TL;DR: I found a critical bug on Loyal [@loyal_hq] that let anyone drain any user's private balance using only their public address. I reported it privately, the Loyal team fixed it within days.
Loyal is a privacy protocol on Solana: you deposit funds into a shielded balance that stays private and earns yield, and you can send it to others privately. It's Telegram-first.
I was exploring the Loyal protocol for a possible integration into Swish. I didn't set out to find a bug. I was solving a UX problem. When you shield through Loyal with an external wallet like Phantom, the wallet warns "this transaction may fail, funds may be lost." It's a false alarm. Loyal relies on MagicBlock's delegation, which wallet simulators can't model but a warning like that loses users, so we set out to remove it.
The approach was to let the server handle the steps that trigger the warning, while the user's wallet only signs the parts it can simulate cleanly. To do that safely, I had to map exactly which of Loyal's actions required the owner's signature and which didn't.
That audit is what surfaced the bug. The instruction that moves a shielded balance didn't require the owner's signature. It only checked that the owner's address was listed in the transaction, and an address is public information. In practice, anyone could move someone else's shielded balance to themselves using only the victim's public address, with no permission from the owner. That affected every shielded balance on the protocol.
I confirmed it with a minimal test moving ~$0.10 between two of our own wallets and returning it which was enough to verify the issue was real, nothing more. I didn't publish it. I reported it privately to the Loyal team the same day, with the root cause, a reproduction, and the fix needed.
The Loyal team fixed it within days: transfers now require the owner's signature. I re-ran our test against the patched contract, and it was rejected for a missing owner signature. Confirmed resolved.
Super glad it's resolved, and credit to the Loyal team for the quick turnaround.
Weโre proud to announce the winners of Umbraโs Colosseum Frontier Hackathon sidetrack!
Each project used the Umbra SDK to bring private payments, wallets, and financial flows to Solana.
1st place: @swishdotcash
Swish is building private, simple payments powered by Umbra. By integrating the Umbra SDK, Swish lets users send and receive funds without exposing their financial activity onchain.
Love the initiative by @drpeepee and @therealchaseeb โค๏ธ
You guys can also directly donate to @justt_sunnyy via Swish. It's private and you don't even need to know her donation address!