In early May, the Solana community uncovered a troubling vulnerability in a widely used stake delegation system. The flaw wasn’t hidden in obscure code but in the logic itself. Throughout 126 epochs, it quietly enabled certain validators to extract tens of thousands of SOL in value at the expense of stakers.
This isn’t just a story about lost funds. It’s a case study in how validator incentives, delegation design, and transparency shape the integrity of staking ecosystems.
What Happened
One Solana-based staking platform uses an auction-based delegation model, where validators submit bids to receive stake from a pool. The goal is to create a competitive environment that maximizes APR for stakers by allocating SOL to validators offering the best performance-to-cost ratio.
However, several validators discovered a flaw in this system:
- They bid high to win stake allocations.
- After securing the delegation, they lowered their bids and bond amounts, yet continued to receive a large stake allocation.
- This allowed them to retain large portions of stake at a much lower cost, while still appearing competitive in future epochs.
As a result, the platform continued allocating stake to validators who had essentially stopped paying for it, draining value from the pool without providing equivalent returns.
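A monitoring check for the pattern described above, as an added example that is not the platform's code: it flags validators whose bid or bond falls well below its earlier peak while their delegated stake stays near its peak. The record layout, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (epoch, validator, bid, bond_sol, delegated_stake_sol).
# Field names, units and values are assumptions, not the platform's real schema.
RECORDS = [
    (700, "val_A", 0.50, 1000, 0),
    (701, "val_A", 0.50, 1000, 200_000),
    (702, "val_A", 0.05, 100, 195_000),   # bid and bond cut, stake retained
    (703, "val_A", 0.05, 100, 195_000),
    (700, "val_B", 0.40, 800, 0),
    (701, "val_B", 0.40, 800, 150_000),
    (702, "val_B", 0.38, 800, 150_000),   # small adjustment, not a cut
    (703, "val_B", 0.10, 800, 20_000),    # bid cut, but stake was withdrawn too
]


def flag_retained_stake(records, max_ratio=0.5, min_retained=0.8, min_epochs=2):
    """Return {validator: [epochs]} for validators that kept at least
    `min_retained` of their peak stake while bid or bond sat at or below
    `max_ratio` of its own peak, for at least `min_epochs` epochs."""
    by_validator = defaultdict(list)
    for epoch, validator, bid, bond, stake in records:
        by_validator[validator].append((epoch, bid, bond, stake))

    flagged = {}
    for validator, rows in by_validator.items():
        peak_bid = peak_bond = peak_stake = 0.0
        suspicious = []
        for epoch, bid, bond, stake in sorted(rows):
            peak_bid = max(peak_bid, bid)
            peak_bond = max(peak_bond, bond)
            peak_stake = max(peak_stake, stake)
            if peak_stake == 0:
                continue  # nothing delegated yet, so nothing to retain
            cost_cut = bid <= max_ratio * peak_bid or bond <= max_ratio * peak_bond
            stake_kept = stake >= min_retained * peak_stake
            if cost_cut and stake_kept:
                suspicious.append(epoch)
        if len(suspicious) >= min_epochs:
            flagged[validator] = suspicious
    return flagged


if __name__ == "__main__":
    for validator, epochs in flag_retained_stake(RECORDS).items():
        print(f"{validator}: reduced bid/bond with retained stake in epochs {epochs}")
```

The `min_epochs` threshold keeps a single-epoch lag between a bid change and stake rebalancing from raising a flag.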
Throughout 126 epochs, this behavior resulted in an estimated 37,000 SOL in diverted rewards, a value that could have gone to users but was instead captured by a handful of validators.
The outcome was that stakers were consistently underpaid. Users received far less than the APRs they were promised, even though the system showed numbers that looked healthy on the surface.
The Response
Once the issue gained public traction, the platform’s team released a patch. The update now penalizes validators who reduce their bids after securing delegation — a clear indication that the original design didn’t fully anticipate this kind of manipulation.
The incident was framed not as a critical bug but as a “known inefficiency.” That may be technically accurate. Ethically, however, it left room for exploitation.
Why It Matters
This wasn’t just a one-off exploit—it exposed how easily delegation systems can be gamed when incentives go unchecked. Users lost more than rewards: clarity, control, and trust.
The validators behind this exploit were also running sandwich attacks — extracting value from regular users and harming the broader network. To make things worse, the inflated APRs created by this behavior gave users a false sense of value. A high yield isn’t always a good sign — sometimes, it’s the first warning.
In this case, it signaled a broken system. Users were underpaid, and governance was prioritized over short-term profit.
When reward logic can be manipulated, the real damage isn’t just financial—it’s reputational. And that raises a bigger question: What does ethical validator behavior actually look like?
What We’ve Learned
As one of the largest non-custodial validators in the industry, we believe this incident brings several vital lessons to the forefront:
- Ethical validators don’t exploit known inefficiencies.
Just because something is technically possible doesn’t make it acceptable. Responsible validators operate with a long-term view, not a short-term arbitrage mindset.
- Transparency isn’t optional.
If a staking platform uses complex delegation mechanics, it must also make the logic and validator selection process accessible and auditable. This is especially critical in liquid staking models, where users don’t choose their validator directly.
- Incentive design must evolve—and fast.
Any staking system that rewards behavior like bid manipulation or MEV extraction must be re-evaluated. Without aligned incentives, even well-intentioned platforms can enable harmful behavior.
- Users deserve clarity and control.
Whether you’re staking 1 SOL or 10,000, you have a right to know how your funds are used, how rewards are calculated, and whether those systems are built on integrity.
Our Commitment at Everstake
Everstake was not involved in any part of this exploit. We do not participate in sandwich attacks, bid manipulation, or any practice that undermines network fairness.
Our role is to support decentralization, not distort it. We build infrastructure that prioritizes reliability, transparency, and ethical alignment—and we actively support open auditing and responsible delegation logic across the networks we serve.
Final Thoughts
This incident reminds us that the incentives behind validator delegation must be carefully designed and continuously evaluated. Users deserve clarity about where their stake goes, how rewards are calculated, and what validator behaviors are rewarded or punished.
And one more reminder: if a validator’s advertised APR looks too good to be true, far above the network average, that’s often a red flag, not a selling point. Responsible staking means asking questions, doing your own research, and choosing validators who prioritize the network’s health, not just profit.
To those staking with Everstake—whether directly or via third-party platforms—know this: you’re delegating to a team that prioritizes long-term trust over short-term gain, integrity over opportunism, and sustainability over exploitation.