Crypto takes another hit as a recent exploit drains millions of dollars from wallets on the Solana blockchain.
In a year dogged by large-scale hacks, the crypto community has been hit by yet another.
Solana, a top-10 cryptocurrency with over 200,000 active users, fell foul to it’s second major hack this year on August 2nd, draining at least $5mil of SOL and NFTs from roughly 8,000 wallets, according to Elliptic.
The exact details of the hack are yet to be fully understood, but SOL – the native token of Solana – dropped by 4% as news of the hack broke, and is now down 12% across the past 7 days.
Here’s what we know so far.
What Happened
In the late hours of August 2nd, the first evidence of an attack on Solana began to be reporting across social media. Early indications suggested that wallets were being compromised through permissions granted to a smart contract.
In response, Magic Eden, a popular Solana NFT marketplace, took to Twitter to warn users and provide instructions on how to remove permissions for suspicious links.
????????????There seems to be a widespread SOL exploit at play that’s draining wallets throughout the ecosystem
Here’s what you can do right now to best protect yourself
1. Go to >Settings on your @phantom wallet
2. >Trusted Apps
3. >Revoke Permissions for any suspicious links????
� Magic Ethen ???? (@MagicEden) August 3, 2022
However, due to the nature of the exploit, crypto analyst and author @0xfoobar speculated that it could be a�”supply chain attack,” a type of cyberattack that targets the victim’s account through a third-party vendor.
He also added that the widespread advice of revoking wallet approvals would not help unless users transfer their holdings to an offline hardware wallet.
Anatoly Yakovenko, Solana Labs co-founder, further clarified that a wallet interaction could not make it vulnerable.
“Only a token specific delegation or an auto approve or a leaked seed could transfer assets from a wallet on behalf of the user. Since system transfers are happening, that rules out delegation.”
Only a token specific delegation or an auto approve or a leaked seed could transfer assets from a wallet on behalf of the user. Since system transfers are happening, that rules out delegation. There is no way an �interaction� could make a wallet vulnerable https://t.co/Pdrmjk1WYZ
� SMS aey.sol, ???????? (@aeyakovenko) August 3, 2022
According to OtterSec, an independent blockchain auditor, the transactions were being signed by the wallets in question, suggesting compromised private keys.
Several addresses have already been linked to the attack and are still being monitored by the community – Hacker’s Wallet 1, 2, 3 and 4.
Solana Status, the network’s�official�Twitter account for announcements, reported the approximate number of wallets being drained and noted that “engineers from across several ecosystems in conjunction with audit and security firms, continue to investigate the root cause of the incident.”
Posting to Twitter, the account declared: �
“This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network”.
This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network.
Updates will be posted to https://t.co/ivyoIbdCDP as they become available. 2/2
� Solana Status (@SolanaStatus) August 3, 2022
The initial reports singled out the Solana browser wallet Phantom who in defense tweeted that the team does not believe that this is a Phantom-specific issue.
On Wednesday afternoon, Solana Status shared preliminary findings of the investigation, and the hack is now being blamed on a private key exploit tied to the mobile software wallet, Slope.
Slope, the web-based cryptocurrency wallet, released its official statement as it acknowledge that many of its users were included in the hack but did not disclose specific details on what happened, nor has the firm taken responsibility for the attacks.
The team committed that they are working with top external security and audit groups to conduct their investigations and are now “working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify the breach.”
Whilst some Phantom wallets were also drained of their tokens in the attack; it appears that those holders had previously interacted with a Slope wallet.
� The Phantom team turned to Twitter, saying: �
“Phantom has reason to believe that the reported exploits are due to complications related to importing accounts to and from Slope.”
1/ Phantom has reason to believe that the reported exploits are due to complications related to importing accounts to and from @slope_finance.
We are still actively working to identify whether there may have been other vulnerabilities that contributed to this incident. https://t.co/W5B19gbMJX
� Phantom (@phantom) August 3, 2022
What This Means
At this point, it is unclear whether the vulnerability is limited to the Slope wallet, as some users reported losing tokens on Solana and Ethereum.
This incident, however, clearly underscores the absolute need for caution and the importance of best consumer awareness and cyber security practices when using any cryptocurrency platform.
How To Protect Yourself
Here are a few ways to help protect yourself and your crypto accounts from threats and malicious attacks.
- DYOR or do your own research and always visit the original websites.
- When downloading applications and software, only download from reliable sources.
- Disable direct messaging on Telegram and Discord (as these are common targets of attackers).
- Only click and visit official websites of your community.
- Do NOT send or share your seed phrase to anyone or any online web form requesting for it.
- Do not keep all your crypto holdings in one wallet and have multiple wallets for different transactions.
- If possible, store your money in an offline hardware wallet (cold wallet).
Let�s connect�
> Follow us on Twitter (X)
> Learn more about us
> Contact us
Blockchain evangelist. Content creator & graphic design hobbyist. Loves gaming!