
The $8mil Solana Hack: What We Know So Far
Crypto takes another hit as a recent exploit drains millions of dollars from wallets on the Solana blockchain.
AUGUST 8, 2022. NEWS. WRITTEN BY JENZ ALIPAR.
In a year dogged by large-scale hacks, the crypto community has been hit by yet another.
Solana, a top-10 cryptocurrency with over 200,000 active users, fell victim to its second major hack this year on August 2nd, when an estimated $8mil of tokens was drained from roughly 8,000 wallets, according to Elliptic.
The exact details of the hack are yet to be fully understood, but SOL – the native token of Solana – dropped by 4% as news of the hack broke, and is now down 12% across the past 7 days.
Here’s what we know so far.
Timeline of Events
In the late hours of August 2nd, the first evidence of an attack on Solana began to be reported across social media.
In response, Magic Eden, Solana’s leading NFT marketplace, took to Twitter to warn users and provide instructions on how to remove permissions for suspicious links.
🚨🚨🚨There seems to be a widespread SOL exploit at play that’s draining wallets throughout the ecosystem
Here’s what you can do right now to best protect yourself
1. Go to >Settings on your @phantom wallet
2. >Trusted Apps
3. >Revoke Permissions for any suspicious links
💜— Magic Ethen 🪄 (@MagicEden) August 3, 2022
Initial reports singled out Solana wallet provider Phantom, who tweeted that the team did not believe this was a Phantom-specific issue.
We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem. At this time, the team does not believe this is a Phantom-specific issue.
As soon as we gather more information, we will issue an update.— Phantom (@phantom) August 3, 2022
Due to the nature of the exploit, crypto analyst and author @0xfoobar speculated that it could be a “supply chain attack” – an attack in which the victim is compromised through a trusted third-party component or vendor rather than attacked directly.
He added that the widespread advice to revoke wallet approvals would probably not help, and that the only effective step was to move holdings to an offline hardware wallet.
Exploit cause unknown, might be an upstream dependency supply chain attack
Revoking approvals will probably not help – only transferring to an offline hardware wallet
Sample attacker wallet here https://t.co/PlasUDvrtM— foobar (@0xfoobar) August 3, 2022
Anatoly Yakovenko, Solana’s co-founder, further clarified that merely “interacting” with an application could not make a wallet vulnerable: only a token-specific delegation, an auto-approve setting, or a leaked seed can move assets on a user’s behalf, and the fact that plain system transfers were occurring ruled out delegation.
Only a token specific delegation or an auto approve or a leaked seed could transfer assets from a wallet on behalf of the user. Since system transfers are happening, that rules out delegation. There is no way an “interaction” could make a wallet vulnerable https://t.co/Pdrmjk1WYZ
— SMS aey.sol, 🇺🇸 (@aeyakovenko) August 3, 2022
According to OtterSec, an independent blockchain security auditor, the draining transactions carried valid signatures from the affected wallets themselves, pointing to compromised private keys.
Several addresses have already been linked to the attack and continue to be monitored by the community – one, two, three and four.
Solana Status, the official Solana announcement account, reported the approximate number of wallets affected and noted that “engineers from across several ecosystems in conjunction with audit and security firms, continue to investigate the root cause of the incident.”
This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network.
Updates will be posted to https://t.co/ivyoIbdCDP as they become available. 2/2— Solana Status (@SolanaStatus) August 3, 2022
Later that day, foobar shared what he had gathered from his own investigation, singling out software wallet Slope for sending seed phrases – the set of random words that gives full access to a wallet – to external partners in plaintext.
Solana hack – looks like the Slope wallet sent plaintext seed phrases to external integration partners.
Compromised Phantom wallets came from seed phrase imports used in Slope. Compromised ETH wallets were also from seed phrase reuse.
Not a blockchain or randomness issue.— foobar (@0xfoobar) August 3, 2022
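The tweet above makes two claims that are worth seeing mechanically: a plaintext seed phrase is a complete key compromise, and reusing one phrase across wallets spreads that compromise across chains. The following is an added example, not code from the article, from Slope, Phantom or any other vendor. It implements the standard derivation steps a wallet performs from a BIP39 mnemonic (PBKDF2-HMAC-SHA512 to a seed, then SLIP-0010/ed25519 for the Solana path m/44'/501'/0'/0' and BIP32/secp256k1 for the Ethereum path m/44'/60'/0'/0/0) so that the same twelve words reproduce both chains’ private keys. The mnemonic used is the public BIP39 test vector, not any real user’s phrase; the curve arithmetic is written for clarity, not constant time, and must not be reused for production signing.

```python
"""Added example (not from the article or any wallet vendor): one BIP39 mnemonic
deterministically yields both the Solana (SLIP-0010 / ed25519) and the Ethereum
(BIP32 / secp256k1) private keys, so a mnemonic leaked by one wallet compromises
every account derived from it on every chain."""
import hashlib
import hmac
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512, salt = 'mnemonic' + passphrase."""
    m = unicodedata.normalize("NFKD", mnemonic).encode()
    s = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", m, s, 2048)


def _parse_path(path: str):
    """'m/44'/501'/0'/0'' -> [0x8000002c, 0x800001f5, ...]; a trailing ' marks hardened."""
    out = []
    for part in path.split("/")[1:]:
        hardened = part.endswith("'")
        out.append(int(part.rstrip("'")) + (0x80000000 if hardened else 0))
    return out


# --- SLIP-0010 ed25519: Solana wallets (Phantom/Slope default path m/44'/501'/0'/0') ---
def slip10_ed25519_key(seed: bytes, path: str) -> bytes:
    i = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    k, c = i[:32], i[32:]
    for idx in _parse_path(path):
        if idx < 0x80000000:
            raise ValueError("SLIP-0010 ed25519 only defines hardened children")
        i = hmac.new(c, b"\x00" + k + idx.to_bytes(4, "big"), hashlib.sha512).digest()
        k, c = i[:32], i[32:]
    return k


# --- BIP32 secp256k1: Ethereum wallets (path m/44'/60'/0'/0/0) ---
_P = 2**256 - 2**32 - 977
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % _P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, _P) % _P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, _P) % _P
    x = (lam * lam - a[0] - b[0]) % _P
    return x, (lam * (a[0] - x) - a[1]) % _P


def secp256k1_pubkey(k: int) -> bytes:
    """Compressed public key k*G by double-and-add (illustrative, not constant-time)."""
    r, pt = None, _G
    while k:
        if k & 1:
            r = _ec_add(r, pt)
        pt = _ec_add(pt, pt)
        k >>= 1
    return bytes([2 + (r[1] & 1)]) + r[0].to_bytes(32, "big")


def bip32_secp256k1_key(seed: bytes, path: str) -> bytes:
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, c = int.from_bytes(i[:32], "big"), i[32:]
    for idx in _parse_path(path):
        if idx >= 0x80000000:          # hardened child: derived from the private key
            data = b"\x00" + k.to_bytes(32, "big")
        else:                          # normal child: derived from the public key
            data = secp256k1_pubkey(k)
        i = hmac.new(c, data + idx.to_bytes(4, "big"), hashlib.sha512).digest()
        il = int.from_bytes(i[:32], "big")
        if il >= _N:                   # BIP32: such a child is invalid (negligible odds)
            raise ValueError("invalid child key, skip index")
        k, c = (il + k) % _N, i[32:]
    return k.to_bytes(32, "big")


def keys_from_mnemonic(mnemonic: str, passphrase: str = "") -> dict:
    """Everything an attacker holding the plaintext mnemonic can reconstruct."""
    seed = bip39_seed(mnemonic, passphrase)
    return {
        "solana_m/44'/501'/0'/0'": slip10_ed25519_key(seed, "m/44'/501'/0'/0'").hex(),
        "ethereum_m/44'/60'/0'/0/0": bip32_secp256k1_key(seed, "m/44'/60'/0'/0/0").hex(),
    }


if __name__ == "__main__":
    # Constructed input: the public BIP39 test-vector mnemonic, not a real user's phrase.
    demo = "abandon " * 11 + "about"
    for label, key in keys_from_mnemonic(demo).items():
        print(label, key)
```

Two things follow from running this. First, nothing downstream of the seed is secret-dependent on the wallet software: any party that received the twelve words in plaintext can run exactly these steps and sign system transfers as the owner, which is why revoking dApp approvals cannot help. Second, the Ethereum key falls out of the same seed, so a phrase imported into Slope and reused in MetaMask exposes the Ethereum account as well, matching the cross-chain losses reported.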
Phantom responded that the affected Phantom wallets had been imported to or from a Slope wallet, corroborating foobar’s finding.
1/ Phantom has reason to believe that the reported exploits are due to complications related to importing accounts to and from @slope_finance.
We are still actively working to identify whether there may have been other vulnerabilities that contributed to this incident. https://t.co/W5B19gbMJX— Phantom (@phantom) August 3, 2022
A few hours later, Solana confirmed foobar’s findings, pointing towards Slope as the source of the exploit.
After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. 1/2
— Solana Status (@SolanaStatus) August 3, 2022
Slope released an official statement acknowledging that many of its users were victims of the hack, but did not accept responsibility or give technical details.
The team said it had engaged top external security and audit groups to investigate and was “working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify the breach.”
What This Means
At this point, it is unclear whether the vulnerability is limited solely to Slope, as some users have reported losing tokens on both Solana and Ethereum.
The incident underscores that a seed phrase is the wallet: whichever software handles it, and wherever it is sent, any party that can read it can empty every account derived from it, so consumer awareness and basic key-handling hygiene matter on any cryptocurrency platform.
How To Protect Yourself
Here are a few ways to protect yourself and your wallets from threats and malicious attacks.
- Always do your own research before trusting your data to a third party
- Only download applications and software from trusted, reliable sources
- Unless absolutely required, disable direct messaging on Discord and Telegram (these are common phishing vectors)
- Bookmark known safe websites and only use those links
- Never share your seed phrase with anyone – person or platform
- Spread your holdings across multiple wallets
- Store long-term holdings in a dedicated cold wallet