Over 8K Solana wallets drained of funds, $10M estimated missing
The attack mostly affected mobile Solana wallets and most of the breach reports came from Phantom and Slope users.
Over 8000 Solana (SOL) wallets were drained of millions by an exploit that started in the late hours of August 2.
So far more than 8000 wallets and ~$580M were stolen by the following 4 addresses.
Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV
CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu
5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3n
GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy
— MistTrack🕵️ (@MistTrack_io) August 3, 2022
However, PeckShield noted that the total loss is estimated to be less than $10 million once the value of the illiquid coins involved in the attack is excluded.
#PeckShieldAlert The widespread hack on Solana wallets is likely due to the supply chain issue exploited to steal/uncover user private keys behind affected wallets. So far, the loss is estimated to be $8M, excluding one illiquid shitcoin (only has 30 holds & maybe misvalued $570M)
— PeckShieldAlert (@PeckShieldAlert) August 3, 2022
The attack mostly affected mobile Solana wallets connected to the internet like Phantom, Solflare, TrustWallet, and Slope. But most of the breach reports came from Phantom and Slope users.
The cause of the exploit and the hackers’ identity remain unknown.
Meanwhile, four wallets have been identified to be holding all the stolen funds.
The exploit has been draining SOL, other Solana-based tokens, and USDC. OtterSec added that the exploit has also affected some Ethereum (ETH) users.
The cause of the attack is still unknown
The crypto community remains at a loss on the cause of this exploit.
Solana Foundation’s co-founder Anatoly Yakovenko posited that the exploit “seems like an iOS supply chain attack,” a view shared by some other community members.
Seems like an iOS supply chain attack. Multiple plausible wallets that only received sol and had no interactions beyond receiving have been affected. https://t.co/ne0g3ZmLH5
As well as keys that were imported into iOS and generated externally. https://t.co/hStAr1mU6Q
— SMS T◎ly, 🇺🇸 (@aeyakovenko) August 3, 2022
PSA: If you are using Phantom or Slope wallet on Solana, please move your funds to an exchange or a hardware wallet ASAP.
There is an ongoing attack draining these wallets. Most likely a supply chain attack.
ps Funds on Fox Wallet are Safu because LavaMoat is GOAT.
— Mudit Gupta (@Mudit__Gupta) August 3, 2022
Two important lessons:
– Solana was written in Rust, which is positioned as a secure language. The language itself doesn't provide high security. That's why we've selected the C language.
– The most probable cause is a supply chain attack. That's why Cellframe has almost no 3rd party components. https://t.co/4FWlieKj5U
— Dmitriy Gerasimov (@naeper) August 3, 2022
According to Christine Kim, a supply chain attack “is like a Trojan horse style attack in that a hacker slides in malicious code without anyone noticing to one of the GitHub repos or libraries that the targeted application/product relies on and uses.”
Basically, a supply chain attack is like a Trojan horse style attack in that a hacker slides in malicious code without anyone noticing to one of the GitHub repos or libraries that the targeted application/product relies on and uses.
— Christine Kim (@christine_dkim) August 3, 2022
Emin Gün Sirer, Ava Labs CEO, mentioned four possible causes of the exploit. According to him, the attack could have been caused by a “supply chain attack,” a “faulty random number generator,” or a “browser exploit/zero-day.”
There's an ongoing attack targeting the Solana ecosystem right now. 7000+ wallets affected, and rising at 20/min. Because it's very early and the attack is ongoing, there's a lot of misinformation and speculation. So here are a few thoughts and clarifications.
— Emin Gün Sirer🔺 (@el33th4xor) August 3, 2022
However, each of these explanations has a gap that makes it difficult to pin the attack on any one of them.
Sirer added that another possible cause of this hack could be “a potential nonce reuse that ends up revealing the private key.”
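Why a reused nonce leaks the signing key, as an added illustration that is not part of the original article: the notation below is the generic Schnorr-type scheme (of which Ed25519, the signature scheme Solana accounts use, is an instance), with $G$ a generator of a group of prime order $q$, $x$ the private key, $P = xG$ the public key, and $H$ the hash used by the scheme.

Signing a message $m$ with a fresh nonce $k$ produces $R = kG$, $e = H(R, P, m)$, $s = k + e \cdot x \pmod q$, and the signature is $(R, s)$. If two different messages $m_1 \neq m_2$ are signed with the same $k$, both signatures carry the same $R$ (so the reuse is visible in the published signatures themselves), with

$$s_1 = k + e_1 x \pmod q, \qquad s_2 = k + e_2 x \pmod q, \qquad e_1 \neq e_2 .$$

Subtracting eliminates the unknown nonce:

$$s_1 - s_2 = (e_1 - e_2)\, x \pmod q \quad\Longrightarrow\quad x = (s_1 - s_2)\,(e_1 - e_2)^{-1} \pmod q ,$$

and $k = s_1 - e_1 x \pmod q$ follows. Everything on the right-hand side is public, which is why a faulty random number generator (the other cause Sirer listed) is a key-compromise risk and not merely a weak-randomness one. A correct Ed25519 implementation derives $k$ deterministically from the secret key and the message, so this failure can only arise from a broken implementation or a non-standard nonce source; the on-chain check for it is simply whether a key has ever published two signatures sharing the same $R$.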
Blockchain security firm OtterSec had written that the transactions were “being signed by the actual owners, suggesting some sort of private key compromise.”
These transactions are being signed by the actual owners, suggesting some sort of private key compromise. pic.twitter.com/UTMq4NWErd
— OtterSec (@osec_io) August 3, 2022
Solana, Phantom, and Slope have revealed that they are investigating the exploit and will provide further information soon.
Engineers from multiple ecosystems, with the help of several security firms, are investigating drained wallets on Solana. There is no evidence hardware wallets are impacted.
This thread will be updated as new information becomes available.
— Solana Status (@SolanaStatus) August 3, 2022
Meanwhile, users have been advised to stop using the compromised wallets. The network advised users to move funds to a hardware wallet, while some community members also said sending the tokens to a centralized exchange could protect the funds.
There is an active security incident on Solana. Many (7000+ and counting) wallets are drained of SOL & USDC. Don't know root cause yet. Maybe permissions granted to apps. For remediation, send the funds to a cold wallet or CEX like @Binance. https://t.co/nQrBXAgCbf
— CZ 🔶 Binance (@cz_binance) August 3, 2022
Solana nodes are down
Available information also revealed that Solana nodes are currently down. The nodes were reportedly placed under a DDoS attack to slow down the hacker.
Many Solana RPC Nodes appear to have stopped serving requests; this might be due to load or intentional.
This does not affect the underlying chain in any way. The chain is operating as normal.
Your wallet or explorer might not be loading right now, the chain is operating as normal.
— Laine | stakewiz.com (@laine_sa_) August 3, 2022
Meanwhile, the Solana blockchain is still running.
However, crypto community members have questioned the rationale behind the attack as the hacker could continue with the exploit when the network resumes full operation.
As of press time, Solana’s network has lost around 2% of its value in the last 24 hours and is currently trading for $39.87.