Solana Wallet Hack: Here’s What We Know So Far

Update, August 3, 4:50 PM ET: Solana developers claim to have identified the root cause of the hack: compromised private keys “created, imported, or used in Slope mobile wallet apps.” Read all the details here.

Solana users from afar last night were surprised to find that their the wallets were emptied of the GROUND, the USDC stablecoinand others based on Solana tokens in widespread and continuous piracy. As of this writing, approximately $4.46 million worth of coins and tokens have been collected so far.

According to blockchain explorer Solscan, the wallets of the four identified attackers collectively attacked approximately 15,200 wallets, although there may be some overlap between their targets. The official Solana Status account on Twitter put the count at around 8,000 unique wallets earlier this morning.

As the attack seemingly continues, the core team and the network’s founder have begun sharing theories about what’s going on. According to Solana Status, “engineers from multiple ecosystems, together with auditing and security companies, continue to investigate the root cause” of the attack.

“This does not appear to be a bug with Solana’s core code,” he added, “but in software used by several popular software wallets among network users.”

This theory matches the shift in sentiment last night and overnight by the developers and security experts at Solana. Initially, some thought the exploit was related to persistent permissions users may have previously granted to a smart contract, and many platforms, such as best market NFT Magic Eden— urged Solana users to revoke all permissions.

However, that didn’t seem to help since the transactions were being signed, thus suggesting a compromise of the users’ private keys. Instead, as the Solana Status update suggests, the current prevailing theory is that code in software-based wallet apps is somehow exploited to allow access. to the assets of the holders.

Anatoly Yakovenko, co-founder of Solana and CEO of Solana Labs tweeted overnight that it “looks like an attack on the iOS supply chain”, suggesting the issue was with wallets used on Apple’s iPhone and iPad devices. However, based on additional evidence, he added in a later tweet that Android users are also affected.

“All confirmed stories so far have had the key imported or generated on mobile,” he wrote, noting that the majority of confirmed wallets were from Slope, including some from Phantom. Hardware wallets don’t seem to be affected at all. Adam Cochran, Notable Crypto Investor written this morning that it is “90% [sure] this is related to using Slope or importing into Slope.

When asked by a user what Solana developers can do to fix this issue in the future, Yakovenko replied“Damn Apple and Google can offer us secure in-device signing and recovery. Damn hell.

Slope’s Twitter account did not tweet since last night, when he wrote that the team was “actively working to fix the problem.” Likewise, Ghost last tweet last night with a similar message, but added that he didn’t “think this was a Phantom-specific issue” at the time.

Blockchain security firm OtterSec has asked affected users to fill out a form with details of their portfolio and activity. Yakovenko and other notable Solana developers shared the same form in hopes of amassing more data on the exploit.

The Solana network was sometimes inaccessible or difficult to use last night due to partial outages with RPC nodes that facilitate network traffic. Apparently the slowdown was due to the efforts of a user who tried to slow down or stop the attack by overwhelming the Solana network with transactions in a DDOS-like frenzy.

Solana (SOL) initially saw a significant price drop following the initial attacks last night, with the price dropping around 8% in two hours. However, it has somewhat rebounded to a current price of just over $40 a coin, down around 2% in the last 24 hours.