Attention investors, traders, and Web 3.0 BUIDLers! There has been a breach. A breach specifically affecting the Solana ecosystem for now! Solana-specific wallets (Phantom, Trust, and Slope) have been the focal points of this attack.
What’s happening with Solana?
The ongoing exploit seems to be draining online wallets, with multiple users complaining about lost funds, almost $5 million in total. As of now, over 8000 wallets have been attacked. And it’s not just SOL that the attackers are targeting.
Several users have also reported losing their USDC tokens.
Note: On Solana, USDC is an SPL (Solana Program Library) token, the token standard for assets that live in Solana’s ecosystem.
How did Solana wallets get compromised?
While the exact reason for the exploit is still being investigated, initial trends suggest that it is more of a mobile-specific issue tied specifically to the Slope wallet.
Consider this: every online wallet on your phone needs a private key, from which its address is derived. The private key is what you need to be most concerned about. Private keys are not fixed values; each one is a random number generated mainly by the device (the phone’s hardware and operating system) the wallet runs on.
At present, that randomization process on the mobile devices running these wallets appears to be flawed. Hence, private keys are being widely compromised and the affected wallets drained.
Recent developments suggest that all the affected addresses originated from the Slope wallet applications. Some addresses were created on Slope, while others were imported into it or merely used there.
The private key exploit theory, which is gaining certainty over time, points to Slope’s end: Slope developers seem to have been pushing plain seed phrases to third-party resources and servers.
A blunder, indeed!
Slope statement regarding the breach situation: https://t.co/IhSw4LSVOT
— Slope (@slope_finance) August 3, 2022
Another possible cause is seed phrase compromise. For those unfamiliar, a seed phrase is a random set of words generated by your crypto wallet during the initial setup; it lets you restore the wallet if you forget its password and need to reset it. In the case of online wallets, having the seed phrase stored on the device’s disk also looks like a contributing factor in the ecosystem-wide exploit.
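The leak described above comes down to a wallet app shipping plain seed phrases to third-party servers. As an added example (not Slope’s code or anything from this post), here is a scrubbing hook a wallet developer can run over every crash-report or telemetry event before it leaves the device: it drops hypothetical field names such as `mnemonic` outright and redacts any run of 12 to 24 BIP39-shaped words found inside free-text strings. The sample event is constructed.

```python
import re
from typing import Any, Optional

# Valid BIP39 mnemonic lengths; every BIP39 English word is 3-8 lowercase letters.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD = re.compile(r"^[a-z]{3,8}$")
PLACEHOLDER = "[REDACTED_SEED_PHRASE]"
# Hypothetical field names whose values are dropped outright, whatever they hold.
SENSITIVE_KEYS = {"mnemonic", "seed", "seed_phrase", "secret_key", "private_key"}

def redact_text(text: str, wordlist: Optional[set] = None) -> str:
    """Replace every run of mnemonic-length lowercase words in `text`.
    Without `wordlist` this is a heuristic that can also hit ordinary 12-word
    sentences; pass the BIP39 wordlist to require each word to belong to it.
    Whitespace is normalised to single spaces."""
    out, run = [], []

    def flush() -> None:
        out.extend([PLACEHOLDER] if len(run) in MNEMONIC_LENGTHS else run)
        run.clear()

    for tok in text.split():
        if WORD.match(tok) and (wordlist is None or tok in wordlist):
            run.append(tok)          # still inside a candidate word run
        else:
            flush()                  # run ended: redact it or emit as-is
            out.append(tok)
    flush()
    return " ".join(out)

def redact_payload(value: Any, wordlist: Optional[set] = None) -> Any:
    """Walk a JSON-like event (dicts, lists, strings) before it leaves the device."""
    if isinstance(value, str):
        return redact_text(value, wordlist)
    if isinstance(value, dict):
        return {k: PLACEHOLDER if k.lower() in SENSITIVE_KEYS
                else redact_payload(v, wordlist) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_payload(v, wordlist) for v in value]
    return value

# Constructed sample crash event: the error message and an extra field both
# carry a (deliberately invalid) mnemonic assembled from BIP39 words.
SAMPLE_EVENT = {
    "message": "wallet import failed for phrase: abandon ability able about above "
               "absent absorb abstract absurd abuse access accident",
    "extra": {"mnemonic": "zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo",
              "network": "mainnet-beta"},
    "breadcrumbs": ["opened settings", "tapped import"],
}
```

Run `redact_payload(SAMPLE_EVENT)` to see the message and the `mnemonic` field replaced while the harmless fields survive; in production the hook belongs in the crash reporter’s pre-send callback, and the real BIP39 wordlist should be passed in to cut false positives.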
What can users do to keep their crypto secure?
The best way to sort this out is to get hold of a reliable hardware wallet and transfer funds from the online wallet to the hardware/cold wallet (a wallet with no internet connectivity).
In case that’s not an option and you are still stuck inside those non-custodial wallets (Phantom, Slope, and Trust), head over to the wallet ‘Settings’, then ‘Trusted Apps’, and revoke third-party app access or suspicious link permissions.
Note: There is no need to keep trusted apps. They only exist to keep the crypto wallet connected to websites so that things are quicker on your next visit, more like a website cache.
A recent Twitter Space hosted by Wallet Guard had experts suggesting the use of desktop wallets in the interim, as all the reported breaches have been mobile-focused. Yet this solution is largely speculative for now and needs hard evidence.
What can BUIDLers do?
BUIDLers, who are planning to start their projects on specific ecosystems, including Solana, should be more careful now. Here are the steps to avoid losing face in the future:
- Check the history of the ecosystem wallets in case you want to go non-custodial while incentivizing the project.
- Move to larger ecosystems where attacks aren’t common or take time to spread out. (The latest Solana exploit drained 5000+ wallets in under 30 minutes).
- Try storing seed phrases elsewhere, preferably somewhere offline.
- Even though wallets like Phantom removed auto approvals long ago, check for the wallets that still allow third-party auto approvals and revoke permissions beforehand.
- Keep doing your own research and educating yourself before entering any project and eventually using the project/ecosystem resources for incentivizing innovation.
Confirmed with the cross chain user that they imported their TrustWallet seed phrase into Slope.
Both Slope & TrustWallet seem to use a single seed phrase cross-chain.
Likely why we've seen so few cases on Ethereum directly. Suggests something exposing seeds w/ Solana apps?
— Adam Cochran (adamscochran.eth) (@adamscochran) August 3, 2022
What is the current situation?
The price of Solana’s native token SOL has dipped close to 2% since news of the breach surfaced (as of 5.40 PM, 4 August). As for plugging the loophole, Solana has self-initiated a DDoS (distributed denial of service) attack to take the RPC (remote procedure call) nodes offline. Yes, another outage, but this time for a good cause.
So: there is a DDOS attack underway on #Solana's RPC nodes —
— to destroy RPC availability to ANOTHER attack which is draining Solana wallets of millions right now.
So a new attack to slow down an ongoing hack that so far, nobody understands, and nobody can stop. https://t.co/Fc9S7z720V
— Mark Jeffrey (@markjeffrey) August 3, 2022
It has come to light that the widespread attack had nothing to do with the Solana protocol or the associated cryptography required to generate private keys. It was all Slope. Even the Phantom wallets that were drained had previously interacted with corresponding Slope wallets.
Here is a tweet thread by Solana Status, retweeted by Solana’s official Twitter handle:
After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. 1/2
— Solana Status (@SolanaStatus) August 3, 2022
We believe that this discussion is just the tip of this exploit-specific iceberg. We expect more things to come to light and will keep updating the post, in case some new information shows up. Investors should be vigilant and take all possible necessary precautions to safeguard their funds.