An ongoing Solana (SOL) hack has affected more than 8,000 wallets and drained a currently estimated USD 4.5m to USD 8m worth of funds.
According to data compiled by crypto tracking platform MistTrack, four addresses linked to hackers have so far stolen USD 580m worth of crypto assets from over 8,000 wallets.
However, MistTrack stated that, excluding the value of EXIST “and other shitcoins,” USD 4.5m worth of SOL, USDC, USDT, bitcoin (BTC), and ethereum (ETH) has been stolen.
Based on the current amount of above assets held by the 4 addresses, we estimate the total loss is around ~$4.5M https://t.co/8Ayp1sfd97
— MistTrack🕵️ (@MistTrack_io) August 3, 2022
Still, blockchain investigator PeckShield estimated a higher loss, stating:
“So far, the loss is estimated to be USD 8m, excluding one illiquid shitcoin (only has 30 holds & maybe misvalued [USD] 570M).”
At around 10 UTC, the scanning tool for the Solana ecosystem, Solscan, provided a “real-time visualization dashboard” that shows the total value in the hacker’s wallets, token allocation in each wallet, analytics of the victims’ wallets, most exploited wallets, etc.
Per the dashboard, at 12:22 UTC, the total value transferred to the attacker’s wallet is USD 4.46m. Just below 50% of this is USDC, 35% is SOL, and 15% are other coins.
“Low liquidity tokens are removed from the report as they do not reflect the accuracy of the report,” Solscan said.
As the hack began, users started reporting that their funds had been drained without their knowledge from major internet-connected “hot” wallets, including Phantom, Slope, and TrustWallet. Some affected users have claimed that they hadn’t interacted with any contracts in more than 40 days.
According to blockchain auditor OtterSec, the transactions are being signed by the actual owners, suggesting some sort of private key compromise. They asked all users of the affected wallets to move their assets “to a hardware [wallet] or a centralized exchange.”
The exact cause of the hack is still largely unclear, though it appears to have predominantly impacted mobile wallet users.
The team behind Solana said that engineers from multiple ecosystems, with the help of several security firms, are investigating drained wallets on Solana.
“There is no evidence hardware wallets are impacted,” they added.
Meanwhile, Phantom said that “at this time, the team does not believe this is a Phantom-specific issue.”
According to Solana Labs co-founder Anatoly Yakovenko, only a token-specific delegation, an auto-approve, or a leaked seed could transfer assets from a wallet on behalf of the user.
“Since system transfers are happening, that rules out delegation. There is no way an “interaction” could make a wallet vulnerable,” he added.
Yakovenko later added that this seems to have been an iOS supply chain attack, noting that imported keys too were compromised, and stating that,
“Multiple plausible wallets that only received sol and had no interactions beyond receiving have been affected,” […] “as well as keys that were imported into iOS, and generated externally.”
A short while later, he notified the community that Android “seems to be affected” too, and that all of the confirmed stories up to that point in time “have had the key imported or generated on mobile,” adding that most of the reports “are slope, but a few phantom users as well.”
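To make the distinction Yakovenko draws concrete, here is an added example (not code from Solana Labs, any wallet vendor, or this article) that classifies a wallet's outgoing transactions so that an owner-signed System Program transfer, which requires the wallet's own private key, is separated from a token-specific delegation. It assumes the "jsonParsed" shape returned by Solana's getTransaction RPC, and the transactions and addresses are constructed placeholders.

```python
# Assumed input shape: the "jsonParsed" encoding of Solana's getTransaction RPC
# (message.accountKeys[] with "signer" flags; message.instructions[] with "program"
# and "parsed": {"type", "info"}). Sample transactions below are constructed, not real.
from collections import Counter

def signers(tx):
    """Public keys that signed the transaction."""
    return {k["pubkey"] for k in tx["transaction"]["message"]["accountKeys"] if k.get("signer")}

def classify(tx, victim, victim_token_accounts=()):
    """Label each way value could leave `victim` in one transaction."""
    labels = []
    for ix in tx["transaction"]["message"]["instructions"]:
        parsed = ix.get("parsed") or {}
        prog, kind, info = ix.get("program"), parsed.get("type"), parsed.get("info", {})
        if prog == "system" and kind == "transfer" and info.get("source") == victim:
            # A system transfer is valid only if the source account signed it, so a
            # confirmed one means the sender held the victim's private key (or seed).
            if victim in signers(tx):
                labels.append("system-transfer-signed-by-owner")
        elif prog == "spl-token" and kind == "approve" and info.get("owner") == victim:
            labels.append("token-delegation-granted")  # a token-specific delegation
        elif (prog == "spl-token" and kind in ("transfer", "transferChecked")
              and info.get("source") in victim_token_accounts):
            # delegated transfers are signed by the delegate, not by the owner
            labels.append("token-transfer-signed-by-owner" if info.get("authority") == victim
                          else "token-transfer-by-delegate")
    return labels

def triage(txs, victim, victim_token_accounts=()):
    """Aggregate labels over a wallet's history and say which theory they fit."""
    counts = Counter(l for tx in txs for l in classify(tx, victim, victim_token_accounts))
    if counts["system-transfer-signed-by-owner"]:
        verdict = "key compromise: SOL left via owner-signed system transfers"
    elif counts["token-transfer-by-delegate"]:
        verdict = "delegation abuse: only delegate-signed token transfers seen"
    else:
        verdict = "no outflow attributable to this wallet"
    return counts, verdict

VICTIM, TOKEN_ACCT, ATTACKER = "VictimWallet111", "VictimUsdcAcct111", "Attacker111"  # placeholders
def _tx(instructions, signer_keys):  # builds a minimal jsonParsed-shaped transaction
    return {"transaction": {"message": {"instructions": instructions,
            "accountKeys": [{"pubkey": k, "signer": True} for k in signer_keys]}}}

SAMPLE_TXS = [  # constructed: an owner-signed SOL transfer and an owner-signed USDC transfer
    _tx([{"program": "system", "parsed": {"type": "transfer", "info": {"source": VICTIM,
         "destination": ATTACKER, "lamports": 1_500_000_000}}}], [VICTIM]),
    _tx([{"program": "spl-token", "parsed": {"type": "transfer", "info": {"source": TOKEN_ACCT,
         "destination": "AttackerUsdcAcct111", "authority": VICTIM, "amount": "2000000000"}}}], [VICTIM]),
]
```

Running `triage(SAMPLE_TXS, VICTIM, {TOKEN_ACCT})` on the constructed history yields the "key compromise" verdict, because a System Program transfer out of the wallet can only be signed with the wallet's own key.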
As for how this may be solved, Yakovenko called for more security on the part of Apple and Google.
“Despite reports that it was an iOS hack, certainly, it was not. There are confirmed reports of wallet-drains from non-iOS wallets and extensions. The data suggests this is not an attack on a specific wallet provider but rather multiple wallets on many operating systems (mobile and desktop, iOS and Android),” Dmytro Budorin, CEO of Hacken, a blockchain cybersecurity specialist, said in an emailed comment.
Also, according to him, while investigations into the attack have not been able to pinpoint the exact factors causing these hacks, in general, the attacker must have compromised a third party that must have ceded permissions to sign off on mass transactions.
“While this exploit model is very prevalent, projects can predict and hence, protect their users from such attacks. Yet, it will require creating a very ingenious predictive tool that projects can implement. Innovators can also find a way to bridge the wide gap or inconvenience in storing assets on a cold wallet and utilizing them for transactions on dapps [decentralized apps],” Budorin added.
In either case, since the hacker somehow obtained the ability to sign transactions on behalf of users, others have also suggested a trusted third-party service may have been compromised in a so-called supply chain attack.
“Confirmed with the cross chain user that they imported their TrustWallet seed phrase into Slope. Both Slope & TrustWallet seem to use a single seed phrase cross-chain,” analyst Adam Cochran said. “Likely why we’ve seen so few cases on Ethereum directly. Suggests something exposing seeds w/ Solana apps?”
PeckShield also weighed in on the supply chain theory, stating that “the widespread hack on Solana wallets is likely due to the supply chain issue exploited to steal/uncover user private keys behind affected wallets.”
Meanwhile, Solana validator Laine has denied claims that validators blacklisted or plan to blacklist the wallets associated with hackers.
“We have not blacklisted anything nor are we aware of any discussion to do so. Explorers have blacklisted them, i.e. they are displaying warnings, but that doesn’t affect any transactions,” Laine said.
It's not a UI Error. It is common for explorers to flag exploit related accounts, etherscan does the same. This is to warn anyone interacting with such account of their affiliation to an exploit.
This has no bearing to any on-chain activity however.
— Laine ❤️ stakewiz.com (@laine_sa_) August 3, 2022
According to a Dune dashboard that tracks the amount of SOL stolen per minute, less than SOL 1 per minute was being stolen at around 7:20 UTC, before the rate jumped up again. In comparison, the hack had started with over SOL 500, and at some point even over SOL 1,000, being siphoned off per minute.
At 7:20 UTC, the 9th coin per market capitalization, SOL, was trading at USD 38.67, down 4.1% over the previous 24 hours. It was up nearly 7% in 7 days and 16% in a month.
Meanwhile, Martin Hiesboeck, Head of Blockchain and Crypto Research at multi-asset digital money platform Uphold, argued that, as blockchain grows and provides “a proven track record of benefits,” it is also displaying some of its weaknesses and issues. Users and developers are seeing more decentralized finance (DeFi) hacks through social media portals like Discord and Telegram, but “their ultimate entry is through the ERC protocols enabling smart contracts and NFTs,” he said.
However, Hiesboeck wrote in a comment shared with Cryptonews.com that,
“The Solana team has over time shown a blatant disregard for cybersecurity in statements published mostly on Twitter, emphasizing speed over security. Every chain update so far has made Solana ever more centralized and prone to exploits.”
Per this researcher, anyone involved in research has seen the risks clearly, but “calls for improvement have been consistently ignored by the core team members,” adding:
“In our considered opinion Solana has been, and continues to be a project set up to fail. The 2021 spike in prices was entirely due to venture capitalist speculation. Critics such as myself have described Solana as a “black hole of code”.”
One possible route is a "supply chain attack" where a JS library is hacked, and it exfiltrates (steals) users' private keys. Affected wallets seem to have been created in the last ~9 months, but there are reports of freshly created wallets also being affected.
— Emin Gün Sirer🔺 (@el33th4xor) August 3, 2022
(Updated at 07:50 UTC: updates throughout the entire text.
Updated at 9:46 UTC with iOS comments by Anatoly Yakovenko.
Updated at 12:30 UTC with Solscan dashboard data and Android comments by Yakovenko.
Updated at 14:13 UTC with comments by Martin Hiesboeck.
Updated at 15:15 UTC with comments by Dmytro Budorin.)