Solana under siege, wallets hacked in multimillion-dollar attack
More than 8,000 Solana wallets were drained of millions of dollars. Solana’s price dropped sharply in the hours that followed. The hack compromised internet-connected wallets, but the source of the attack remains unknown.
With many users reporting that their wallets are now empty, the Solana system appears to be the victim of the newest cyberattack in crypto. What’s worrisome is that the attack is still ongoing. The attack affected most of the Solana addresses. Those wallets held at least $5 million worth of SPL, SOL, and other Solana-based tokens.
The unknown hacker seems to have targeted Phantom, a Solana browser wallet, first. Experts are looking into a possible compromise of user keys involving seed phrases that users re-used on other wallets on various chains.
We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem. At this time, the team does not believe this is a Phantom-specific issue.
As soon as we gather more information, we will issue an update.
— Phantom (@phantom) August 3, 2022
Blockchain audit firm OtterSec reported, “Over 5,000 Solana wallets have been drained in the past few hours. These transactions are being signed by the actual owners, suggesting some private key compromise.”
Furthermore, while the cause of the cyberattack remains unclear, it evidently hit mobile wallet users hard. A trusted third-party service may have been compromised in a supply chain attack.
Engineers across the web, together with teams from other blockchains, are investigating the cause of the attack and the extent of the damage.
UPDATE: Over 8,000 #Solana wallets have fallen victim to the on-going hack, with more increasing by the minute.
— Watcher.Guru (@WatcherGuru) August 3, 2022
A spokesperson for the Ethereum wallet MetaMask told Decrypt, “We are actively communicating with the affected wallet teams to offer our help and monitor if there is anything we can do to keep our users safer.”
Solana’s value plunged
Hours after the news of the crypto exploit broke, Solana’s value dropped 8%, while its native token SOL dropped 4% after the attack. According to CoinMarketCap, Solana’s trading volume also increased 45% in the past 24 hours.
Magic Eden, a known Solana marketplace, posted on Twitter warning users of the latest exploit. The tweet says, “There seems to be a widespread SOL exploit at play draining wallets throughout the ecosystem.” Magic Eden also included tips on how to remove permissions from suspicious links.
🚨🚨🚨There seems to be a widespread SOL exploit at play that's draining wallets throughout the ecosystem
Here's what you can do right now to best protect yourself
1. Go to >Settings on your @phantom wallet
2. >Trusted Apps
3. >Revoke Permissions for any suspicious links💜
— Magic Eden 🪄 (@MagicEden) August 3, 2022
Phantom assured me they are probing the reported exploits. “We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem. Currently, the team does not believe this is a Phantom-specific issue. We will issue an update once we gather more information.”
However, the attack doesn’t seem to be targeted solely at Solana. One USDC user reported that his balance had also been emptied.
Hacker theories
Crypto author and analyst @oxfoobar confirmed that “the attacker is stealing both native tokens (SOL) and SPL tokens (USDC). It is affecting wallets that have been inactive for less than six months.”
Only a token specific delegation or an auto approve or a leaked seed could transfer assets from a wallet on behalf of the user. Since system transfers are happening, that rules out delegation. There is no way an “interaction” could make a wallet vulnerable https://t.co/Pdrmjk1WYZ
— toly 🇺🇸| bip-420 (@aeyakovenko) August 3, 2022
He concluded that the attack might be an “upstream dependency supply chain attack,” and advised that the circulating tips about revoking wallet approvals might not help. He suggested that transferring funds to an offline hardware wallet is a better course.
@oxfoobar added, “The users themselves sign these SOL and SPL transfers, not transferred away by a third party using approvals. So while you can revoke, it’s likely something has caused widespread private key compromise.”
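The reasoning in the quotes above (native SOL transfers cannot be delegated, so owner-signed system transfers point to key compromise rather than approval abuse) can be written as a small triage check. This is an added example, not code from the article or from any wallet team; the record fields, verdict labels, and addresses are assumptions constructed for illustration, and only the two program IDs are real Solana addresses.

```python
from collections import Counter

SYSTEM_PROGRAM = "11111111111111111111111111111111"
SPL_TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"

def classify_transfer(ix, wallet):
    """Say how one outgoing transfer from `wallet` was authorized."""
    signers = set(ix["signers"])
    if ix["program"] == SYSTEM_PROGRAM:
        # Native SOL cannot be delegated: the source account must sign.
        if ix["source"] == wallet and wallet in signers:
            return "owner-key"
        return "unrelated"
    if ix["program"] == SPL_TOKEN_PROGRAM and ix["token_owner"] == wallet:
        # A token transfer is signed by the owner or an approved delegate.
        if ix["authority"] not in signers:
            return "unrelated"
        return "owner-key" if ix["authority"] == wallet else "delegate"
    return "unrelated"

def triage(instructions, wallet):
    """Return (verdict, counts) for a wallet's outgoing transfers."""
    counts = Counter(classify_transfer(ix, wallet) for ix in instructions)
    if counts["owner-key"]:
        # Revoking approvals cannot stop someone who holds the key itself.
        verdict = "key-compromise"
    elif counts["delegate"]:
        verdict = "approval-abuse"
    else:
        verdict = "no-finding"
    return verdict, dict(counts)

# Constructed sample records (hypothetical schema, placeholder addresses).
WALLET, DRAINER, DAPP = "VictimWallet1111", "DrainerAddr2222", "DappDelegate3333"
DRAINED = [
    {"program": SYSTEM_PROGRAM, "source": WALLET, "dest": DRAINER,
     "signers": [WALLET]},
    {"program": SPL_TOKEN_PROGRAM, "token_owner": WALLET, "authority": WALLET,
     "dest": DRAINER, "signers": [WALLET]},
]
DELEGATED = [
    {"program": SPL_TOKEN_PROGRAM, "token_owner": WALLET, "authority": DAPP,
     "dest": DRAINER, "signers": [DAPP]},
]

if __name__ == "__main__":
    print(triage(DRAINED, WALLET))    # owner-signed SOL and SPL transfers
    print(triage(DELEGATED, WALLET))  # transfer signed by an approved delegate
```

A "key-compromise" verdict matches the pattern reported here, where the remedy is moving funds to a freshly generated key; "approval-abuse" is the only case where revoking permissions would help.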
Until experts resolve this attack, the issue will fuel an existing debate around the security of hot wallets, which stay connected to the internet all the time to give users an easier way to store, send, and receive crypto. USB drives connected to computers, also known as cold wallets, are more secure, but they are less convenient to use.