Solana-based wallet hack drains more than $6M in ongoing attack

A large-scale exploit has hit the Solana blockchain ecosystem, compromising more than 7,000 Solana wallets in an attack by an unknown party that began late Tuesday evening.

The attack at first appeared to originate in the Solana-based Phantom wallet, but it was later found to affect the Slope wallet as well.

Users whose wallets were drained appear to have had their private keys compromised and all of their funds taken. The stolen funds were mainly Solana (SOL) and the USD Coin stablecoin, though many other tokens were also taken. All of the affected wallets appeared to have been inactive for more than six months.

As of about 1 a.m. EDT today, Solana tweeted that 7,767 wallets had been affected. Solana Labs co-founder and Chief Executive Anatoly Yakovenko said on Twitter that the exploit was most likely a “supply chain attack” involving iOS, although some reports also came from Android users.

“All the confirmed stories so far have had [a private] key imported or generated on mobile,” said Yakovenko.

Update: An investigation by Slope revealed that some of its wallets had been compromised in the breach. The company said it was “actively conducting internal investigations and audits” and “working with developers, security experts, and protocols” to identify and fix the problem. Slope urged users to create new wallets with new, unique seed phrases and to transfer all of their assets to them. Hardware wallet users were not affected.

Solana also updated its status on Twitter, saying, “After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported or used in Slope mobile wallet applications… There is no evidence the Solana protocol or its cryptography was compromised.”

Although the details of how the breach occurred are still under investigation, Solana’s update added that private key information had been “inadvertently transmitted to an application monitoring service.” If that is what happened, anyone with access to that service’s data could recover the keys and sign transactions from the affected wallets without needing to break any of Solana’s cryptography.
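What a redaction layer between a wallet client and its crash-reporting SDK looks like, as an added example for this page rather than code from Slope, Solana or any monitoring vendor: it assumes a JavaScript wallet client and a monitoring SDK that accepts an arbitrary event object, and the field names, regular expressions, allowlist and sample wallet state are all constructed for illustration. The unsafe builder ships whatever state the error handler had in scope; the hardened builder allowlists fields first and then scrubs key-looking strings from what survives, including the error message itself.

```javascript
// Added example (not from the article): scrub a crash/telemetry event before it
// leaves a wallet client. Assumes a JavaScript wallet and a monitoring SDK that
// accepts an arbitrary event object. All names and sample data are constructed.

// Field names that should never be reported, regardless of their values.
const SECRET_FIELD_NAMES = /mnemonic|seed|secret|private|keypair|passphrase/i;

// A Solana secret key is 64 bytes, which is 87 or 88 characters in base58.
const BASE58_SECRET_KEY = /\b[1-9A-HJ-NP-Za-km-z]{87,88}\b/g;

// A BIP39 phrase is 12 to 24 lowercase words of 3 to 8 letters (coarse heuristic).
const MNEMONIC_PHRASE = /\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b/g;

// The only wallet-state fields the monitoring service is allowed to see.
const ALLOWED_EXTRA_FIELDS = new Set(["screen", "platform", "rpcEndpoint", "errorCode"]);

function scrubString(value) {
  return value
    .replace(BASE58_SECRET_KEY, "[REDACTED_KEY]")
    .replace(MNEMONIC_PHRASE, "[REDACTED_MNEMONIC]");
}

function scrubValue(key, value) {
  if (SECRET_FIELD_NAMES.test(key)) return "[REDACTED]";
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(key, v));
  if (value && typeof value === "object") return scrubObject(value);
  return value;
}

// Returns a scrubbed deep copy; the original object is not modified.
function scrubObject(obj) {
  const out = {};
  for (const [k, v] of Object.entries(obj)) out[k] = scrubValue(k, v);
  return out;
}

// Unsafe: report whatever state the error handler happened to have in scope.
function buildEventUnsafe(err, walletState) {
  return { message: err.message, extra: walletState };
}

// Hardened: keep only allowlisted fields, then scrub what survives (message included).
function buildEventSafe(err, walletState) {
  const extra = {};
  for (const k of Object.keys(walletState)) {
    if (ALLOWED_EXTRA_FIELDS.has(k)) extra[k] = walletState[k];
  }
  return scrubObject({ message: err.message, extra });
}

// Constructed sample data: a base58 string of secret-key length and a throwaway
// 12-word phrase. Neither belongs to a real wallet.
const FAKE_SECRET_KEY = "3xQ7Lk9m".repeat(11); // 88 base58 characters
const FAKE_MNEMONIC =
  "abandon ability able about above absent absorb abstract absurd abuse access accident";

const sampleWalletState = {
  screen: "ImportWallet",
  platform: "ios",
  mnemonic: FAKE_MNEMONIC,
  keypair: { publicKey: "11111111111111111111111111111111", secretKey: FAKE_SECRET_KEY },
  lastInput: `user pasted ${FAKE_MNEMONIC}`,
};
const sampleError = new Error(`import failed for key ${FAKE_SECRET_KEY}`);

// True if either sample secret appears anywhere in the serialized event.
function leaksSecret(event) {
  const serialized = JSON.stringify(event);
  return serialized.includes(FAKE_SECRET_KEY) || serialized.includes(FAKE_MNEMONIC);
}

console.log("unsafe event leaks:", leaksSecret(buildEventUnsafe(sampleError, sampleWalletState)));
console.log("safe event leaks:", leaksSecret(buildEventSafe(sampleError, sampleWalletState)));
```

The allowlist is the primary control; the regex scrub is a backstop for secrets that reach free-text fields such as error messages, and being a heuristic it will also over-redact ordinary lowercase sentences of 12 or more short words, which is the right failure direction for telemetry.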

Blockchain analysis firm PeckShield also agreed that it was most likely a supply chain attack.

A supply chain attack happens when an attacker slips malicious code into software through a trusted component, such as a third-party library. For example, an attacker could modify the code that renders a button in a user interface so that it still displays the button as before but also carries a hidden backdoor, and every application that pulls in that component inherits the backdoor.

Yakovenko attributed the incident to an iOS supply chain attack because all of the exploited wallets had been idle for so long and had not interacted with any other apps. That suggested the attackers had not tricked users into logging into their wallets or clicking malicious links to gain access.

“A platform is only as secure as its weakest link,” Yale Fox, member of the Institute of Electrical and Electronics Engineers, told SiliconANGLE. “This is why organizations need to consider their vulnerabilities to supply chain-based software attacks.”

The problem is more widespread than it might appear, Fox explained, pointing to the recent discovery of 35,000 GitHub projects that had been cloned and injected with malware. The original open-source projects were unaffected; it was the forked lookalikes that had been modified with backdoors.

Crypto investor and analyst Miles Deutscher estimated that approximately $6 million in assets was stolen in the hack, whereas blockchain analysis firm PeckShield put the figure at more than $8 million.

This hack comes after the Solana blockchain suffered multiple outages in 2022, with the fifth outage occurring in June that lasted approximately four hours.

“With a locked valuation of nearly $14 billion USD, the $8 million USD lost in this Solana hack is a drop in the ocean,” Max Kordek, co-founder and chief executive of Lisk, a blockchain application development platform, said in a statement to SiliconANGLE. “The problem here lies rather in the large number of likely real-world users of Solana affected. This hack is a consecutive security problem with their platform that will cause confidence in the platform to decrease.”

It also comes a day after an exploit of the Nomad token bridge led to the theft of almost $200 million. That exploit was caused by a vulnerability introduced during a routine upgrade to the bridge, which allowed attackers to spoof any message on the bridge.

It’s the second major hack in August and one of 11 major hacks so far in 2022, according to Blockworks. The biggest of those was an exploit in which attackers stole $615 million worth of cryptocurrency tokens from the Ronin Bridge, which supported the crypto collector game Axie Infinity.

Experts have said that as blockchain and crypto innovation continue to expand at a breakneck pace, the systems that maintain security need to keep up; otherwise, these types of exploits, bugs and hacks will continue to plague the industry.

“Disruptive technologies are volatile and, with that, bring significant risk and great rewards,” said Daniel Keller, co-founder of decentralized cloud infrastructure provider Flux. “Most of the developers in the blockchain space are learning on the fly, as they come from conventional technology stacks and are retrofitting their skills. Education will become a driving force for better and more secure programming. We all must remember that technology is not born but instead, developed.”