Blog » Solana Wallet Hack. What happened?

Solana Wallet Hack. What happened?

3 min read

Earlier this week, the Solana crypto community was rocked by what looked like an unsolvable hack that drained roughly $4.5 million in SOL from several thousand users’ wallets. 

An initial estimate by the team at MistTrack had identified 8,000 affected wallets with their funds being siphoned off to four addresses belonging to the alleged perpetrators. Another report by Decrypt gave a 15,200 estimate of affected Solana wallets.  

Additionally, the MistTrack team estimated that the combined losses could have been $580 million if the calculations factored in the value of an obscure token known as EXIST, also stolen by the hacker. 

What Initial Reports Stated Was the Cause of the Solana Hack and Recommendations to Keep SOL Users Safe.

With the attack being identified late Tuesday, August 2nd, details of how it unfolded are slowly coming to light. 

In the early hours of the exploit, the team at PeckShield had narrowed down the probable cause to a supply chain issue affecting some Solana wallets. They went on to identify TrustWallet and Slope Wallet as potentially being compromised. According to their analysis, the attacker somehow had managed to steal or uncover the private keys of users of specific Solana wallets.

Crypto and DeFi community member @0xfoobar also narrowed down the problem to a supply chain issue that revealed private keys. He identified that the hack affected Phantom and Slope wallets users, who had been inactive for more than six months. He recommended that Solana holders transfer their funds to a hardware or crypto exchange wallet as they seemed not to be affected by the problem. 

The crypto exchanges of Binance, OKX, and KuCoin, through their respective CEO’s also recommended that Solana holders transfer their SOL to the three platforms for safe keeping as the root cause of the issue was being investigated. 

Solana’s engineers also looked into the issue. They concluded that the problem was not a bug in the Solana core code but a weakness in software used by popular third-party SOL wallets. They recommended Solana holders transfer their SOL to hardware wallets as they seemed not to be affected by the flaw. 

Further Investigations Revealed Slope Wallet Stored Private Keys as Plain Text. 

As investigations intensified to find the root cause of the problem, several answers began to emerge.

Firstly, the OtterSec team separately confirmed that Slope Wallet users were affected. From their investigations, Slope’s mobile app sends private key mnemonics through TLS to their centralized Sentry server. The mnemonics are then stored in plain text, which means anyone with access to their Sentry server could access users’ private keys. 

Secondly, Solana engineers also established that Slope Wallet’s private key information was somehow transferred to an application monitoring service leading to users’ funds being compromised. 

Thirdly, the Slope Finance team behind the wallet issued a Twitter statement explaining that they had removed the server-side logging that could have led to the access to their Sentry server. They also concluded that this weakness could be traced to 1,444 of the 9,233 wallets affected. 

Ethereum Wallets Could Have Been Affected.

However, the exploit might not have been limited to Solana-based wallets. 

According to Adam Cochran, a partner at Cinneamhain Ventures, Trust Wallet users with Ethereum-based assets could have also been affected. But their numbers were significantly small, given that MetaMask is the preferred wallet for most Ethereum users. 

He, therefore, requested any Ethereum user who has possibly lost funds through the hack to contact him as soon as possible to aid in the investigations. 

Some Solana White-hat Hackers Fought Back.

It has also emerged that during the early moments of the Solana exploit, white-hat hackers comprising of developers and security auditors sat down to figure out what was happening and how they could stop it. 

They settled on deploying a script that would try and ‘write-lock the attacker’s accounts, slowing their transactions down.’ The script would put constant write-locks on the hacker’s accounts, thereby preventing their transactions from executing successfully in a manner similar to a distributed denial-of-service (DDoS) attack. 

The method slowed down the attacker, but it resulted in several Solana RPC servers crashing due to overwhelming requests. Although RPC servers crashing also frustrated regular Solana users, the downtime probably slowed down the attacker further and gave investigators additional time to figure out the problem.

NFT Leak Method Disclosed by OMNIA Used to Possibly Identified the Hacker. 

Besides slowing down the attacker, white-hat hackers have possibly identified the Solana attacker using an NFT leak method disclosed by the OMNIA team. 

Crypto community member @lordnarfz0g used this method to send an NFT to the hacker’s known blockchain addresses. The NFT then recorded the hacker’s metadata requests, thus revealing their IP address

A Final Postmortem of the Solana Hack is Yet to Be Released.

Also worth mentioning is that the above-shared information should not be considered an official postmortem report of what actually happened in the Solana ecosystem. Solana engineers and the Slope Finance team have yet to release official reports showing how the exploit occurred. 

The Slope wallet team has explained that they are ‘still actively diagnosing, and are committed to publishing a full post-mortem, earning back your trust, and making this as right as we can.’ 

Similarly, the Solana team said, ‘engineers from across several ecosystems, in conjunction with audit and security firms, continue to investigate the root cause of an incident that resulted in approximately 8,000 wallets being drained.’ 

Written by:

Get Started
Contact Us Today

Want learn about subscription plans or integrating our services into your project

Contact Us