7000+ Solana wallets hacked in network-wide attack


$8 million in funds have been drained this Wednesday at 5 AM UTC in a widespread attack targeting 7,767 wallets on the Solana network, a number that is rising by around 20 new attacks per minute.

The attack affected “hot” wallets (wallets that stay connected to the internet) from a number of Solana-based wallet providers, including Phantom, Slope, Solflare, and TrustWallet. Crypto analyst @0xfoobar noted that “the attacker is stealing both native tokens (SOL) and SPL tokens (USDC)… affecting wallets that have been inactive for less than 6 months.”

In response to the attack, Phantom, a fast-growing Solana-based wallet that hit a $1.2 billion valuation in January and one of the wallet providers compromised in the attack, said it’s “working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem.” The wallet developer continued: “At this time, the team does not believe this is a Phantom-specific issue.”

Slope, another wallet provider compromised by the attack, added that it is “actively working to sort out the issue as rapidly as possible and rectify it the best we can”, while non-fungible token (NFT) marketplace Magic Eden called on users to revoke permissions for any suspicious links in their Phantom wallets.

Although the cause of the attack remains unclear, Emin Gün Sirer, founder of another popular blockchain called Avalanche, pointed out that the transactions were properly signed, which suggests the vulnerability could be a “supply chain attack” used to steal users’ private keys. @0xfoobar added that “it’s likely something has caused widespread private key compromise”, and warned that revoking wallet approvals will probably not help.

Moreover, popular scam detective @zachxbt also revealed that the hackers initially funded the primary wallet associated with this attack via Binance seven months ago. Based on the transaction history, the wallet had remained dormant until the day of the attack, when the hackers conducted transactions with four different wallets 10 minutes before the attack started.

This is not an isolated attack. The Solana attack comes hours after malicious actors abused a “chaotic” security exploit to steal almost $200 million in digital assets from cross-chain messaging protocol Nomad. The “free-for-all” attack, in which more than 41 addresses drained $152 million (80% of the stolen funds), was made possible by a recent update to one of Nomad’s smart contracts that made it easy for users to spoof transactions.

Another attack was carried out on the Ronin crypto bridge a day earlier, siphoning roughly $190 million in crypto assets.

The attack is still ongoing, with hundreds of Twitter users reporting on the hack under the Solana (SOL) trend, saying they have lost funds themselves or urging others to move their funds to “cold” wallets (hardware wallets that are not connected to the internet).

The Solana Status account is also issuing advice to its community on how to protect themselves against further attacks, urging users to “use hardware wallets”, “not reuse your seed phrase on a hardware wallet” but instead “create a new seed phrase”, and to treat affected wallets as “compromised, and abandoned.”

Story Update (Aug 3, 2022): On Wednesday afternoon, the official Solana Status Twitter account shared the preliminary findings of developers and security auditors, which revealed that “it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications.”

The thread continues: “This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure. While the details of exactly how this occurred are still under investigation, but private key information was inadvertently transmitted to an application monitoring service.”

The Phantom wallets that were drained of their SOL and tokens in the attack had previously interacted with a Slope wallet. The Phantom team tweeted: “Phantom has reason to believe that the reported exploits are due to complications related to importing accounts to and from Slope.”
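The Slope finding above, private key material reaching an application monitoring service, is the kind of leak a scrubbing step at the client boundary is meant to stop: nothing that looks like a seed phrase or a key should be serialised into a crash report or debug event in the first place. The following Python is an added example written for this page; it is not Slope’s, Phantom’s or Solana’s code, and the event shape, field names, the made-up base58 strings and the use of the public BIP39 test-vector phrase are all constructed for the demonstration.

```python
import re
from typing import Any

# Heuristics for secret material that must never leave a wallet app in telemetry.
# Base58 alphabet (no 0, O, I, l). A 32-byte seed encodes to 43-44 characters and
# a 64-byte ed25519 keypair to 87-88, so any run of 43+ base58 characters is
# treated as possible key material. Public addresses are 32 bytes too and get
# redacted as well; losing an address from a debug event is the cheaper side of
# that tradeoff.
BASE58_RUN_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{43,}\b")

# 12 to 24 lowercase words of 3-8 letters: the shape of a BIP39 seed phrase.
# This is a shape check, not a wordlist check, so it can also hit long lowercase
# sentences in free-text fields; over-redaction is acceptable here.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b")

# Field names whose value is redacted wholesale, whatever it looks like
# (compared after lowercasing and dropping '_' and '-'). Hypothetical list.
SENSITIVE_KEYS = {"privatekey", "secretkey", "mnemonic", "seed",
                  "seedphrase", "keypair", "recoveryphrase"}
REDACTED = "[REDACTED]"


def _normalise_key(key: str) -> str:
    return key.lower().replace("_", "").replace("-", "")


def scrub_value(value: Any) -> Any:
    """Recursively copy a JSON-like value, replacing anything that looks like key material."""
    if isinstance(value, dict):
        return {k: (REDACTED if _normalise_key(str(k)) in SENSITIVE_KEYS else scrub_value(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub_value(v) for v in value]
    if isinstance(value, str):
        value = MNEMONIC_RE.sub(REDACTED, value)
        return BASE58_RUN_RE.sub(REDACTED, value)
    return value


def scrub_event(event: dict) -> dict:
    """Return a copy of a telemetry event with key material removed; the input is untouched."""
    return scrub_value(event)


def contains_secret(event: dict) -> bool:
    """True if scrubbing would change the event, i.e. it carries something that looks like a secret."""
    return scrub_event(event) != event


def send_telemetry(event: dict, sink: list) -> dict:
    """Gate at the app boundary: only the scrubbed copy ever reaches the monitoring sink."""
    safe = scrub_event(event)
    sink.append(safe)
    return safe


# Constructed sample event, shaped like a debug report from a mobile wallet.
# The address and keypair strings are made-up base58 text and the phrase is the
# public BIP39 test vector, not anyone's real wallet.
SAMPLE_EVENT = {
    "event": "wallet_import",
    "app": "example-mobile-wallet/1.0 (constructed)",
    "address": "So1anaAddr3ssConstructedForExamp1eQn1yXyz12",
    "debug": {
        "mnemonic": "abandon abandon abandon abandon abandon abandon "
                    "abandon abandon abandon abandon abandon about",
        "message": "restored keypair 4xKeyMater1a1Construct3dForThisExamp1eNeverUse5m3KeYabc",
    },
}

if __name__ == "__main__":
    sink: list = []
    send_telemetry(SAMPLE_EVENT, sink)
    print(sink[0])
```

The scrubber is deliberately lossy: the address field is redacted along with the secrets because a 32-byte public key and a 32-byte seed are indistinguishable by shape once base58-encoded, and a debug event without an address is far cheaper than one with a key in it. `contains_secret` is the check a test suite or a pre-release audit would run over captured events to confirm that no code path serialises key material at all.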

Solana also released a statement through Twitter to this effect.

Story Update (Aug 5, 2022): Shane Brunette, the CEO of Australia-based CryptoTaxCalculator confirmed that crypto lost via a hack or an exploit could be declared as a loss for tax purposes in certain jurisdictions. She added: “This means the original amount you paid for the asset(s) can be used to offset other capital gains.”

Crypto Tax Calculator released a Twitter thread explaining the process to the affected users.

Danny Talwar, head of tax at Koinly, reiterated Shane’s statement. He advised: “To claim a capital loss for hacked crypto, you’ll need to demonstrate evidence to the Australian Tax Office (ATO) that the crypto is lost and it was under your control,” suggesting the use of blockchain explorer tools like Etherscan and Solscan to provide evidence of the hacker’s destination address and the status of the lost funds. In Australia, the evidence would also need to include dates and the addresses of all the wallets involved.

Although this may not work in the U.S., it is a valid process in the U.K., Australia, and Canada.
