Solana Wallet Exploit
Originally posted here.
There have been many hacks taking place in the Web3 crypto space lately, and today we have been hit with news of yet another. This time round, Solana users are being affected by one such exploit, with assets worth millions of dollars already having been stolen. Among the affected are users of the Solana based Phantom and Slope wallets. The targeted hot wallets have had native SOL and SPL tokens drained from them.
Even though it is still early and the exact method of the hack is yet to be discovered, Emin Gün Sirer, CEO at Ava Labs (Avalanche), took to Twitter to offer some insight into the situation. Emin explained, amongst other things, that the exploit may be a “supply chain attack” in which a compromised JS library exfiltrates users’ private keys. He mentions that the affected wallets for the most part seem to have been generated in the last nine months.
More details below in Emin’s thread.
There’s an ongoing attack targeting the Solana ecosystem right now. 7000+ wallets affected, and rising at 20/min. Because it’s very early and the attack is ongoing, there’s a lot of misinformation and speculation. So here are a few thoughts and clarifications.
— Emin Gün Sirer (@el33th4xor) August 3, 2022
The Phantom wallet team were quick to issue a statement on the matter, mentioning that the exploit was not Phantom-specific, and that the team was working closely with another team in the Solana ecosystem to resolve the issue.
We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem. At this time, the team does not believe this is a Phantom-specific issue.
As soon as we gather more information, we will issue an update.
— Phantom (@phantom) August 3, 2022
This exploit comes at a seemingly bad time for Solana, as recently the Solana Foundation opened Solana Spaces NYC, the world’s first retail & educational space dedicated to Web3.
Solana Spaces has been created as an area to introduce people to the wider blockchain and Web3 industry, and specifically, you guessed it, the Solana ecosystem. During their visit to Solana Spaces, one of the major activities that visitors could partake in was setting up a new Phantom wallet.
If the compromise really is tied to when a wallet was generated, as Emin suggests, then the Phantom wallets freshly created by visitors to Solana Spaces could be among those affected.
Let’s take a further look.
Overall, Solana Spaces is meant to be an immersive Web3 learning space, where visitors can explore and learn about the Solana ecosystem, as well as blockchains in general. There are many things to do in Solana Spaces, and visitors are rewarded for partaking in some of the activities with NFTs and USDC.
As mentioned above, visitors can get set up with a Phantom crypto wallet in the Phantom Seed Phrase Booth, get hands-on with the Solana Saga mobile, and browse a wide range of new Solana-themed and crypto lifestyle merch. If using Solana Pay for your purchase, you get up to 50% off. Solana Spaces also features an NFT gallery, and each season they’ll be featuring a new NFT collection. The first NFT collection to be featured is DegenApeAcademy.
Solana Spaces is committed to bringing Solana to the masses, and will be rotating the in-store experience every month to help keep things interesting. Furthermore, according to the thread below, there is a lot more to come.
Solana Spaces NYC is now open: https://t.co/jZcZ99l5Cj
We’re the world’s first retail & educational space dedicated to Web3.
Brought to you in collaboration with @solanafndn, and partners @phantom, @stepnofficial, @orca_so, @magiceden, @metaplex, @degenapeacademy and more. pic.twitter.com/VoKnrIMmWP
— Solana Spaces (@solanaspaces) July 28, 2022
Advice from the community
We can only hope that the issue is resolved swiftly and that individual users have not been too badly affected. At the time of the hack, many took to Twitter to offer information on the situation.
One such user is foobar, who explains in their detailed thread that “Revoking [dApp] approvals will probably not help – only transferring to an offline hardware wallet […] because these SOL and SPL transfers are signed by the users themselves, not transferred away by a third party using approvals. So while you can revoke, it’s likely something has caused widespread private key compromise.”
Widespread Solana private key compromise
– attacker is stealing both native tokens (SOL) and SPL tokens (USDC)
– affecting wallets that have been inactive for >6 months
– both Phantom & Slope wallets reportedly drained pic.twitter.com/AkZXOGLD0Q
— foobar (@0xfoobar) August 3, 2022
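The distinction foobar draws is one you can check on-chain: Solana's SPL token program does have an approve/revoke delegate mechanism, so a drained token account could in principle have been emptied by a delegate, but a native SOL transfer out of a wallet only happens under that wallet's own signature. The script below is an added example, not code from the original post, from foobar, or from any wallet team. It reads transactions in the layout the Solana JSON-RPC getTransaction method returns with encoding="jsonParsed" (the accountKeys signer flags and the parsed "authority" field of spl-token transfers) and labels each outgoing transfer as signed by the victim's own key, which is consistent with private key compromise, or signed by a delegate, which a revoke would stop. Every public key and both transactions are constructed placeholders, not real on-chain data.

```python
"""Triage: did a drained Solana wallet sign its own outgoing transfers?

Added example, not code from the original post, from foobar, or from any
wallet team. Input is the shape of a Solana JSON-RPC getTransaction result
with encoding="jsonParsed". All keys and transactions below are constructed.
"""

SYSTEM_PROGRAM = "11111111111111111111111111111111"
TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"

# Constructed placeholder keys (real ones are 32-byte base58 strings).
VICTIM = "VictimWallet1111111111111111111111111111111"
VICTIM_USDC = "VictimUsdcTokenAccount11111111111111111111"
ATTACKER = "AttackerWallet11111111111111111111111111111"
ATTACKER_USDC = "AttackerUsdcTokenAccount1111111111111111111"
DELEGATE = "DappDelegate111111111111111111111111111111"


def classify_transfers(tx, victim, victim_token_accounts):
    """One record per transfer that moves value out of the victim's accounts."""
    msg = tx["transaction"]["message"]
    signers = {k["pubkey"] for k in msg["accountKeys"] if k["signer"]}
    out = []
    for ix in msg["instructions"]:
        parsed = ix.get("parsed")
        if not isinstance(parsed, dict):
            continue  # raw instruction the RPC could not decode; skip it
        info = parsed.get("info", {})
        if ix["programId"] == SYSTEM_PROGRAM and parsed["type"] == "transfer" \
                and info.get("source") == victim:
            # Native SOL only leaves a system account under that account's own signature,
            # so a SOL drain always means the attacker held the victim's key.
            out.append({"asset": "SOL", "amount": info["lamports"], "to": info["destination"],
                        "signed_by_victim": victim in signers, "via_delegate": False})
        elif ix["programId"] == TOKEN_PROGRAM \
                and parsed["type"] in ("transfer", "transferChecked") \
                and info.get("source") in victim_token_accounts:
            # SPL transfers are signed by the token account owner or by a delegate the
            # owner previously approved; "authority" names whoever signed this one.
            authority = info.get("authority") or info.get("multisigAuthority")
            amount = info.get("amount") or info["tokenAmount"]["amount"]
            out.append({"asset": "SPL", "amount": amount, "to": info["destination"],
                        "signed_by_victim": authority == victim and victim in signers,
                        "via_delegate": authority != victim})
    return out


def verdict(findings):
    """KEY_COMPROMISE if the victim's own key signed any drain, else DELEGATE_TRANSFER / NONE."""
    if not findings:
        return "NONE"
    if any(f["signed_by_victim"] for f in findings):
        return "KEY_COMPROMISE"   # revoking approvals will not help; move to a fresh wallet
    return "DELEGATE_TRANSFER"    # an SPL approve was used; revoke it and review the dApp


def _keys(*entries):
    return [{"pubkey": p, "signer": s, "writable": True, "source": "transaction"}
            for p, s in entries]


# Constructed: the victim wallet itself signs a SOL sweep and a USDC transfer to the attacker.
DRAINED_TX = {"transaction": {"message": {
    "accountKeys": _keys((VICTIM, True), (ATTACKER, False), (VICTIM_USDC, False),
                         (ATTACKER_USDC, False), (SYSTEM_PROGRAM, False), (TOKEN_PROGRAM, False)),
    "instructions": [
        {"program": "system", "programId": SYSTEM_PROGRAM,
         "parsed": {"type": "transfer",
                    "info": {"source": VICTIM, "destination": ATTACKER, "lamports": 1_990_000_000}}},
        {"program": "spl-token", "programId": TOKEN_PROGRAM,
         "parsed": {"type": "transfer",
                    "info": {"source": VICTIM_USDC, "destination": ATTACKER_USDC,
                             "authority": VICTIM, "amount": "500000000"}}},
    ]}}}

# Constructed: a previously approved delegate signs; the victim's key is not a signer at all.
DELEGATE_TX = {"transaction": {"message": {
    "accountKeys": _keys((DELEGATE, True), (VICTIM_USDC, False),
                         (ATTACKER_USDC, False), (TOKEN_PROGRAM, False)),
    "instructions": [
        {"program": "spl-token", "programId": TOKEN_PROGRAM,
         "parsed": {"type": "transferChecked",
                    "info": {"source": VICTIM_USDC, "destination": ATTACKER_USDC,
                             "authority": DELEGATE,
                             "tokenAmount": {"amount": "500000000", "decimals": 6}}}},
    ]}}}


if __name__ == "__main__":
    for name, tx in (("drained", DRAINED_TX), ("delegate", DELEGATE_TX)):
        findings = classify_transfers(tx, VICTIM, {VICTIM_USDC})
        print(name, verdict(findings), findings)
```

Run against the two constructed transactions, the first comes back as KEY_COMPROMISE (the victim's key is a signer and is the authority on the token transfer) and the second as DELEGATE_TRANSFER. In the incident described on this page the reports were of both SOL and SPL tokens leaving the same wallets, which is the first pattern, and that is why the advice was to move remaining funds to a wallet whose key was never on the affected device rather than to revoke approvals.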