Solana Wallet Hack: Here’s What We Know So Far

Decrypt
2022-08-03

In brief

  • Thousands of Solana software wallets have had tokens drained since last night in a widespread attack totalling nearly $4.5 million thus far.
  • The exploit is believed to be due to software in certain wallets, including Slope and Phantom. Hardware wallets are not affected.

Solana users far and wide last night were startled to find that their wallets were being drained of SOL, the USDC stablecoin, and other Solana-based tokens in a widespread and ongoing hack. As of this writing, an estimated $4.46 million worth of coins and tokens have been nabbed so far.

According to blockchain explorer Solscan, the four identified attackers’ wallets have collectively attacked about 15,200 wallets, although there may be overlap between their targets. The official Solana Status account on Twitter pegged the tally at approximately 8,000 unique wallets as of earlier this morning.

As the attack apparently continues, the network’s core team and founder have started sharing theories on what’s happening. Per Solana Status, “engineers from across several ecosystems, in conjunction with audit and security firms, continue to investigate the root cause” of the attack.

“This does not appear to be a bug with Solana core code,” it added, “but in software used by several software wallets popular among users of the network.”

That theory comports with evolving sentiment last night and overnight among Solana developers and security experts. Initially, some thought that the exploit had to do with lingering permissions that users may have previously granted to a smart contract, and many platforms—such as top NFT marketplace Magic Eden—urged Solana users to revoke any permissions.

However, that didn’t appear to help since transactions were being signed, thus suggesting a compromise of users’ private keys. Instead, as the Solana Status update suggests, the prevailing theory now is that code within software-based wallet apps is being exploited in some manner to enable access to holders’ assets.

Solana co-founder and Solana Labs CEO Anatoly Yakovenko tweeted overnight that it “seems like an iOS supply chain attack,” suggesting that the issue pertained to wallets used on Apple’s iPhone and iPad devices. However, based on additional evidence, he added in a subsequent tweet that Android users are being affected, as well.