Over the past few days, Solana users have suffered attacks by unknown bad actors, with several million dollars worth of crypto being stolen. At the moment, wallets are still being drained, albeit at a slower rate.
Solana’s security team has spent its time looking for the breach point, and it seems the likely culprit has been found.
In spite of the fact that the attack targeted Solana users, it appears that it is not Solana itself at fault – rather the blame reportedly lies with a third-party wallet provider, Slope.
Slope Hardware Wallets Involved
So far, Solana has confirmed that the issue seems to affect only Slope’s hot wallets, as no hardware wallets have been affected.
However, Solana devs heartily recommend that all Slope users generate a new seed phrase, regardless of the type of wallet they were using.
“Create a new and unique seed phrase wallet, and transfer all assets to this new wallet. Again, we do not recommend using the same seed phrase on this new wallet that you had on Slope. If you are using a hardware wallet, your keys have not been compromised.
We are still actively diagnosing, and are committed to publishing a full post-mortem, earning back your trust, and making this as right as we can.”
Red Herrings – Pardon, Phantoms
While the investigation of the data breach was still underway, it was initially assumed that the issue was more widespread, since Phantom wallets were also being drained. Nevertheless, it quickly became apparent that the Phantom wallets being exploited had not, in fact, been used exclusively with Phantom.
“If you’ve used Slope at all consider those wallets burned. Nothing yet to indicate Phantom itself has had an issue, though it’s interesting that there haven’t been reports of users on Solflare who used their seed on Slope as well, while there’ve been many with Phantom.”
In fact, the drained Phantom wallets had also used Slope, as confirmed by Austin Federa, the head of communications at Solana.
The last 24 hours saw developers, security firms, and individual contributors from across Solana, Ethereum, and cross-chain wallets come together to investigate what at first appeared to be a massive supply-chain hack, impacting Solana and Ethereum.
— Austin Federa | sms (@Austin_Federa) August 3, 2022
This statement was later confirmed by Phantom devs, who also recommended that Phantom users who had created their wallets with Slope send their funds to a non-Slope wallet.
Seed Phrases Allegedly Stored Server-Side
As the investigation continues, reports are also coming in that the breach of the Solana network via Slope does not come from unsatisfactory coding on Slope’s side either – rather, the breach reportedly occurred due to Slope logging seed phrases on their servers.
Correction – the Slope wallet did not send seed phrases to external partners, but may have logged them on their own centralized servers. Apologies for getting a bit ahead of myself, postmortem still in progress. Wait for an announcement from the team for true confirmation.
— foobar (@0xfoobar) August 3, 2022
This cybersecurity malpractice appears to have led to about 9000 wallets being drained of multiple cryptocurrencies, with the largest amounts being in SOL and USDC.
The investigation is still ongoing, and post-mortems will be published by all parties involved once the exact attack methods have been ascertained.