Solana Hack Shows the Weakness of Solidity

A day after the $190 million Nomad bridge hack, hackers targeted the Solana ecosystem, draining finds from several thousand connected hot wallets — those always connected to the internet.

We have real-time coverage from overnight.

The story is still developing and details are scarce, but blockchain security firm SlowMist’s crypto tracker said that more than 8,000 wallets were drained for what security firm PeckShield estimates to be about $8 million.

Other wallets including Phantom, Slope, Solflare, and TrustWallet were likewise compromised.

On Twitter, Solana’s co-founder Anatoly Yakovenko speculated that the hack was a a supply chain attack targeting iOS applications.

“Supply chain attacks happen when a hacker enters and modifies software by injecting their malicious code in a system. The code inserts can be employed to deliver a malicious payload or backdoor malware. In Solana’s case, it’s possible that a hacker attacked its iOS wallet libraries to extract private keys, based on the team’s analysis.

“Yakovenko came to his conclusion based (on) the fact that exploited wallets didn’t have prior interactions with dApps and had remained inactive for some time. This indicates that hackers may have extracted private keys from Solana’s hot wallets not with the usual phishing attacks carried out with malicious links.

“Gaining access to private keys means the hackers had the ability to transfer out funds from hot wallets, including Phantom and Slope wallet services.”

Solana gained market share by being fast and cheaper. But speed without correctness means you get hacked so fast you can’t respond.

Smart contracts and wallets should have stronger proofs that they don’t leak keys, which is part of the value of Symmetry, which we’re developing for Silvermint. Formal verification tools built into our code will prevent these kinds of events.