What we know about the Solana attacks

Silvermint, published in Silvermint News, Aug 3, 2022

Nearly 8,000 Solana wallets have been drained by attackers. Here’s what we know about the attacks.

1. Private keys were stolen and used to sign transactions that drained victims’ wallets. Here’s the list of wallets and the hackers’ accounts:

https://dune.com/queries/1131425

Phantom, Slope, Solflare, TrustWallet wallets were affected across multiple platforms, as well as a few wallets on other chains, including Ethereum.

2. The theft probably occurred through a “supply-chain attack” on a cross-chain app, since the only ETH wallets drained were linked to Solana ones. Supply-chain attacks work by corrupting application dependencies rather than the main repository. There’s no concrete evidence yet for this, but there is indirect evidence in that no hardware wallets were affected.

https://twitter.com/adamscochran/status/1554674564545789953

https://twitter.com/adamscochran/status/1554644902717169664

https://twitter.com/SolanaStatus/status/1554658171934937090

https://twitter.com/SolanaStatus/status/1554696134857310208

3. There was also some speculation that perhaps some software was misusing a cryptographic library in a way that leaks the private key. That is easy to do: there are at least 50 libraries whose APIs let clients make that kind of mistake, including ed25519-dalek, which Solana relies on. There’s no concrete evidence for this, though, and the fact that the attack was not more widespread means it’s probably not the exploit in this case.

4. Several Solana RPC nodes went down. Some reported a DDoS attack by white hat hackers attempting to slow down the network to prevent the attackers’ transactions from going through:

https://twitter.com/WatcherGuru/status/1554683085819609088

However, this was never confirmed by Solana. Instead, @kiyomiwallet says they were told it was a software bug:

https://twitter.com/kiyomiwallet/status/1554704054328213506

Update: As of August 3, it no longer appears that the attack was a supply-chain attack. Zellic.io, a blockchain auditing group, discovered that a week ago, Slope began logging seed phrases to its Sentry logs. Someone with access to the logs would have all the information they needed to drain the accounts.
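The failure described in the update, a wallet shipping seed phrases to its error-reporting service, is one that a client-side scrubber can catch before the event leaves the device. Below is an added example (not code from Slope, Zellic or the original post) of a redaction function shaped to be passed as Sentry's `before_send` callback; the field names, the regex heuristics and the sample event are constructed assumptions, not the real Slope payload.

```python
import re
from typing import Any, Optional

# Heuristic for a BIP39-style seed phrase: 12 to 24 lowercase words of 3-8 letters
# separated by single spaces. A production check would also verify each word against
# the 2048-word BIP39 list; over-redaction is accepted here in preference to leakage.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")
# Heuristic for a base58-encoded 64-byte secret key (about 87-88 characters).
# The 80-character floor is an assumption chosen to leave 32-byte public keys (43-44 chars) alone.
BASE58_SECRET_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{80,}\b")
# Field names that are redacted outright, whatever their value (assumed names).
SENSITIVE_KEYS = {"mnemonic", "seed", "seed_phrase", "secret_key", "private_key", "keypair"}
REDACTED = "[REDACTED]"


def scrub_text(s: str) -> str:
    """Redact anything in a free-text value that looks like a seed phrase or secret key."""
    return BASE58_SECRET_RE.sub(REDACTED, MNEMONIC_RE.sub(REDACTED, s))


def scrub(obj: Any, key: Optional[str] = None) -> Any:
    """Walk an event recursively, redacting sensitive keys and scanning every string."""
    if isinstance(key, str) and key.lower() in SENSITIVE_KEYS:
        return REDACTED
    if isinstance(obj, str):
        return scrub_text(obj)
    if isinstance(obj, dict):
        return {k: scrub(v, k) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    return obj


def before_send(event: dict, hint: Any) -> dict:
    """Drop-in for sentry_sdk.init(before_send=before_send): returns the scrubbed event."""
    return scrub(event)


# Constructed sample event in Sentry's event shape; the phrase and key are dummies.
SAMPLE_EVENT = {
    "message": "wallet import failed",
    "extra": {"mnemonic": "abandon " * 11 + "about", "user_agent": "slope/1.0"},
    "breadcrumbs": {"values": [{"message": "restoring wallet from phrase " + "abandon " * 11 + "about"}]},
    "tags": {"pubkey": "A1b2C3d4" * 5 + "A1b2", "secret": "A1b2C3d4" * 11},
}


def scrubbed_sample() -> dict:
    return before_send(SAMPLE_EVENT, None)
```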

We’ll update this post as we get more information.
