The Solana ecosystem appears to be the recent victim of cryptocurrency’s latest exploit, with users reporting that funds from major internet-connected “hot” wallets such as Phantom, Slope, and TrustWallet were drained without their knowledge.
According to blockchain auditors OtterSec, the attack is still underway, with over 8,000 wallets compromised so far. Various Solana addresses have been associated with the attack (1, 2, 3, 4), with those wallets accumulating at least $5 million in SOL, SPL, and other Solana-based tokens from innocent users.
The precise cause of Tuesday’s attack remained unknown throughout the night, though it appears to have primarily impacted mobile wallet users. The attacker gained the ability to sign (i.e., initiate and approve) transactions on behalf of users, implying that a trusted third-party service was compromised in a supply chain attack.
According to a tweet by SolanaStatus, engineers from various networks discovered that the bug is not related to Solana core code, but rather to software used by several software wallets.
The attack will definitely revive a long-running debate regarding the security of hot wallets, which are always connected to the internet for providing users with a convenient way to send, store, and receive cryptocurrency. Cold wallets, which are USB drives that must be plugged into a computer to sign transactions, are being hailed as a more secure, if less convenient, alternative.
We are investigating the incident involving Solana wallets and are collaborating with other teams in the ecosystem to find out what happened. We will issue an update once we have more information, said a representative of Phantom, the largest Solana hot wallet, in a statement to CoinDesk. Right now, the team does not feel this is a Phantom-specific issue.
Some users suspected that the hack was linked to transactions on Magic Eden’s Solana-based non-fungible token (NFT) marketplace, but this link became less clear as the attack progressed. To avoid being attacked, the marketplace tweeted an alert to users to reverse wallet permissions for any suspicious links. Users were also advised to move everything to a cold wallet/ledger.
Twitter continues to be inundated with reports of Solana users discovering that tokens have mysteriously vanished from their accounts.
I was getting my sunglasses repaired when I received a push notification from my mobile wallet that I had sent all of the SOL from my wallet, Solana community member @gostak gm told CoinDesk. It was my primary hot wallet, so I had it linked to numerous mobile and web extension wallet providers, as well as numerous dapps. I’m not sure what the underlying cause was. I’m relieved that the majority of my funds are in a cold wallet.
At this time, it is unclear whether the vulnerability is limited to the Solana blockchain. A user of the TrustWallet and Slope wallets reported losing USDC on Solana and Ethereum.
According to DefiLlama, Solana is the fifth-largest blockchain by total value locked (TVL) and has grown in popularity over the last year due to its quick transactions and low fees. Its native token, SOL, fell 4% in the hours following the attack.
