Thousands of Solana wallets drained in multimillion-dollar exploit

Solana, an increasingly popular blockchain known for its speedy transactions, has become the target of the crypto sphere’s latest hack after users reported that funds have been drained from internet-connected “hot” wallets.

An unknown actor drained funds from approximately 8,000 wallets on the Solana network, Solana’s Status Twitter account said. It’s estimated the loss so far is around $8 million.

The attack — which has affected only “hot” wallets, those that stay connected to the internet so people can store and send tokens easily — does not appear to be limited to Solana. Justin Barlow, an investor at Solana Ventures, reported that his USDC balance was drained as well. Crypto analyst @0xfoobar confirmed that “the attacker is stealing both native tokens (SOL) and SPL tokens (USDC)… affecting wallets that have been inactive for less than 6 months.”

The attack has compromised other wallets including Phantom, Slope and TrustWallet. Initial reports suggested Solflare users were also impacted, but the company tells TechCrunch it has not been affected by this exploit. Wallets drained should be treated as compromised and abandoned, Solana warned as it encouraged users to switch to hardware or “cold” wallets.

Phantom, a fast-growing Solana-based wallet that hit $1.2 billion in valuation in January, said hours after the hack that it “does not believe this is a Phantom-specific issue.”

The wallet developer later said it “has reason to believe that the reported exploits are due to complications related to importing accounts to and from Slope Finance. We are still actively working to identify whether there may have been other vulnerabilities that contributed to this incident.”

Slope added that it is “actively working to sort out the issue as rapidly as possible and rectify best we can”, while non-fungible token (NFT) marketplace Magic Eden called on users to revoke permissions for any suspicious links in their Phantom wallets.

The cause of the attack remains unclear, but industry leaders including Emin Gün Sirer, founder of Avalanche, another popular blockchain, pointed out that the transactions were properly signed, which means the vulnerability could be a “supply chain attack” that manages to steal users’ private keys. @0xfoobar added that “it’s likely something has caused widespread private key compromise”, and warned that revoking wallet approvals will probably not help.
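To make the reasoning above concrete, here is an added illustration that is not code from the article, Solana, or any of the wallets named: a constructed Go model using Ed25519 (the signature scheme Solana uses) with a simplified "delegate" approval standing in for an SPL-style token approval. It shows why a properly signed transfer made with a copied owner key passes the same checks as the owner's own, so revoking approvals only closes the delegate path.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Transfer is a constructed, simplified transfer; not Solana's real format.
type Transfer struct {
	From, To  string
	Amount    uint64
	Signer    ed25519.PublicKey
	Signature []byte
}
// Account: owner key plus optional delegate (assumption: a simplified stand-in
// for an SPL token approval, not the real program logic).
type Account struct {
	Owner, Delegate ed25519.PublicKey // Delegate is nil once approvals are revoked
}
func (t *Transfer) message() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", t.From, t.To, t.Amount))
}
// Sign signs the transfer with whichever private key the caller holds.
func Sign(t *Transfer, priv ed25519.PrivateKey) {
	t.Signer = priv.Public().(ed25519.PublicKey)
	t.Signature = ed25519.Sign(priv, t.message())
}
// Authorize mimics on-chain checks: a valid signature from the owner or the
// current delegate. A validator cannot tell who is holding the owner key.
func Authorize(acct Account, t Transfer) bool {
	if !ed25519.Verify(t.Signer, t.message(), t.Signature) {
		return false
	}
	return t.Signer.Equal(acct.Owner) || (acct.Delegate != nil && t.Signer.Equal(acct.Delegate))
}

// Scenario: the user revokes all approvals, then both drain paths are tried.
// Returns whether the leaked-owner-key transfer and the delegate transfer authorize.
func Scenario() (ownerKeyDrain, delegateDrain bool) {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	delegatePub, delegatePriv, _ := ed25519.GenerateKey(nil)
	acct := Account{Owner: ownerPub, Delegate: delegatePub}
	acct.Delegate = nil // user revokes every outstanding approval
	leaked := Transfer{From: "victim", To: "attacker", Amount: 100}
	Sign(&leaked, ownerPriv) // attacker holds a copy of the owner's key
	ownerKeyDrain = Authorize(acct, leaked)
	viaDelegate := Transfer{From: "victim", To: "attacker", Amount: 100}
	Sign(&viaDelegate, delegatePriv) // attacker only had the now-revoked approval
	delegateDrain = Authorize(acct, viaDelegate)
	return
}
```

Because the leaked-key transfer is indistinguishable from a legitimate one at verification time, the defensive response the article quotes (treat the wallet as compromised and move funds to a fresh key, ideally a hardware wallet) is what actually helps.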

Solana spokesperson Chris Kraeuter declined to answer our questions but referred us to Solana’s Status Twitter account, which states that the issue does not appear to be a bug in Solana’s software “but in software used by several software wallets popular among users of the network.” The company added that its engineers “are currently working with multiple security researchers and ecosystem teams to identify the root cause of the exploit, which is unknown at this time.”

The Solana attack comes just hours after malicious actors abused a “chaotic” security exploit to steal almost $200 million in digital assets from cross-chain messaging protocol Nomad. The “free-for-all” attack, which saw more than 41 addresses drain $152 million — 80% of the stolen funds — was made possible by a recent update to one of Nomad’s smart contracts that made it easy for users to spoof transactions.

Updated with comments from Solana and Phantom