Twitter users are desperately trying to reveal the mechanics of attack on Solana wallets that resulted in millions of Solana and USDC worth at least $4 million stolen in a blink of an eye.
However, the mechanics of the attack is still unclear. The fact is that Solana private keys were massively compromised, and attackers stole both native tokens (SOL) and SPL tokens (USDC). Even accounts inactive for more than six months were found drained. The attack affected such widely used hot wallets, as Phantom, Slope, Trust Wallet.
This affects multiple wallets - Phantom, Slope, Solflare, TrustWallet - across a wide variety of platforms.
— OtterSec (@osec_io) August 3, 2022
FOR USERS, please move your assets to a hardware ledger or a centralized exchange.
According to blockchain auditors OtterSec, over 8,000 wallets have been compromised so far, and at least $5 million were stolen.
First of all, users suspected that it was Phantom wallet that contained some kind of vulnerability which allowed the attacker to sign transactions with users' private keys. However, not only Phantom wallets were compromised that means that the exploit was not exclusively on their side. The Phantom team said they did not believe that it was a Phantom-specific issue.
We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem. At this time, the team does not believe this is a Phantom-specific issue.
— Phantom (@phantom) August 3, 2022
As soon as we gather more information, we will issue an update.
Users were urged to revoke all permissions for trusted apps.
Another theory is that the attack might be an upstream dependency supply chain. And this means that approval revoking will probably not help. CEO Binance Changpeng Zhao urged users to transfer SOL to an offline hardware wallet or trusted centralized exchange (CEX). Just turing off your PC or smartphone, disconnecting it from the Internet, is also considered to be an option.
Why doesn't revoking approvals help? Because these SOL and SPL transfers are signed by the users themselves, not transferred away by a third party using approvals. So while you can revoke, it's likely something has caused widespread private key compromisehttps://t.co/8k3Zn46bTe
— foobar (@0xfoobar) August 3, 2022
Engineers from multiple ecosystems, with the help of several security firms, are investigating drained wallets on Solana. There is no evidence hardware wallets are impacted.
— Solana Status (@SolanaStatus) August 3, 2022
This thread will be updated as new information becomes available.
However, the problem can be larger than it seemed at the first sight. Several hours later after the attack was launched, software developer Stephen Lacy tweeted that he discovered "widespread malware attack" on GitHub affecting some 35,000 software repositories.
I am uncovering what seems to be a massive widespread malware attack on @github.
— Stephen Lacy (@stephenlacy) August 3, 2022
- Currently over 35k repositories are infected
- So far found in projects including: crypto, golang, python, js, bash, docker, k8s
- It is added to npm scripts, docker images and install docs pic.twitter.com/rq3CBDw3r9
In subsequent tweets, Lacy explained that these 35,000 repositories affected are not official ones, but forked copies, with these clones altered to include malware.
Solana exploit might occur due to weak cryptography in its original library. This suggestion was made by crypto engineer at Coinbase Patrick O'Grady. He supposed that the attack could be linked to a nonce reuse bug in some ed25519 signature library solana projects are using.
I wonder if there’s a nonce reuse bug in some ed25519 signature library solana projects are using.
— Patrick “The Faucet” O'Grady 🔺 (@_patrickogrady) August 3, 2022
I think this would allow any attacker looking at solana to derive the private key regardless of where it was generated.
Here’s an article that covers this: https://t.co/uZ63B9HWhd