Solana Wallet Hack: Here’s What We Know So Far

Update, August 3, 4:50 p.m. ET: Solana developers say they have identified the root cause of the hack: compromised private keys "created, imported, or used in Slope mobile wallet applications." Read the full details here.

Solana users far and wide last night were startled to find that their wallets were being drained of SOL, the USDC stablecoin, and other Solana-based tokenstokens in a widespread and ongoing hack. As of this writing, an estimated $4.46 million worth of coins and tokens have been nabbed so far.

According to blockchain explorer Solscan, the four identified attackers’ wallets have collectively attacked about 15,200 wallets, although there may be overlap between their targets. The official Solana Status account on Twitter pegged the tally at approximately 8,000 unique wallets as of earlier this morning.

As the attack apparently continues, the network’s core team and founder have started sharing theories on what’s happening. Per Solana Status, “engineers from across several ecosystems, in conjunction with audit and security firms, continue to investigate the root cause” of the attack.

“This does not appear to be a bug with Solana core code,” it added, “but in software used by several software wallets popular among users of the network.”

That theory comports with evolving sentiment last night and overnight by Solana developers and security experts. Initially, some thought that the exploit had to do with lingering permissions that users’ may have previously granted to a smart contract, and many platforms—such as top NFT marketplace Magic Eden—urged Solana users to revoke any permissions.

Solana, USDC Drained From Wallets in Attack

An unknown attacker drained thousands of wallets containing at least $4 million worth of Solana and USDC late Tuesday night. The hack, which was still ongoing at 8:00 PM PST, seemed to originate on the Solana browser wallet Phantom and was believed to compromise user keys—possibly involving seedphrases that were re-used among wallets on different chains “Over 5,000 Solana wallets have been drained in the past few hours,” blockchain audit firm OtterSec reported earlier in the evening. “These tran...

However, that didn’t appear to help since transactions were being signed, thus suggesting a compromise of users’ private keys. Instead, as the Solana Status update suggests, the prevailing theory now is that code within software-based wallet apps is being exploited in some manner to enable access to holders’ assets.

Solana co-founder and Solana Labs CEO Anatoly Yakovenko tweeted overnight that it “seems like an iOS supply chain attack,” suggesting that the issue pertained to wallets used on Apple’s iPhone and iPad devices. However, based on additional evidence, he added in a subsequent tweet that Android users are being affected, as well.

“All the confirmed stories so far have had the key imported or generated on mobile,” he wrote, noting that the majority of confirmed wallets were from Slope, with some from Phantom. Hardware wallets do not appear to be affected at all. Notable crypto investor Adam Cochran wrote this morning that he is “90% [sure] this is related to using Slope or importing into Slope.”

Asked by a user what Solana developers can do about this issue going forward, Yakovenko replied, “Fucking Apple and Google can give us secure signing and recovery in the device. F’ing hell.”

Slope’s Twitter account hasn’t tweeted since last night, when it wrote that the team was “actively working to sort out the issue.” Similarly, Phantom last tweeted yesterday evening with a similar message, but added that it did “not believe this is a Phantom-specific issue” at the time.

Blockchain security firm OtterSec has asked affected users to fill out a form with details of their wallet and activity. Yakovenko and other notable Solana developers have shared the same form in the hopes of amassing more data on the exploit.

The Solana network was at times inaccessible or difficult to use last night due to partial outages with RPC nodes that facilitate network traffic. Allegedly, the slowdown was due to the efforts of a user who attempted to slow or stop the attack by overwhelming the Solana network with transactions in a DDOS-like frenzy.

Solana (SOL) initially saw a significant price drop in the wake of last night's initial attacks, with the price dropping about 8% in a two-hour span. However, it has rebounded somewhat to a current price of just over $40 per coin, or about a 2% dip over the last 24 hours.