We’re starting to get answers about the large-scale Solana wallet hack that saw nearly $4.5 million worth of crypto swiped from several thousand users. But on Tuesday night, there was another interesting situation in the mix—one that saw some users try to fight back against the attackers through brute force.
During the initial hours of the hack—which is now being blamed on an exploit tied to the Slope mobile wallet—developers and security auditors congregated to try and figure out what was happening and how they might mitigate it. One unidentified developer apparently suggested a solution that could impede the attackers.
According to SolBlaze, the pseudonymous founder of a Solana staking pool of the same name, the developer proposed using a previously-created script that “would try and write-lock the attacker's accounts, slowing their transactions down.”
Essentially, any transaction that makes a change to an account on the Solana blockchain—such as a balance change—will put a brief write-lock on that account, explained Michael Hubbard, founder and managing director of Solana validator operator, Laine.
“The dev thought they could trigger constant write locks on the hacker’s accounts,” said Hubbard, “thereby preventing the hacker's transactions from executing successfully.”
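To make the mechanism Hubbard describes concrete, here is a simplified model of per-account locking, added as an illustration for this article; it is not Solana's real scheduler and not the script the developer shared. Each transaction declares the accounts it writes and the accounts it only reads; two transactions can run in the same parallel batch only if neither writes an account the other touches. Every account label (`attacker_wallet`, `victim0`, `alice0` and so on) and every transaction in it is constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Simplified model of Solana-style per-account locking (an illustration added
# here, not Solana's real runtime or the script mentioned in the article).
# A transaction declares which accounts it writes and which it only reads.
# Two transactions may share a parallel batch only if neither writes an
# account the other touches; otherwise the later one waits for a later batch.


@dataclass(frozen=True)
class Tx:
    name: str
    writes: frozenset[str]
    reads: frozenset[str] = frozenset()


def conflicts(a: Tx, b: Tx) -> bool:
    """True if a and b cannot share a batch: a write on one side overlaps any access on the other."""
    return bool(a.writes & (b.writes | b.reads)) or bool(b.writes & (a.writes | a.reads))


def schedule(txs: list[Tx]) -> list[list[str]]:
    """Assign transactions, in arrival order, to the earliest batch that comes after
    every batch holding a conflicting transaction. Returns batches of tx names."""
    batches: list[list[Tx]] = []
    for tx in txs:
        earliest = 0
        for i, batch in enumerate(batches):
            if any(conflicts(tx, other) for other in batch):
                earliest = i + 1
        if earliest == len(batches):
            batches.append([tx])
        else:
            batches[earliest].append(tx)
    return [[t.name for t in batch] for batch in batches]


ATTACKER = "attacker_wallet"  # hypothetical label, not a real address


def drain_txs(n: int) -> list[Tx]:
    # Each drain moves funds from one victim into the attacker's account: both are written.
    return [Tx(f"drain{i}", frozenset({f"victim{i}", ATTACKER})) for i in range(n)]


def bystander_txs(n: int) -> list[Tx]:
    # Ordinary transfers between unrelated users: no overlap with the attacker's account.
    return [Tx(f"transfer{i}", frozenset({f"alice{i}", f"bob{i}"})) for i in range(n)]


def spam_txs(n: int) -> list[Tx]:
    # The counter-measure: a transaction that does nothing but write-lock the attacker's account.
    return [Tx(f"spam{i}", frozenset({ATTACKER})) for i in range(n)]


def interleave(a: list[Tx], b: list[Tx]) -> list[Tx]:
    return [tx for pair in zip(a, b) for tx in pair]


def batches_needed(txs: list[Tx]) -> int:
    return len(schedule(txs))


def batch_of(txs: list[Tx], name: str) -> int:
    """Index of the batch in which the named transaction executes."""
    return next(i for i, batch in enumerate(schedule(txs)) if name in batch)


def demo() -> dict[str, int]:
    drains, bystanders, spam = drain_txs(5), bystander_txs(5), spam_txs(5)
    quiet = drains + bystanders                      # attacker draining, nobody interfering
    contested = interleave(spam, drains) + bystanders  # spam arriving between the drains
    return {
        "batches_without_spam": batches_needed(quiet),
        "batches_with_spam": batches_needed(contested),
        "last_drain_batch_without_spam": batch_of(quiet, "drain4"),
        "last_drain_batch_with_spam": batch_of(contested, "drain4"),
        "bystander_batch": batch_of(contested, "transfer0"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In this model the five drains already serialize among themselves, because each writes the attacker's account; interleaving five lock-holding spam transactions doubles the number of batches the attacker's last transfer has to wait through, while the unrelated transfers still land in the first batch. That is the effect SolBlaze and Hubbard describe, and it also shows that the collateral damage reported below came not from lock contention on the chain but from the RPC and explorer bug the malformed transactions triggered.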
Explorer RPCs hit an odd bug. A grey hat hacker tried to DoS the hacker's wallets and sent a flood of malformed txs. When users clicked into them on the explorer there was an explorer-specific parser bug and that RPC would crash.
An unknown number of white hat (or perhaps gray hat) hackers used the developer’s script to spam what Solana co-founder Anatoly Yakovenko has described as “malformed” transactions to the hackers’ accounts. It was similar to a distributed denial-of-service or DDoS attack.
SolBlaze believes that at least five to 10 users were involved in the spamming campaign, but the script was shared to a few hundred people—so it could have been more.
The technique may well have helped, at least in one way. SolBlaze said that only 300 wallets were affected by the draining exploit during the hour that the spam bots ran, as opposed to about 2,000 per hour beforehand. “We do have significant evidence that this spamming did slow down the hacker,” they said.
However, it caused a big problem too: RPC servers, the nodes through which wallets, explorers and other clients read chain state and submit transactions, started crashing as a result. Hubbard said this wasn’t an intentional move. Instead, the process unearthed a bug related to how RPC servers handle requests, which caused some servers to crash. Yakovenko tweeted that he created a patch to resolve the problem.
PLEASE DO NOT DDOS RPC SERVERS! IT ONLY MAKES IT HARDER FOR SOLANA AND DEVS TO DIAGNOSE THE ISSUE.
— SolBlaze.org | Stake with us! (@solblaze_org) August 3, 2022
With some RPC servers down, it became difficult for users to access the Solana network, and blockchain explorer tools struggled as well. That might have slowed down the attackers, but it impacted a lot of other people as well—including users who sought to transfer funds, and developers and security specialists trying to diagnose the attack.
“It was making it difficult to use explorers to track the attacker’s transactions, and also making it tough for people to move their funds from their wallet over to a more secure location,” SolBlaze told Decrypt. They said that representatives from Solana Labs and RPC providers asked people in their “war room” to stop spamming transactions at the attacker’s wallets.
The Solana Status page notes that the Solana blockchain itself remained online during the situation, but that some RPC nodes and explorer functionality were hindered. Even so, there were many mocking tweets about the stability of the Solana network, harkening back to past occasions when Solana actually did falter and crash.
lmao you can't make this up - some madlad started DoSing the hacker which caused the RPC nodes to start failing
“The FUD on Twitter was a bit overblown about the chain halting,” former Coinbase engineer and Helius co-founder Mert told Decrypt. “FUD” is an acronym for “fear, uncertainty, and doubt,” and is typically used to describe antagonistic criticism, or deliberate misinformation, from rivals in the crypto space.
Ultimately, the RPC servers were patched and came back online, and access issues around the Solana network ceased. Developers and security experts continued working to figure out the cause of the issues, and this afternoon, the Solana Foundation blamed an exploit tied to the mobile software wallet, Slope.
The DDoS-like transaction spamming caused some temporary collateral damage, despite the apparently constructive aims, but SolBlaze suggests that it was a beneficial campaign overall.
“We do believe that there was a net positive impact, though,” they said, “as the attacker was significantly hindered.”