"There appears to be a widespread vulnerability that can drain wallet assets across the entire Solana ecosystem." On the morning of August 3, this tweet from Magic Eden, an NFT marketplace in the Solana ecosystem, spread throughout the blockchain industry. A large-scale theft of user assets then unfolded in plain sight. According to tracking by multiple security companies, the number of stolen Solana wallets kept growing from 5,000. As of 1 p.m., assets had been stolen from approximately 7,767 wallets, and various crypto assets and NFTs had been transferred away.

Worryingly, although the industry is aware of the vulnerability, its source had not been found as of press time. In the meantime, hackers are still emptying users' wallets.

According to tracking by the SlowMist security team, about $580 million in crypto assets flowed to four attacker addresses. Because this was not an attack on a single protocol, it looked more like hackers had cracked the private keys of a large number of users. SlowMist speculates that the problem may lie in the software supply chain.

"Supply chain attack" is a new type of attack method. Attackers often intervene upstream or midstream, so that their malicious activity and its aftereffects spread downstream to more users. Compared with an isolated security vulnerability, a successful supply chain attack therefore causes larger losses and has a more far-reaching impact.

Some security experts speculate that the cause may be a vulnerability in a wallet used by the affected users, resulting in exposure of the private key. Solana Status, the official Solana team's status channel, has released a form to collect relevant information from users whose assets were stolen in order to analyze the vulnerability.

To avoid asset losses from similar incidents, security experts advise users to use hardware wallets and create a new mnemonic phrase.
Wallets that have problems or are at risk of private key leakage should be considered compromised and discarded.

Unknown vulnerability caused nearly 8,000 Solana wallets to be stolen

On August 3, a massive hacker attack swept the Solana public chain. According to a warning issued that morning by Magic Eden, the Solana ecosystem NFT marketplace, there seemed to be a widespread vulnerability that could drain wallet assets across the entire Solana ecosystem.

Soon after, the blockchain security audit team OtterSec disclosed that funds had been stolen from more than 5,000 Solana wallets in the past few hours. OtterSec's analysis showed that these transactions were signed by the actual owners, indicating a private key leak. The vulnerability may also affect ETH users.

The massive theft from Solana on-chain wallets quickly caused panic among users. The losses caused by this attack have not stopped yet, and users continue to be affected as the incident progresses.

At around 10:30 a.m. that day, Emin Gün Sirer, founder of the Avalanche public chain, observed that the attack on the Solana ecosystem was continuing and that the number of stolen wallets had increased to more than 7,000, "and was growing at a rate of 20 per minute."

[Image: Emin Gün Sirer's monitoring shows the number of stolen wallets continuing to increase]

Emin Gün Sirer also noticed the details of the transaction signatures and believed that the attacker may have gained access to the private keys.

If a large-scale private key leak has occurred, the funds in a user's wallet may be withdrawn by hackers at any time. In a panic, many users logged in to their wallets to transfer funds and avoid asset losses.

This large-scale hacker attack has put many Solana ecosystem projects on alert. The Move to Earn app STEPN issued a statement reminding users that if they have previously imported non-custodial wallets into STEPN from outside, or exported them, they need to check whether any assets are missing from those wallets.
Users should transfer assets out of the wallet in a timely manner or generate a new non-custodial wallet from the STEPN application.

Magic Eden also issued another reminder, advising users to create a new wallet with a new mnemonic and transfer all NFTs and liquid crypto assets to the new wallet. It is safer to put all assets in a cold wallet.

Since the characteristics of this theft point to private key leakage, wallet application providers in the Solana ecosystem have attracted much attention. According to feedback from many users whose wallets were stolen, most of them had used the Slope and Phantom wallets to generate their accounts. Some people initially suspected that a flaw at the wallet service provider had exposed users' private keys.

Phantom does not think this is a problem unique to its wallet. Its official announcement stated that it is temporarily unable to identify the vulnerability in the Solana ecosystem. "We are working closely with other teams and will release an update once we collect more information."

As of 1:00 p.m. on August 3, the source of the theft had not been found, and users continued to report asset thefts. According to the attack update released by Solana Status, the official development team of Solana, approximately 7,767 wallets were affected, and "engineers are currently working with multiple security researchers and ecosystem teams to determine the root cause of the vulnerability exploit."

Industry analysts suspect this attack is a "supply chain attack"

This large-scale attack is the first in the history of blockchain development. In the past, most hacker attacks focused on a single exchange, application protocol or cross-chain bridge, for example by taking advantage of a flaw in a certain on-chain protocol to "take away all the user funds in the protocol".
This time, the hacker cracked a large number of user private keys through unknown means and transferred user assets one by one.

According to the SlowMist security team's tracking of the incident, about $580 million in crypto assets flowed to four attacker addresses. "Many victims reported that they had used a variety of different wallets, mainly mobile wallets. We speculate that the problem may lie in the software supply chain."

Emin Gün Sirer also believes that one possible avenue is a supply chain attack, in which a JS library is hacked and users' private keys are stolen. "JS library" generally refers to packaged JavaScript functions that a program can call directly.

According to feedback from some affected users, the stolen wallets seem to have been created within the past 9 months, but there are also reports that newly created wallets were affected, so it is not possible to determine which software in the supply chain has a vulnerability.

Some users suggested using a transaction rollback to recover their assets, but some security experts said that this method was not applicable to this incident, "because it is impossible to tell which transactions were signed by the users themselves."

It is worth noting that although the attack affected a large number of users, and the Solana network also experienced freezes and some applications were interrupted, the operation of the underlying chain was not affected. Solana validator Laine posted that multiple Solana RPC nodes seemed to have stopped serving requests, which may have been caused by overload or may have been intentional, but the Solana blockchain was operating normally.

The information above points to a "supply chain attack" as the source of this security incident. This is a new type of attack method, especially in the field of Web3, which focuses on the mutual coupling of smart contracts.
Attackers often intervene upstream or midstream, so that their malicious activity and its aftereffects spread downstream to more users. Compared with isolated security vulnerabilities, successful supply chain attacks therefore bring larger losses and more far-reaching impacts.

On the afternoon of August 3, Solana Status released a form to collect relevant information from users whose assets were stolen in order to analyze the vulnerability.

[Image: Solana Status collects user information to analyze the reasons for the theft]

According to the latest news, Solana Labs co-founder Aeyakovenko revealed that the attack seems to be an attack on the iOS supply chain, in which several trusted wallets that had only received SOL and had no other interactions were affected. They had imported externally generated private keys into iOS. However, his speculation cannot be confirmed: "It's just that all the confirmed information is iOS devices, but it may also be because of its popularity."

More details about the massive Solana theft and its causes have yet to be analyzed and disclosed by the security teams.

It is worth noting that the "supply chain attack" method seems to have begun to penetrate the blockchain field. When users use on-chain applications, their private keys may leak because of vulnerabilities in basic Web2 programs such as crypto wallets and input methods.

To avoid asset losses from similar incidents, security experts advise users to use hardware wallets and create a new mnemonic. Wallets that have problems or are at risk of private key leakage should be considered compromised and discarded.