Thousands of Solana wallets drained in attack using unknown exploit

An overnight attack on the Solana blockchain platform drained thousands of software wallets of cryptocurrency worth millions of U.S. dollars.

The platform has started an investigation and is currently trying to determine how the malicious actors managed to drain the funds.

In a statement today, Solana said that at 5 AM UTC the attack impacted more than 7,700 wallets, including Slope and Phantom. According to public reports, Solflare and Trust Wallet users have also been affected.

solana update

A more recent count (about an hour ago) from blockchain analysis provider Elliptic puts the number of impacted wallets closer to 7,936 and the losses to $5.2 million in cryptoassets (SOL, NFTs, more than 300 Solana-based tokens).

Solana says that wallets impacted in this attack should be considered compromised and should be abandoned for the hardware variant – cold wallets, which appear to remain unaffected. The advice for this move is to not reuse the seed phrase and create a new one for the hardware wallet.

For those without a cold wallet, transferring all assets to a trustworthy centralized exchange would be a good alternative to secure the assets from the attackers.

Signed transactions

While there is no definitive answer at the moment about how the wallets were drained, multiple voices leaning towards a vulnerability in the wallet software.

“The root cause is still not clear, but it appears to be due to a flaw in certain wallet software – rather than in the Solana blockchain itself” – Elliptic

One clue that emerged from the attack is that the money-siphoning transactions are signed by the rightful owners, which points to a private key compromise.

Signed transactions

This is why revoking third-party approvals will probably not help stop the attack in this case, but it’s still a recommended action.

According to various blockchain security experts, the method used to gain access to such a large number of private keys could be a supply chain attack, a browser zero-day flaw, or a faulty random number generator used in the key generation process.

Another explanation could be a nonce reuse bug, which would enable the threat actors to recover people’s secret keys, as long as a signature and the nonce have been publicly exposed.

nonce reuse tweet

This is all speculation for now and users should follow the currently recommended mitigation steps.

As such incidents are likely to happen again, it’s good practice not to keep the entire cryptocurrency funds in a hot wallet and only use it for storing smaller amounts used in transactions. The better part of the assets should be placed into a cold wallet, which is disconnected from the internet and third-party services.

Source: www.bleepingcomputer.com