【Dynamic Attention】A Mysterious Solana Security Incident

ChainCatcher Selection
2022-08-03 20:16:25
Since the exposure of large-scale wallet theft, the Solana network security incident has been ongoing for nearly 3 days...

Organizer: Nianqing, Chain Catcher

In the early morning of August 3rd, Beijing time, Solana was reported to have suffered a large-scale security incident. As of the time of writing, over 9,000 wallets have been affected, the identity of the attacker remains unknown, and the vulnerability is still unclear. Wallets on Solana continue to be drained. This theft is currently the largest security incident affecting the crypto industry. Despite the involvement of several well-known developers and engineers, the cause of the theft has yet to be determined, which makes the case quite perplexing. Chain Catcher once again reminds all users to pay attention to the security of their funds.

This article will be updated in reverse chronological order with the latest developments regarding Solana, so please stay tuned.

1. Real-time data links:

  1. Number of stolen wallet addresses: 9224

  2. Amount stolen: $5,927,974

  3. Hacker wallet addresses:

https://solscan.io/account/Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV

https://solscan.io/account/CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu

https://solscan.io/account/GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy

https://solscan.io/account/5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3n

  4. Summary of relevant data on Solana vulnerabilities from Solscan:

https://beta-analysis.solscan.io/public/dashboard/ffaf8155-1d6f-4ec7-96db-2e8e8bc5c160#theme=night

2. Latest developments

August 4

15:58

Solana wallet Slope stated on Twitter that, following the vulnerability discovered by OtterSec, it has deleted the server-side log records, and that approximately 15% of the 9223 affected wallets (1444) had their assets stolen. Users are reminded to switch to new mnemonic phrases. (Source link)

15:05

Solana auditing firm OtterSec stated on Twitter that it has independently confirmed that Slope's mobile application sends mnemonics to its centralized Sentry server over TLS. These mnemonics are then stored in plaintext, meaning anyone with access to Sentry can read users' private keys. There are about 1,400 exploited addresses in the Sentry logs. It is worth noting that this does not mean all hacked addresses are included; OtterSec added that it is still investigating this discrepancy and other possible vectors. (Source link)

10:14

SlowMist released an analysis of the Solana attack today, indicating that a preliminary screening found that 30% of the affected users lost funds through a private key leak in Slope Wallet (Android, Version: 2.2.2). 60% of the affected users were using Phantom wallets, and the reason for their theft remains undetermined. SlowMist stated that anyone with ideas is welcome to discuss them together, hoping to contribute to the Solana ecosystem. The specific questions are:

  1. Is the behavior of Sentry's service collecting user wallet mnemonics a common security issue?

  2. Since Phantom uses Sentry, will Phantom wallets be affected?

  3. What is the reason for the hacking of the other 60% of stolen users?

  4. As Sentry is a widely used service, could Sentry itself have suffered an intrusion, leading to a targeted attack on the cryptocurrency ecosystem? (Source link)
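One defensive control a wallet team could apply against the Sentry leak confirmed by OtterSec and questioned by SlowMist above, as an added example in JavaScript (not code from Slope, Phantom, Sentry or this page): a beforeSend hook that scrubs mnemonics and secret keys from telemetry before it leaves the device. The secret field names and the phrase and base58-key patterns are constructed heuristics, not Sentry's own rules.

```javascript
// Added example, not code from the page, Slope, Phantom or Sentry: a beforeSend-style
// scrubber that removes wallet secrets from an error-reporting event before it leaves
// the device. Sentry's JS SDK calls the beforeSend(event) hook and discards the event
// when it returns null; the secret-detection rules below are constructed heuristics.

// Field names that are secret regardless of their content.
const SECRET_KEYS = /^(mnemonic|seed(phrase)?|private_?key|secret_?key|keypair)$/i;

// Heuristic for a BIP39 phrase: lowercase words of 3-8 letters separated by single spaces.
const PHRASE_RE = /^(?:[a-z]{3,8} ){11,23}[a-z]{3,8}$/;
const PHRASE_LENGTHS = [12, 15, 18, 21, 24];

// Heuristic for a base58-encoded 64-byte Solana secret key (87 or 88 characters).
const BASE58_KEY_RE = /^[1-9A-HJ-NP-Za-km-z]{87,88}$/;

function looksSecret(value) {
  if (typeof value !== 'string') return false;
  const s = value.trim();
  const wordCount = s.split(' ').length;
  return (PHRASE_LENGTHS.includes(wordCount) && PHRASE_RE.test(s)) || BASE58_KEY_RE.test(s);
}

// Walk the event in place; redact secret field names and secret-looking strings.
// Returns the number of redactions so the caller can alert when it is non-zero.
function scrubSecrets(node) {
  let count = 0;
  if (Array.isArray(node)) {
    node.forEach((v, i) => {
      if (looksSecret(v)) { node[i] = '[REDACTED]'; count += 1; }
      else count += scrubSecrets(v);
    });
  } else if (node && typeof node === 'object') {
    for (const key of Object.keys(node)) {
      const v = node[key];
      if (SECRET_KEYS.test(key) || looksSecret(v)) { node[key] = '[REDACTED]'; count += 1; }
      else count += scrubSecrets(v);
    }
  }
  return count;
}

// Hook for Sentry.init({ beforeSend }): scrub, then drop the whole event if anything
// was redacted, because an event that carried a secret is itself evidence of a leak path
// that should be fixed at the source rather than reported to a third-party server.
function beforeSend(event) {
  return scrubSecrets(event) > 0 ? null : event;
}
```

Dropping the event rather than only redacting it also gives the team a local signal (the non-zero count) that some code path is still handing secrets to the logger.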

4:05

Solana Status stated on Twitter that, after an investigation by developers, ecosystem teams, and security auditors, the affected addresses appear to have been created, imported, or used in the Slope wallet application. Solana Status indicated that specific details are still under investigation, and that the cause may be private key information being inadvertently transmitted to an application monitoring service. Slope confirmed that some Slope wallets were attacked in this incident, but the specific cause has not been determined. (Source link)

3:52

Solana ecosystem wallet Phantom tweeted, "The vulnerability in this Solana attack incident is believed to be caused by the complexity of importing and exporting accounts during interactions with Slope," and suggested Phantom users install a new wallet other than Slope and create new mnemonic phrases. (Source link)

August 3

16:24

Solana Labs co-founder @aeyakovenko tweeted that, according to analysis, this attack appears to have targeted the iOS supply chain, affecting several trusted wallets that only received SOL and had no other interactions, as they imported externally generated private keys into iOS. He also stated that all confirmed information is from iOS devices, "but it may also be due to its popularity." (Source link)

14:51

Solana Status is collecting information from attacked users to confirm the root cause. If your wallet has been stolen, you can fill out this link: https://solanafoundation.typeform.com/to/Rxm8STIT?typeform-source=t.co.

12:19

Software and blockchain company Laine tweeted that RPC nodes are currently restoring services, and validators are operating normally, stating that the previous suspension of RPC nodes was to slow down the attackers.

Laine previously tweeted, "Several RPC nodes on Solana seem to have stopped service requests, possibly due to overload or intentional actions. This will not affect the underlying chain in any way; the Solana blockchain is operating normally. Users' wallets or browsers may not load now, but the blockchain is running normally." (Source link)

11:57

Software and blockchain company Laine tweeted that several RPC nodes on Solana seem to have stopped service requests, possibly due to overload or intentional actions. This will not affect the underlying chain in any way; the Solana blockchain is operating normally. Users' wallets or browsers may not load now, but the blockchain is running normally. (Source link)

Meanwhile, many users reported that Solana blockchain explorers like Solscan and SolanaFM are not functioning properly.

10:39

Solana Status posted on social media that the vulnerability allows malicious actors to steal funds from multiple Solana wallets. As of 5 AM UTC (1 PM Beijing time), approximately 7767 wallets have been affected. The exploit affects multiple wallets, including Slope and Phantom, and both mobile and plugin wallets seem to be impacted.

The root cause of the exploit is still unclear, but engineers are collaborating with multiple security research and ecosystem teams. Currently there is no evidence that hardware wallets are affected, and users are strongly advised to move to a hardware wallet and not to reuse an existing mnemonic on it: generate a new mnemonic, and treat any wallet that has been drained as compromised and abandon it. (Source link)

10:32

Professor Emin Gün Sirer of Avalanche posted on his personal social media that, during the ongoing attack on the Solana ecosystem, over 7000 wallets have been affected, and the number is growing at a rate of 20 per minute. He stated that it is still early and the attack is ongoing, so there is a lot of misinformation and speculation.

Since the transaction signatures are correct, it is likely that the attackers have gained access to the private keys. One possible avenue is a "supply chain attack," where a JS library is hacked and leaks (steals) users' private keys. The affected wallets seem to have been created in the past 9 months, but there are also reports that newly created wallets are also affected. However, stopping the Solana network would be ineffective, as the attack would resume when the network is restored. (Source link)

Around 9:00

Developer @0xfoobar tweeted that wallets inactive for over 6 months were hit the hardest, with both Phantom and Slope wallets experiencing fund theft. The cause of the exploit is unknown; it may be an upstream dependency supply chain attack. Revoking approvals may be futile; the solution is to transfer assets to wallets that have never exposed private keys to potentially vulnerable browser extensions, i.e., hardware wallets. (Source link)

8:50

Solana auditing firm OtterSec tweeted that over 5000 Solana wallets have had funds stolen in the past few hours. OtterSec's analysis shows that these transactions were signed by the actual owners, indicating a private key leak. The exploit may also affect ETH users. (Source link)

8:32

Phantom responded on its official Twitter: We are working closely with other teams to identify the reported vulnerabilities in the Solana ecosystem. Currently, the team does not believe this is a Phantom-specific issue. We will release updates once we gather more information. (Source link)

Around 8:00

Decaf developer @JuanRdBO and other developers found after inspecting the code that this security incident may be related to Phantom, the largest wallet in the Solana ecosystem, stating that this is not an issue about "trusted applications." If users have interacted with DeJBGdMFa1uynnnKiwrVioatTuHmNLpyFKnmB5kaFdzQ (which Phantom interacts with when creating wallets), their wallets would be compromised. (Source link)

Around 7:00

Magic Eden's official Twitter stated that there seems to be a widespread SOL vulnerability that can deplete the entire ecosystem's wallet assets. Magic Eden reminded users to take the following steps to protect their personal assets: Go to the Phantom wallet settings page; click on Trusted Apps; revoke permissions for any suspicious links. (Source link)
