Solana-based wallets have come under a widespread exploit after several users complained that their funds were being drained without their consent. While the exact number of affected wallets is unknown at the time of this post, independent investigators put the amount to be over 7000.
As per reports, the attack mainly targeted internet-connected “hot” wallets including Phantom, Slope, and Trust Wallet. Initial sources put the stolen funds to at least $5 million worth of SOL and other tokens.
According to crypto analyst and author @0xfoobar, the attacker is stealing both native tokens [SOL] and SPL tokens [USDC] and those particular wallets that have been inactive for more than 6 months.
Computer scientist and CEO of Ava Labs Emin Gün Sirer tweeted that the hacker has likely gained illegal access to private keys as the transactions were signed properly.
One expert flagged the attack as a possible nonce reuse bug in some signature library Solana projects. ” …this would allow any attacker looking at Solana to derive the private key regardless of where it was generated”, he added.
Nonce which stands for “number used once” implies that one is not supposed to reuse this number for different messages. Since the nonce used is always the same, a malicious actor can impersonate a trusted party by intercepting and recovering the authentication key.
Solana Price Drop By 10% In Response To The Attack
“We are evaluating the incident impacting Solana wallets and are working closely with other teams in the ecosystem to get to the bottom of this. We will issue an update once we gather more information,” a representative of Phantom said. “The team doesn’t believe this is a Phantom-specific issue at this time.”
The incident has caused SOL’s price to fall back by 10% within a few hours of the reports according to CoinMarketCap.
That said, DeFi protocol code auditor Foobar advised that the solution is to transfer assets into a hardware wallet that has never exposed a private key to potentially vulnerable browser extensions.
“Several have pointed out that transferring assets to a reliable CEX is another holdover strategy if you don’t have a hardware wallet. This is most approachable for less experienced users.”
