Coins by Cryptorank

What we learned about Solana’s hack (and how not to get into such a mess)

Igor Grigorchenko

News editor

Aug 4, 2022 at 06:39

It’s time to tell you what really happened to Solana and what the final results of the investigation are on the cause of the hack. I will also give you some handy tips to prevent you from getting into this unpleasant situation.


Intro

We’re going through some dull days. Some days, we write that Solana is not working, and on others, we come out with headlines that it is up and running again. Nothing seemed to predict disruption to our stable routine. But on Monday, something terrifying happened — Solana got hacked (by someone sneakily catching the moment when the blockchain was working).

The market is just as freaked out as we are; no one expected such a turn of events.


But it’s not all that simple. You know Solana is the god of mess, so even with the hacking, things here are incredibly confusing, ambiguous and controversial. Some say Solana was finally hacked at the blockchain level, and the network is dead, and some say it wasn’t — it was broken just a little bit, but otherwise, it’s okay.

We did our own investigation, and it wasn’t easy. 

Key takeaways

You can read the first news about the incident in our review; below in this article, I used the following sources: an official thread from Solana, a thread from security researcher Adam Cochran, and a thread from another blockchain security researcher calling himself “CIA Officer.”

Here are the main insights and conclusions from the events (you can find even more details at the source links above):

  • In total, about 9,000 users were affected by the attack.
  • Hackers used four addresses for the attack, each of which was funded from one wallet; the funds to the main wallet came from Binance 10 minutes before the attack began.
  • Solana developers claim that there are no errors in the main blockchain code. A single third-party application was the cause of all these users being hacked.
  • The auditors stated that the hacking problem was related to the rather popular Slope wallet.
  • The hackers most likely compromised every seed phrase that was ever entered into Slope. Even users who then used that phrase through Trust Wallet or Phantom, but had previously entered or tested it in Slope, got hit.

The official Solana Foundation conclusion sums it up this way:

After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications.

This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure. While the details of exactly how this occurred are still under investigation, private key information was inadvertently transmitted to an application monitoring service.

There is no evidence the Solana protocol or its cryptography was compromised.
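To make the failure mode in the Foundation's statement concrete, here is an added example, not code from Slope or from this article: an error report that attaches the whole wallet state (the weak pattern) next to a scrubber that redacts seed phrases and secret keys before anything reaches a monitoring service. The field names, regexes and the sample wallet state are assumptions made for this demo.

```javascript
// Added illustration (not Slope's code): how a wallet can leak secrets through
// an error/telemetry pipeline, and a scrubber that strips them before sending.
// Field names, patterns and the sample state are constructed for this demo.

const SECRET_KEYS = /^(mnemonic|seed|seedPhrase|privateKey|secretKey|keypair)$/i;
// A BIP-39 style phrase: 12 or 24 lowercase words separated by single spaces.
const MNEMONIC_RE = /^(?:[a-z]{3,8} ){11}[a-z]{3,8}$|^(?:[a-z]{3,8} ){23}[a-z]{3,8}$/;
// A 64-byte secret key exported as base58 is roughly 86-88 characters long.
const BASE58_SECRET_RE = /^[1-9A-HJ-NP-Za-km-z]{85,90}$/;

function looksLikeSecret(value) {
  return typeof value === "string" &&
    (MNEMONIC_RE.test(value) || BASE58_SECRET_RE.test(value));
}

// Recursively copy an event, replacing sensitive fields and values with a marker.
function scrubTelemetryEvent(node) {
  if (Array.isArray(node)) return node.map((item) => scrubTelemetryEvent(item));
  if (node && typeof node === "object") {
    const out = {};
    for (const [k, v] of Object.entries(node)) {
      out[k] = SECRET_KEYS.test(k) || looksLikeSecret(v) ? "[REDACTED]" : scrubTelemetryEvent(v);
    }
    return out;
  }
  return looksLikeSecret(node) ? "[REDACTED]" : node;
}

// Weak pattern: the entire wallet state, secrets included, rides along with an error report.
function buildUnsafeReport(walletState, err) {
  return { message: err.message, extra: walletState };
}

// Corrected pattern: scrub the event before handing it to the monitoring SDK
// (for example in the SDK's pre-send hook, if it offers one).
function buildSafeReport(walletState, err) {
  return scrubTelemetryEvent(buildUnsafeReport(walletState, err));
}

// Constructed sample wallet state; the phrase is an obviously fake 12-word one.
const sampleState = {
  publicKey: "ExamplePubKey1111111111111111111111111111111",
  mnemonic: "apple banana cherry delta eagle falcon grape hotel india juliet kilo lima",
  nested: {
    note: "sync failed",
    exported: "apple banana cherry delta eagle falcon grape hotel india juliet kilo lima",
  },
};
```

The scrubber catches both the obviously named `mnemonic` field and a phrase hiding under an innocent key like `exported`, while leaving the public key and the error message intact.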

The extent of the loss

Let’s hope this is the final result of the investigation. If it is true, then the panic about Solana being hacked is greatly overstated, and only individual users of the third-party app were affected. Nevertheless, of course, no one will return the stolen money.

According to preliminary estimates by Solscan tracker experts, the attackers gained access to the wallets of almost 9000 crypto users and stole USDC, SOL and several other altcoins worth just over $5 million.

A few important tips

What conclusions can be drawn from this story? What advice can be given to avoid getting into the same situation in the future? 

Obviously, in most cases the problem lies not on the blockchain and cryptography side but on the client side, where the human factor comes into play. This is the bottleneck where all your attention and diligence should be directed.

Anatoly Yakovenko, the co-founder of Solana Foundation, gave two essential tips on how to avoid losing digital assets in similar incidents:

  • He recommended that all clients of the Slope service immediately generate a new seed phrase on any other platform.
  • Yakovenko urged potential hack victims to use two crypto wallets, a cold one and a hot one. The case showed that cold wallets connected to the vulnerable Slope were not affected.

Let’s also add a third important piece of advice given by a member of the Solana community.

You should, as far as possible, only use verified wallets and applications built from open source code. In particular, he gives a dangerous illustrative example where the private key is hardcoded into the code of the wallet itself, which was most likely the reason for the massive hack in the Slope case:
