
Scalability, Speed Or Security? Nearly 8000 Wallets Drained In Solana Ecosystem Exploit - The Crypto Basic

thecryptobasic.com, 03 August 2022 03:25 UTC

Do we need more scalability and speed rather than security, as the Solana ecosystem is under attack again?


In a tweet earlier today, Magic Eden confirmed that there is an exploit draining wallets on the Solana ecosystem. At the time of writing, data from Dune shows that over 7,700 addresses have been affected, as pundits estimate that at least $5 million in crypto assets have been lost.

🚨🚨🚨There seems to be a widespread SOL exploit at play that's draining wallets throughout the ecosystem

Here's what you can do right now to best protect yourself
1. Go to >Settings on your @phantom wallet
2. >Trusted Apps
3. >Revoke Permissions for any suspicious links

💜

— Magic Eden 🪄 (@MagicEden) August 3, 2022

While the vulnerability causing the exploit remains unknown, Binance’s Changpeng Zhao and other pundits have confirmed that the exploit does not seem to be affecting cold wallets or central exchanges. Users have been advised that disabling permissions granted to suspicious links in their wallets may not be enough, and have instead been encouraged to move their assets to cold wallets or central exchanges.

There is an active security incident on Solana. Many (7000+ and counting) wallets are drained of SOL & USDC. Don't know root cause yet. Maybe permissions granted to apps. For remediation, send the funds to a cold wallet or CEX like @Binance. https://t.co/nQrBXAgCbf

— CZ 🔶 Binance (@cz_binance) August 3, 2022

The information available shows that the attackers have somehow managed to gain access to the seed phrases of users. At the time of writing, the most popular theory is one suggested by Ava Labs CEO Emin Gün Sirer. According to Sirer, the exploit is likely a supply chain attack, as he suggests a JavaScript library may have been compromised.

One possible route is a "supply chain attack" where a JS library is hacked, and it exfiltrates (steals) users' private keys. Affected wallets seem to have been created in the last ~9 months, but there are reports of freshly created wallets also being affected.

— Emin Gün Sirer🔺 (@el33th4xor) August 3, 2022

Meanwhile, Adam Cochran reports that most victims appear to be iOS users, with most of their wallet interactions on mobile. Users of the Phantom and Slope wallets also appear to be the most affected.

1/3

Spoke with a user who was hacked on both Solana and Ethereum:

-Used iOS
-Wallets were TrustWallet and Slope
-ERC20's were stolen to: 0xc611952D81E4ECbd17c8f963123DeC5D7BCe1c27
-ETH side was TrustWallet
-Assets were taken at the same time

— Adam Cochran (adamscochran.eth) (@adamscochran) August 3, 2022

While there have been reports of a similar issue on Ethereum, these are very few, and it only appears to be the case when seed phrases are shared with Slope.

On-chain sleuth CIA Officer reports that the amount of stolen SOL per minute appears to be slowing down from 1K SOL per minute to less than 1 SOL per minute. Notably, not only SOL has been drained from the affected wallets but also stablecoins like USDC and USDT and assets like Bitcoin and Ethereum.

amount of sol stolen per minute going down. started at ~1kSOL/minute, now at <1 SOL/minute: https://t.co/D90uCXh1Hl

— CIA Officer (@officer_cia) August 3, 2022

Notably, a network validator has launched a DDoS attack on the network in an attempt to slow down the attacker.

according to solana validator discord, Jito is responsible for the network ddosing to slow down attacker and bringing down solana rpc in the process

— CIA Officer (@officer_cia) August 3, 2022

Solana Status reports that engineers are currently working together to get to the root cause of the exploit as the community awaits further updates.

Engineers are currently working with multiple security researchers and ecosystem teams to identify the root cause of the exploit, which is unknown at this time.

— Solana Status (@SolanaStatus) August 3, 2022

Solana, in recent years, has grown to become one of the most popular altcoins, sometimes even dubbed an “Ethereum killer.” However, in recent months, the network has been plagued by several outages and slowdowns. Consequently, it has attracted mockery from the likes of Cardano chief Charles Hoskinson.
