How Solana Vigilantes Battled Back Against the Wallet Hacker
We’re starting to get answers about the large-scale Solana wallet hack that saw nearly $4.5 million worth of crypto being swiped from several thousand total users. But on Tuesday night, there was another interesting situation in the mix—one that saw some users try to fight back against attackers through brute force.
During the initial hours of the hack—which is now being blamed on an exploit tied to the Slope mobile wallet—developers and security auditors congregated to try and figure out what was happening and how they might mitigate it. One unidentified developer apparently suggested a solution that could impede the attackers.
According to SolBlaze, the pseudonymous founder of a Solana staking pool of the same name, the developer proposed using a previously-created script that “would try and write-lock the attacker's accounts, slowing their transactions down.”
Essentially, any transaction that makes a change to an account on the Solana blockchain—such as a balance change—will put a brief write-lock on that account, explained Michael Hubbard, founder and managing director of Solana validator operator, Laine.
“The dev thought they could trigger constant write locks on the hacker’s accounts,” said Hubbard, “thereby preventing the hacker's transactions from executing successfully.”
Explorer rpcs hit an odd bug. A grey hat hacker tried to dos the hackers wallets and sent a flood of malformed txs. When users clicked into them on the explorer there was an explorer specific parser bug and that rpc would crash.
— SMS T◎ly, 🇺🇸 (@aeyakovenko) August 3, 2022
An unknown number of white hat (or perhaps gray hat) hackers used the developer’s script to spam what Solana co-founder Anatoly Yakovenko has described as “malformed” transactions to the hackers’ accounts. It was similar to a distributed denial-of-service or DDoS attack.
SolBlaze believes that at least five to 10 users were involved in the spamming campaign, but the script was shared to a few hundred people—so it could have been more.
The technique may well have helped, at least in one way. SolBlaze said that only 300 wallets were affected by the draining exploit during the hour that the spam bots ran, as opposed to about 2,000 per hour beforehand. “We do have significant evidence that this spamming did slow down the hacker,” they said.
However, it caused a big problem too: RPC servers, which facilitate network traffic, started crashing as a result. Hubbard said this wasn’t an intentional move. Instead, the process unearthed a bug related to how RPC servers handle requests, which caused some servers to crash. Yakovenko tweeted that he created a patch to resolve the problem.
PLEASE DO NOT DDOS RPC SERVERS! IT ONLY MAKES IT HARDER FOR SOLANA AND DEVS TO DIAGNOSE THE ISSUE.
— SolBlaze.org | Stake with us! (@solblaze_org) August 3, 2022
With some RPC servers down, it became difficult for users to access the Solana network, and blockchain explorer tools struggled as well. That might have slowed down the attackers, but it impacted a lot of other people as well—including users who sought to transfer funds, and developers and security specialists trying to diagnose the attack.
“It was making it difficult to use explorers to track the attacker’s transactions, and also making it tough for people to move their funds from their wallet over to a more secure location,” SolBlaze told Decrypt. They said that representatives from Solana Labs and RPC providers asked people in their “war room” to stop spamming transactions at the attacker’s wallets.
The Solana Status page notes that the Solana blockchain itself remained online during the situation, but that some RPC nodes and explorer functionality were hindered. Even so, there were many mocking tweets about the stability of the Solana network, harkening back to past occasions when Solana actually did falter and crash.
lmao you can't make this up - some madlad started DOSing the hacker which caused the RPC nodes to start failing
FYI - the chain is fine pic.twitter.com/AzbEvFLft4
— mert | Helius ☀ (@0xMert_) August 3, 2022
“The FUD on Twitter was a bit overblown about the chain halting,” former Coinbase engineer and Helius co-founder Mert told Decrypt. “FUD” is an acronym for “fear, uncertainty, and doubt,” and is typically used to describe antagonistic criticism, or deliberate misinformation, from rivals in the crypto space.
Ultimately, the RPC servers were patched and came back online, and access issues around the Solana network ceased. Developers and security experts continued working to figure out the cause of the issues, and this afternoon, the Solana Foundation blamed an exploit tied to the mobile software wallet, Slope.
The DDoS-like transaction spamming caused some temporary collateral damage, despite the apparently constructive aims, but SolBlaze suggests that it was a beneficial campaign overall.
“We do believe that there was a net positive impact, though,” they said, “as the attacker was significantly hindered.”
Back to the list