Last week over 8,000 Solana wallets were hacked, which resulted in a total loss of over $6 million. Hackers transferred SOL, USDC, and NFTs from victim’s wallets over the course of two days. The attackers had access to the crypto private keys of the Solana accounts which enabled them to take full control over all funds in the wallets.
Initial reports suggested that Slope and Phantom wallets had been affected. According to blockchain explorer Solscan, the attackers sent millions of dollars to four different Solana wallet addresses. Several of the victims’ accounts had been dormant for months, so many victims were shocked to learn that their crypto funds had been compromised.
Confusion was widespread at the initial stage of the event, and some believed that the hack was a result of a bug in the Solana code or a cryptography hack. “This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network,” said SolanaStatus in a tweet the following morning.
A collective effort of Solana Labs, security researchers, and hacking victims worked together to identify the cause. Eventually it was discovered that the source of the hack was Slope wallet, which had leaked user private keys in clear text to its backend servers. Blockchain security firm OtterSec discovered that the hacker got access to the Slope centralized Sentry server, where all the users’ seed phrases were stored in plain text.
“Over $4M was drained from Solana wallets over the past 2 days. We’ve been working directly with @solana and @slope_finance to investigate,” OtterSec tweeted.
Slope said in a statement that a cohort of Slope wallets were compromised in the breach, advising users to create “a new and unique seed phrase wallet, and transfer all assets to this new wallet.”Hardware wallets have been unaffected by the hack because the hardware wallets isolate the private keys from user devices.
Phantom wallet users affected by the hack had at some point used Slope wallet, which leaked their wallet information to the attackers. Phantom wallet was not hacked.
The attackers had funded their four Solana wallets from Binance several months ago. Binance is a custodial wallet that collects information from its users. The identity of the attackers is currently unknown, but the the Binance evidence trail may provide authorities more clues.
Solana’s native token SOL underperformed other cryptocurrencies during the hacking incident as users panicked. The cryptocurrency recovered to its prior trading level after the source of the hack had been identified as Slope wallet.
