On August 2, 2022, the Solana ecosystem was hit by an attack that affected 8,000 wallets and drained them of more than $5 million in SOL and SPL tokens.
Your wallet can be compromised if you sign a malicious transaction or expose your private keys. Therefore, all you need to do to protect yourself is to keep your keys safe and avoid signing sketchy transactions. Seems easy enough, right? Wrong.
Crypto scams involving wallet hacks and drains use a range of techniques, including social engineering. The recurring theme is to goad people into connecting their wallets to malicious sites, protocols and dApps, and into signing transactions.
In cases where the target cannot be made to sign a transaction, the next line of attack is to gain access to their private keys. Your private keys are compromised whenever a third party can read them, for instance if you store them on your device or in any electronic format.
Solana itself was not hacked, and it remains a secure blockchain. The name "Solana Hack" is a misnomer for the compromise of 8,000 wallets, which led to a loss of funds of about $5 million. Once it became apparent that a hack was ongoing, the community was advised to revoke all trusted connections made to any protocols. However, this didn't stop the hack.
Most of the drained wallets had never signed a transaction, so a malicious transaction is ruled out. A preliminary investigation showed that the wallets were sending out the funds by themselves.
The next thing to consider is a leak of private keys. It seems almost implausible that all of those wallets had their keys leaked and that an attack was launched against them simultaneously. It would be understandable if an organization using a centralized database had suffered a breach, but these were random users with seemingly no link between them.
Due to the nature of the blockchain and how non-custodial wallets are created, no entity should have access to your keys unless you were careless with them.
A non-custodial wallet is created on your device, and the information is never sent to a server. When a non-custodial wallet is created, the keys are randomly generated, and there is no way to work backwards from an address to the key that controls it. I don't want to get into the technical details, but a key can't be generated from an address.
Since the hack wasn't caused by signing a malicious transaction, it is evident that it was a leak of keys. The question now is how the keys were leaked. Private keys can be leaked in a myriad of ways, such as:
But in an unexpected turn, it was revealed that the breach was caused by a wallet provider called Slope Wallet. An investigation by security auditors and developers revealed that private keys were transmitted to an application monitoring service, and that the affected wallets had all been either created in or imported into Slope Wallet.
Slope Wallet logged wallet seed phrases to its servers, which shouldn't be possible for a non-custodial wallet since the wallet is created on your device. Perhaps this was careless code that let them read and log the information, or perhaps it was by design. Because the keys were logged, the attacker was able to get hold of them by breaching Slope's database. Slope Wallet is supposedly a non-custodial wallet service provider, and a leak like this raises questions about security and privacy in general.
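The defensive counterpart of the logging failure described above, as an added example that is not Slope's code: a telemetry scrubber that redacts seed phrases and base58-encoded secret keys from an error report before it leaves the device. The field names, regex heuristics and sample event are constructed assumptions, not anything from Slope's app.

```python
import re

# Field names that must never reach a monitoring backend (assumed names).
DENYLIST_KEYS = {"mnemonic", "seed", "seed_phrase", "secret_key", "secretkey", "private_key", "keypair"}
# 12 or 24 lowercase words; simplification: any 3-8 letter lowercase words count, not just BIP-39 ones.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8}\s+){11}[a-z]{3,8}(?:(?:\s+[a-z]{3,8}){12})?\b")
# 86-88 base58 chars is a 64-byte ed25519 secret key; 32-44 char public addresses are kept.
BASE58_SECRET_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{86,88}\b")
REDACTED = "[REDACTED]"

def scrub_string(value):
    """Redact secret-looking substrings in one string; returns (clean, hits)."""
    hits = 0
    for pattern in (MNEMONIC_RE, BASE58_SECRET_RE):
        value, n = pattern.subn(REDACTED, value)
        hits += n
    return value, hits

def scrub_event(event):
    """Recursively scrub dicts/lists/strings; returns (scrubbed, redaction_count).
    A value under a denylisted key is replaced wholesale, whatever it contains."""
    if isinstance(event, dict):
        out, hits = {}, 0
        for key, val in event.items():
            if key.lower().replace("-", "_") in DENYLIST_KEYS:
                out[key], hits = REDACTED, hits + 1
            else:
                out[key], n = scrub_event(val)
                hits += n
        return out, hits
    if isinstance(event, list):
        parts = [scrub_event(v) for v in event]
        return [v for v, _ in parts], sum(n for _, n in parts)
    if isinstance(event, str):
        return scrub_string(event)
    return event, 0  # numbers, booleans, None pass through untouched

# Constructed sample: what a careless error report from a wallet app might carry.
FAKE_SECRET_B58 = "3" + "Kx" * 43 + "9"  # 88 base58 chars, not a real key
SAMPLE_EVENT = {
    "level": "error",
    "message": "Imported mnemonic: abandon ability able about above absent absorb "
               "abstract absurd abuse access accident (12 words)",
    "context": {
        "mnemonic": "zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong",
        "debug": "keypair=" + FAKE_SECRET_B58,
        "address": "Ab" * 22,  # 44-char constructed public address, safe to keep
    },
}
```

Running `scrub_event(SAMPLE_EVENT)` redacts the phrase in the message, the whole `mnemonic` field and the key in `debug` (three redactions) while leaving the public address intact; the point is that the scrubber sits in front of the monitoring client, so nothing it misses is a question of server-side hygiene.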