About the Solana Wallet Hack | TKX Weekly
2022-08-07 03:07
TKX Capital

by @Guaaronnnn
editor @FriedWagyuu

Part I. Solana Exploit

The Start

On August 3, 2022, an incident happened on Solana which led to more than 9,000 wallets being hacked. $SOL and SPL tokens were transferred out of hacked wallets to attacker wallets. Assets drained in total were more than $4 million.

At first, a few people noticed some unusual outflows from Phantom wallets on Solana

The cause could not be found quickly because the exploit was not caused by on-chain contracts. Instead, funds were drained using validly signed transactions. It took people hours to rule out different possibilities, and still neither the cause nor a way to stop the hack was found.

Co-founder of Solana Labs ruled out the possibility of delegation and interaction
AVA Labs founder Emin Gun Sirer said it was possibly a “supply chain attack”

Supply chain attack: an attack in which someone infiltrates your system through an outside partner or provider that has access to your systems and data.

Data collected by the Solana Foundation shows that of the drained wallets, nearly 60% belonged to Phantom users, about 30% to Slope users, and the rest to users of Trust Wallet and others. Both the iOS and Android versions of the applications were involved.

The Solana network was down for a while after the attack started, and RPC nodes began reporting as “offline”. This may have been caused by well-intentioned developers trying to slow down the exploiters by deliberately DDoSing and spamming the RPC nodes.

The Truth

The investigation pointed to Slope Wallet, which uses a Sentry service. A Sentry service is often used to monitor user interactions within an app. In this case, however, the Sentry service collected users’ mnemonics and private keys from Slope Wallet and sent them to a centralized server when a wallet was created. Slope sent the seed phrases out as plaintext. The phrases were not encrypted, meaning anybody with access to the service could read users’ seed phrases. This low security standard led to the breach, giving hackers the chance to acquire seed phrases and steal funds.
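Added example, not Slope’s code and not from the original post: the defensive counterpart to what happened here, an error-reporting hook that scrubs mnemonics and private keys out of a Sentry-shaped event before it leaves the device. The event shape, the field names and the wiring through Sentry’s `beforeSend` option are assumptions.

```javascript
// Added example (not Slope's or Sentry's code): a beforeSend-style hook that strips
// wallet secrets from a crash-report event before it leaves the device. In a real app
// it would be wired as Sentry.init({ dsn, beforeSend: scrubWalletSecrets }) (assumed).

// Field names that must never be reported at all
const SECRET_KEY_NAMES = /^(mnemonic|seed|seed_?phrase|private_?key|secret_?key|keypair)$/i;
// Base58 alphabet; a 64-byte Solana secret key encodes to 87-88 characters
const BASE58_SECRET = /\b[1-9A-HJ-NP-Za-km-z]{80,90}\b/g;
// Twelve (optionally twenty-four) lowercase 3-8 letter words: the shape of a BIP39 phrase.
// Deliberately over-broad: a false redaction costs a log line, a miss costs a wallet.
const SEED_PHRASE = /\b(?:[a-z]{3,8}\s+){11}[a-z]{3,8}(?:(?:\s+[a-z]{3,8}){12})?\b/g;

function redactString(text) {
  return text.replace(SEED_PHRASE, '[REDACTED_SEED_PHRASE]').replace(BASE58_SECRET, '[REDACTED_KEY]');
}

// Walk the event without mutating it; redact by key name first, then by value shape.
function scrubValue(value, depth = 0) {
  if (depth > 8) return '[TRUNCATED]';            // guard against cyclic or huge payloads
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SECRET_KEY_NAMES.test(key) ? '[REDACTED]' : scrubValue(v, depth + 1);
    }
    return out;
  }
  return value;                                    // numbers, booleans, null pass through
}

// Sentry calls beforeSend(event, hint) and sends whatever it returns (null drops the event).
function scrubWalletSecrets(event, _hint) {
  return scrubValue(event);
}

// Constructed sample event of the kind a wallet might emit during "create wallet"
const sampleEvent = {
  message: 'wallet created',
  extra: {
    mnemonic: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
    network: 'mainnet-beta',
  },
  breadcrumbs: [
    { message: 'backup: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about saved' },
    { message: 'imported ' + '4'.repeat(88) },     // stand-in for a base58 secret key
  ],
};
```

Key-name redaction catches the field Slope reported directly; the pattern-based pass catches the same secret when it is pasted into a free-text message or breadcrumb.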

Adam Cochran, Partner of Cinneamhain Ventures, commented on this incident
Crypto analyst @0xfoobar confirmed that Slope wallet leaked the seed phrases
The blockchain auditor @osec_io also confirmed that Slope’s mobile app leaked the seed phrases

What can we do?

This incident was caused by a hot wallet provider. So, there are several ways to protect yourself:

  • Multi-Signature — it requires signatures from multiple people to access a wallet. For example, if three people each hold mnemonic words or private keys, you can set a rule that at least two of them must sign to access the wallet. Each blockchain has its own multi-signature solution.
  • Cold Wallet — it is not connected to any network, and it always requires a dedicated app to work with. Compared to a cold wallet, a hot wallet carries the risk of the seed phrase or private key being stolen. Another security issue with hot wallets is the security of the runtime environment: if you use a hot wallet on your laptop and the laptop is infected with malware, your hot wallet is at risk.

If you were hacked:

  • Transfer all the assets ASAP — do it immediately, without further deliberation. Move all your remaining assets to a safe place, which can be a trustworthy exchange (Binance, FTX and Coinbase) or a cold wallet.
  • Freeze your assets — if the stolen asset is an NFT, you can contact OpenSea to label it. If it is a token, you can do on-chain analysis and trace your assets. You can also contact centralized exchanges, since they are the last stop if hackers want to cash out.

Part II. Market Updates

Solana’s $6M Exploit Likely Tied to Slope Wallet
Slope wallet may be responsible for an ongoing exploit on the Solana network. So far it has resulted in millions of dollars’ worth of crypto tokens being stolen from more than 9,000 hot wallets. Slope stored private keys as plaintext on a centralized server, which was compromised by the attacker.

NFT Exchange Magic Eden Expands to Ethereum
NFT marketplace Magic Eden is going to integrate Ethereum-based NFTs into its Solana-only platform. Magic Eden is the current kingpin of Solana digital collectibles, hosting more than 90% of the ecosystem’s trades.

Binance Taps Co-Founder Yi He to Head $7.5B Venture Arm
Binance Labs announced a new $500 million fund in June to invest in Web3 and blockchain projects. Binance co-founder Yi He was appointed to oversee its venture capital arm, Binance Labs.

BlackRock and Coinbase Partner to Give Institutional Investors Greater Access to Crypto
BlackRock, the asset management giant in traditional finance, is to offer crypto to institutional investors through Coinbase Prime.

Goerli Is Coming: Ethereum’s Last Rehearsal Before the Merge
The merge of Ethereum’s third and final test network, Goerli, is the largest community merge before the final weeks leading up to the Merge. Goerli is expected to transition to PoS sometime between Aug. 6 and Aug. 12, though this could change depending on how the hashrate develops.

Part III. Fundraising News

CLST — institutional digital asset lending
Raised multi-million in a seed round led by Spartan Group. Other backers include Coinbase Ventures, Kraken Ventures, GSR, Menai Financial Group, Luno Expeditions, a subsidiary of Digital Currency Group and others.

Coinfeeds — Web3 data platform
Raised $2 million in a seed round led by FTX Ventures. Other backers include Coinbase Ventures, Y Combinator, Huobi Ventures and others.

Trustless Media — Web3 media
Raised $3.25 million in a seed round led by Alameda Research. Other backers include Avalanche’s Ava Labs and Red DAO.

Debt DAO — credit protocol
Raised $3.5 million in a seed funding round led by Dragonfly Capital. Other backers include CSR, Numeus and others.

reNFT — NFT renting protocol
Raised $5 million in a funding round led by Mechanism and gumi Cryptos Capital (gCC). Other backers include Gemini, The Sandbox, OpenSea, Morningstar Ventures, EveryRealm, OP Crypto, Fourth Revolution Capital and others.

Reference

https://slowmist.medium.com/analysis-of-large-scale-theft-of-solana-5782cc999df4
https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook#mobile-phone
https://twitter.com/aeyakovenko/status/1554629126106951680
https://twitter.com/0xfoobar/status/1554881291451088896
https://twitter.com/milesdeutscher/status/1554853898497576960
https://twitter.com/osec_io/status/1555087555351420928
https://dune.com/tristan0x/solana-hack-3822
https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook#what-to-do-when-you-get-hacked

About TKX Capital

Website: TKX.Capital
Twitter: @TKXCAPITAL
Build with us: hi@tkx.capital

[Disclaimer] Markets carry risk; invest with caution. This article does not constitute investment advice; readers should consider whether any opinions, views or conclusions in it suit their particular circumstances. Anyone who invests on this basis does so at their own risk.
