London-based blockchain-analysis firm Elliptic put the amount stolen at $5.2 million in crypto, including Solana tokens and the stablecoin USD Coin, according to the Washington Post.
Solana users reported their funds had been drained from major internet-connected “hot” wallets including Slope, Phantom and TrustWallet. Hot wallets are always connected to the internet and allow for lightning-fast transactions.
Solana said in a tweet, “This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure.”
Slope Finance, which claims to be “the easiest way to discover web3 applications from one secure place,” advised all Slope users in an official statement to create “a new and unique seed phrase wallet, and transfer all assets to this new wallet.” Many wallets belonging to Slope staff were also drained, according to the statement, but hardware wallets (also known as cold wallets, which are not connected to the internet) were unaffected.
The attacker somehow obtained the ability to sign (initiate and approve) transactions on the behalf of users, suggesting a trusted third-party service may have been compromised in a so-called supply chain attack, Coindesk reported.
Solana, which was trading at a high of around $260 on Nov. 5, 2020, saw its native token, SOL, drop 4 percent in the hours after the attack before recovering most of that loss. Solana was trading at $40.47 as of this writing.
Here are three things to know:
Solana claims ‘no evidence its cryptography was compromised’
Often compared to Ethereum, Solana is considered cheaper and faster. Solana uses a technology called proof of history, which allows for high transaction speeds. It also has no transaction fees, unlike Ethereum, whose fees are growing.
Solana claimed in a tweet that “There is no evidence the Solana protocol or its cryptography was compromised.”
Hack highlights the interconnectedness of crypto networks, inability of any one part to vet all the others fully
The Solana-linked hack is concerning because Solana was made vulnerable by factors out of its control, Washington Post reported. Some argue the hack does not show that any crypto industry foundations are shaky. “This wasn’t a core blockchain problem, likely seems like one app someone built was buggy,” crypto mogul Sam Bankman-Fried told Fortune on Wednesday.
However, critics could argue that crypto networks are interconnected and no one part can fully vet all the others.
Blockchain bridges, like the one involved in Monday’s reported $190 million Nomad hack, let consumers swap crypto from one blockchain to another, making them vulnerable on both sides. “These bridges also tend to be newer and, in some cases, more hastily designed. In March, another blockchain bridge known as Ronin was hacked for amounts totaling more than $600 million in crypto,” the Post reported.
Renewing the debate of hot vs. cold wallets
The attack bring focus back to a long-running debate about the security of hot wallets, which are always connected to the internet to give users speed and convenience in storing, sending and receiving crypto, wrote Eli Tan and Sam Kessler for Coindesk. “Cold wallets – USB drives that must be plugged into a computer to sign transactions – are heralded as a more secure, albeit less convenient, alternative.”