Millions of dollars have been stolen from more than 5,000 wallets. Within hours, Solana’s value plummeted. Unknown attacker stole thousands of wallets that contained at least $4,000,000 worth of USDC and Solana late Tuesday night. At 8:00 PM PST, the hack was still being carried out.
It was thought that it originated on the Solana browser-wallet Phantom. It was believed to have compromised user keys–possibly including seedphrases that were re-used between wallets on different chains.
Blockchain audit firm OtterSec reported that more than 5,000 Solana wallets were emptied in the last few hours. “These transactions were being signed by their actual owners, which suggests some kind of private key compromise.” Watcher Guru updated this count to 8,000 shortly after.
Engineers from all over the Internet were working together to understand the extent of the exploit. Decrypt was informed by a spokesperson for MetaMask, an Ethereum wallet.
Initial reports identified the Solana wallet Phantom and Solana ecosystem as the targets. According to CoinMarketCap which has also noted a 45 percent rise in trading volume over the past 24 hours, the news has already caused an 8 percent drop in Solana’s value within two hours of the initial reports of the attack.
Miles Deutscher, crypto analyst and investor, stated that there is an undiscovered $SOL exploit currently draining random Phantom accounts. $6,000 is currently missing. You must revoke any permissions if you have Phantom funds.
Popular Solana NFT marketplace Magic Eden took to Twitter to alert of the problem.
The account stated that there was a widespread SOL exploit in play and it was draining wallets across the ecosystem. Magic Eden sent instructions in a tweet to remove suspicious links permissions.
Phantom claims it is investigating the reported exploits.
Phantom tweeted, “We are working closely together with other teams to find the root cause of a vulnerability in the Solana environment.” The team doesn’t believe that this is Phantom-specific. We will update you as soon as we have more information.”
The attack appears to not be restricted to Solana. Another user also reported that his USDC balance had been drained.
Twitter user Justin “Justin.sol” Barlow wrote: “My ERC-20, SPL USDC on @slope_finance as well as @TrustWallet were drain.”
Crypto analyst and author @0xfoobar has confirmed that the attacker stole both native tokens, SOL tokens and SPL tokens from USDC )… wallets that were inactive for less 6 months.
He suggested that it could be an “upstream dependency chain attack”, and he also said that the common advice to revoke wallet approvals won’t help — only transferring into an offline wallet will.
@0xfoobar explained that these SOL and SPL transfers were signed by the users, and not by third parties using approvals. While you can revoke it, it is likely that something has been done to compromise private keys.
Anatoly Yakovenko, cofounder of Solana Labs, stated that there is no way an “interaction” could make a wallet insecure. Only token-specific delegations, auto approvals or leaked seeds can transfer assets from a wallet for the user. This rules out delegation because system transfers happen.
