
On August 3, public-opinion monitoring on Chengdu Lianan's Hawkeye Blockchain Security Situational Awareness Platform showed that a large-scale theft of funds was under way on Solana, with SOL, SPL tokens, USDC, USDT, BTC, ETH and other assets worth about 6 million US dollars drained. In yesterday's warning we immediately advised Solana wallet users to move their crypto assets to a centralized exchange (CEX) or a hardware wallet as soon as possible.
Solana wallets under attack: how were more than 10,000 wallets drained?
On August 3, MagicEden, an NFT marketplace in the Solana ecosystem, tweeted that a suspected SOL-related vulnerability was being used to steal assets from Phantom wallets.
Independent security researcher CIA Officer then reported that attackers were draining $SOL from ordinary users' wallets by an unknown method, with the stolen funds already exceeding $5 million.
The well-known developer @0xfoobar tweeted that, in addition to Phantom, Slope wallet users had also reported thefts.
More and more users' wallets were drained, and it became clear that the situation was serious.
Solana's official response to the incident so far reads: "Engineers from multiple ecosystems are investigating this large-scale wallet theft with the help of several security companies. There is currently no evidence that hardware wallets are affected. Further information will be announced as the investigation progresses."
Progress of the analysis of this attack
Yesterday we reported that the stolen funds had been moved into the following wallet addresses; the balance of each address is shown below:
·Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV
·CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu
·5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3n
·GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy
Balances of the attacker's four wallet addresses (changing in real time; data source solscan.io, as of 17:40 Beijing time, August 4)
Our analysis so far:
First:
According to user reports, the affected wallets are mainly the Phantom wallet and the Slope wallet.
By capturing the Slope wallet's network traffic, the Chengdu Lianan security team found that the Sentry error-reporting service integrated in the wallet sent sensitive data, including the mnemonic and private key, to Slope's server o7e.slope.finance when a user created a wallet. Any mnemonic or private key that passed through that channel was therefore exposed.
Slope has since published a statement and is working on the problem.
As for the Phantom wallet, reverse engineering showed that it also bundles the Sentry library, but packet capture found no evidence of it sending mnemonics, private keys or other sensitive data to a server when a user creates a wallet.
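The Slope and Phantom findings above share one root cause: an error-reporting SDK will ship whatever context the application hands it, so key material must be kept out of the event before it leaves the device. The following is an added example, not code from Slope, Phantom or Sentry: a scrubber that walks an outgoing event, flags anything that looks like a mnemonic or a Solana secret key (by field name or by content), and redacts it. It follows the contract of Sentry's documented beforeSend option (event in, event or null out); the event layout, field names and sample event are assumptions constructed for illustration.

```javascript
// Added example, not code from Slope, Phantom or Sentry: keep wallet secrets
// out of outgoing error-telemetry events. Follows the shape of Sentry's
// documented beforeSend option; the event layout below is assumed.

const REDACTED = "[REDACTED]";

// A Solana secret key is 64 bytes. Wallets export it either as a base58
// string of 87-88 characters or as a JSON array of 64 integers in 0..255.
const BASE58_SECRET_RE = /^[1-9A-HJ-NP-Za-km-z]{87,88}$/;

// BIP-39 mnemonics have 12, 15, 18, 21 or 24 words. Any run of that many
// lowercase alphabetic words is flagged without consulting the wordlist, so
// the check errs toward over-redaction rather than leakage.
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]);

// Field names that mark a value as sensitive regardless of its content.
const SENSITIVE_KEY_RE = /mnemonic|seed|secret|private/i;

function looksLikeMnemonic(s) {
  const words = s.trim().split(/\s+/);
  return MNEMONIC_LENGTHS.has(words.length) &&
    words.every((w) => /^[a-z]{3,8}$/.test(w));
}

function looksLikeSecretKeyBytes(v) {
  return Array.isArray(v) && v.length === 64 &&
    v.every((b) => Number.isInteger(b) && b >= 0 && b <= 255);
}

// Walk the event and return the dotted path of every value that must not
// leave the device. Already-redacted values are not reported again.
function findSecrets(value, path = "", hits = []) {
  if (typeof value === "string") {
    if (value !== REDACTED &&
        (looksLikeMnemonic(value) || BASE58_SECRET_RE.test(value))) {
      hits.push(path);
    }
  } else if (looksLikeSecretKeyBytes(value)) {
    hits.push(path);
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (SENSITIVE_KEY_RE.test(k) && v !== REDACTED) hits.push(p);
      else findSecrets(v, p, hits);
    }
  }
  return hits;
}

// Return a deep copy of the event with every flagged value replaced; the
// original object is left untouched. Usable directly as `beforeSend`.
function scrubEvent(event) {
  const copy = JSON.parse(JSON.stringify(event));
  for (const path of findSecrets(copy)) {
    const parts = path.split(".");
    const last = parts.pop();
    let node = copy;
    for (const part of parts) node = node[part];
    node[last] = REDACTED;
  }
  return copy;
}

// Constructed sample event (not captured traffic): a failed wallet-creation
// report whose context carries a mnemonic under a telltale key, a keypair
// under a neutral key, and a second phrase buried in a breadcrumb. The byte
// array is 0..63, not a real key; the phrases are public BIP-39 test vectors.
const sampleEvent = {
  message: "createWallet failed: network timeout",
  extra: {
    mnemonic: "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
    keypair: Array.from({ length: 64 }, (_, i) => i),
    rpcUrl: "https://api.mainnet-beta.solana.com",
  },
  breadcrumbs: [
    { category: "ui", message: "user clicked Create Wallet" },
    { category: "state", data: { input: "zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong" } },
  ],
};

// Wiring into the SDK would look like (DSN assumed):
//   Sentry.init({ dsn, beforeSend: scrubEvent });
console.log(findSecrets(sampleEvent));
console.log(JSON.stringify(scrubEvent(sampleEvent), null, 2));
```

The same findSecrets walk can be run in a test against recorded event fixtures to catch a leak before release, which is the check the packet capture above performed after the fact. Treat the scrubber as the last line of defence: the real fix is never to place the mnemonic or secret key in any object that can reach a logger, and to audit what the wallet-creation code path attaches as context.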
In addition, public reports describe a similar problem found in NEAR's wallet in June: when a NEAR Wallet user chose "email" as the recovery method for the recovery phrase, the phrase was leaked to a third-party site.
Second:
According to public reports, Patrick O'Grady, director of engineering at Ava Labs, wrote on Twitter: "I wonder if there is a nonce reuse vulnerability in some of the ed25519 signature libraries that the Solana project is using. I think this would allow any attacker who observes Solana to obtain the private key, regardless of where the private key was generated." The Chengdu Lianan security team is continuing to follow up on and investigate this speculation.
What should users and projects pay attention to regarding wallet security?
This large-scale wallet theft holds lessons for everyone. For wallet security in the Web3 world, we offer the following suggestions:
For users:
Users can divide their wallets into two categories by purpose. The first category holds assets, including high-value ones; such assets are better kept in a cold wallet.
The second category is for transacting, and temporary wallets can serve this purpose: for example, create a fresh address in a wallet such as MetaMask and fund it with only a small amount, or use an online burner wallet such as Burner Wallet, which lets you set the transfer parameters (destination address, amount and so on) on a web page and generate a QR code for a small one-off transaction.
Likewise, for potentially risky transactions, use a different PC or a different browser from the one used for everyday activity.
For the project side:
Final words
Immediately after the theft, Chengdu Lianan issued an early warning advising Solana wallet users to transfer their crypto assets to a CEX or hardware wallet as soon as possible to avoid further losses. Meanwhile, the Chengdu Lianan security team is using its Lianbizhui virtual-currency case intelligent research and judgment platform to monitor, track and analyze the addresses holding the stolen funds.