Solana, USDC Drained From Wallets in Latest Multimillion-Dollar Attack

Late Tuesday night, an unknown attacker emptied thousands of wallets containing at least $4 million in Solana and USDC. The hack, which was still ongoing at 8:00 p.m. PST, appeared to have originated on the Solana browser wallet Phantom and was thought to have compromised user keys, possibly through seeding wallets on different chains.

According to blockchain auditors OtterSec, over 8,000 wallets have been compromised thus far. Several Solana addresses (1, 2, 3, 4) have been linked to the attack, with those wallets amassing at least $5 million in SOL, SPL, and other Solana-based tokens from unsuspecting users.

On Wednesday morning, Solana’s Twitter account posted a status update stating that “engineers are investigating the root cause” and noting that 7,767 wallets had been impacted. However, a data dashboard monitoring wallet activity and funds from hacks suggests a much higher number.

Solscan reports that a total of 15,220 wallets have been impacted and that $4.46 million worth of tokens, primarily SOL and USDC, have been stolen.

What Went Wrong?

As of Tuesday night, the attack’s exact origin remained unclear, but it appears to have primarily affected users of mobile wallets. If the attacker acquired the ability to sign transactions (i.e., initiate and approve them) on behalf of users, a reputable third-party service may have been compromised in a so-called supply chain attack.

The attack will unavoidably reignite a long-running discussion about the safety of hot wallets, which keep a steady internet connection and give users a convenient means of sending, storing, and receiving cryptocurrency. Cold wallets, which are USB drives that must be connected to a computer in order to sign transactions, are promoted as a more secure, though less practical, substitute.

The Consequences

According to early reports, the Solana ecosystem and the Phantom browser wallet were singled out. As per CoinMarketCap, the news had already caused an 8% decline in Solana’s value in the two hours following the initial reports of the attack. The website also recorded a 45% increase in trading volume over the previous 24 hours.

Some users initially suspected a connection between the hack and transactions on Magic Eden’s Solana-based non-fungible token (NFT) marketplace, though this connection grew less obvious as the attack went on.

Twitter is still flooded with complaints from Solana users who have discovered that tokens have gone missing from their accounts.

It is unclear at this point whether the vulnerability is limited only to the Solana blockchain. A TrustWallet and Slope wallet user reported losing USDC on both Solana and Ethereum.

Crypto analyst and author @0xfoobar confirmed that “the attacker is stealing both native tokens (SOL) and SPL tokens (USDC)… affecting wallets that have been inactive for less than 6 months.”

Theorizing that it might be an “upstream dependency supply chain attack,” he continued by saying that switching to an offline hardware wallet would be the only way to protect funds, contrary to the popular belief that withdrawing wallet approvals would suffice.

The Solana Attack’s Aftermath

Phantom claims to be looking into the alleged exploits.

“We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem,” Phantom tweeted. “At this time, the team does not believe this is a Phantom-specific issue. As soon as we gather more information, we will issue an update.”

Popular Solana NFT marketplace Magic Eden also took to Twitter to warn of the exploit.

Due to its quick transactions and affordable fees, Solana, the fifth-largest blockchain by total value locked (TVL), has gained popularity in recent months.