It seems there is a widespread exploit happening within the Solana ecosystem. The causes are still unknown. A few sources I observed claim that revoking any apps from your SOL wallets doesn't help; it looks like there is nothing you can do but migrate your SOL into cold storage or a hardware wallet.
Suspected attacker wallets:
- https://solscan.io/account/CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu
- https://solscan.io/account/Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV
Reposted information from /r/solana:
ONGOING EXPLOIT ACROSS MANY SOLANA DAPPS
There are many gambling sites and NFT mint sites that are suspected to be involved in this attack. Millions of dollars are currently being drained from wallets. We are actively working with teams (including wallet providers) to investigate the issue further and attempt to mitigate the exploit.
PLEASE CHECK YOUR WALLETS TO ENSURE THAT YOUR FUNDS ARE SAFE. CONSIDER MOVING YOUR FUNDS TO A HARDWARE WALLET SUCH AS LEDGER.
Attacker wallets:
- https://solscan.io/account/CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu
- https://solscan.io/account/Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV
I will share more updates at
https://twitter.com/solblaze_org/status/1554621959870169089 as I continue to receive more information about this attack.
Further relevant information:
https://nitter.net/phantom/status/1554626111535026177
We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem. At this time, the team does not believe this is a Phantom-specific issue.
As soon as we gather more information, we will issue an update.
https://nitter.net/solblaze_org/status/1554628258963922944
It seems like this attack is mainly impacting browser and mobile wallets. We are actively working with teams to further investigate the issue and will continue to provide updates as we learn more.
https://nitter.net/solanafm/status/1554636582564417536
The community has identified these 4 wallets as the hackers & we have tagged them on our explorer.
CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu
Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV
5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3n
GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy
Thoughts? Are any of you here affected?
EDIT:
Some of the latest updates from @SolanaStatus, the Twitter account run by the Solana Foundation.
https://nitter.net/SolanaStatus/status/1554658171934937090
[1]
Engineers from multiple ecosystems, with the help of several security firms, are investigating drained wallets on Solana. There is no evidence hardware wallets are impacted.
This thread will be updated as new information becomes available.
[2]
An exploit allowed a malicious actor to drain funds from a number of wallets on Solana. As of 5am UTC approximately 7,767 wallets have been affected.
The exploit has affected several wallets, including Slope and Phantom. This appears to have affected both mobile and extension.
[3]
Engineers are currently working with multiple security researchers and ecosystem teams to identify the root cause of the exploit, which is unknown at this time.
[4]
There’s no evidence hardware wallets have been impacted – and users are strongly encouraged to use hardware wallets.
Do not reuse your seed phrase on a hardware wallet - create a new seed phrase.
Wallets drained should be treated as compromised, and abandoned.
[5]
If your wallet was one of the 7,767 impacted please complete this survey – engineers are investigating the root cause
https://solanafoundation.typeform.com/to/Rxm8STIT?typeform-source=admin.typeform.com
And here is some shitshow:
EDIT 3: Many RPC servers have gone offline due to white-hat hackers purposefully DDOSing them to slow down the hacker. Currently, it seems like the main Solana RPC server run by Triton as well as QuickNode and Ankr have gone offline. PLEASE DO NOT DDOS RPC SERVERS! IT ONLY MAKES IT HARDER FOR SOLANA AND DEVS TO DIAGNOSE THE ISSUE.
EDIT1:
It seems the investigation is still ongoing, but it looks like the community might have found the main culprit, which is the Slope wallet. One point to note: this vulnerability isn't related to the Solana protocol or dApps.
New updates:
https://nitter.net/SolanaStatus/status/1554921396408647680
After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. 1/2
This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure.
While the details of exactly how this occurred are still under investigation, private key information was inadvertently transmitted to an application monitoring service. 2/3
There is no evidence the Solana protocol or its cryptography was compromised. 3/3
Official statement from Slope Finance:
Dear Slope Community,
Here is what we know at this juncture regarding the breaches to our user base:
- A cohort of Slope wallets were compromised in the breach
- We have some hypotheses as to the nature of the breach, but nothing is yet firm
- We feel the community’s pain, and we were not immune. Many of our own staff and founders’ wallets were drained
Actions we are taking:
- We are actively conducting internal investigations and audits, working with top external security and audit groups
- We are working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify
While we have not fully confirmed the nature of the breach, in the spirit of safeguarding our user base, we recommend ALL Slope users do the following:
- Create a new and unique seed phrase wallet, and transfer all assets to this new wallet. Again, we do not recommend using the same seed phrase on this new wallet that you had on Slope.
- If you are using a hardware wallet, your keys have not been compromised.
We are still actively diagnosing, and are committed to publishing a full post mortem, earning back your trust, and making this as right as we can.
Thank you,
Slope Team
EDIT2:
https://nitter.net/Austin_Federa/status/1554935012386037760
We spun up a Typeform to collect data and the results were clear – of those drained ~60% were Phantom users and 40% Slope users. But after extensive interviews and requests to the community, we couldn't find a single Phantom-forever user who had their wallet drained
~
The investigations are ongoing, and I can't stress enough the importance of creating a new seed phrase in a non-slope wallet, and moving any assets you have in a Slope hot wallet over.
Then go buy a hardware wallet.
~
And what about the ETH users drained?
Turns out, they'd been using their Solana BIP39 phrase in Ethereum, too! So the hacker inadvertently was able to access assets stored on ETH.
From the outside, it was indistinguishable from a supply chain attack.
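The advice above (create a fresh seed phrase, never reuse one across wallets) and the ETH drains explained by a reused BIP39 phrase both come down to how a mnemonic is turned into keys. As an added example, written for this page and not code from Slope, Phantom or the Solana Foundation, the following Python (standard library only) computes the BIP39 seed and the first derivation steps for both chains. The path m/44'/501'/0'/0' is the one commonly used by Solana wallets and is an assumption of the example, not something stated on the page; the test phrase is the BIP39 reference vector built from all-zero entropy, not anyone's wallet. It goes slightly beyond the page by showing that the Ethereum (BIP32, secp256k1) and Solana (SLIP-0010, ed25519) key trees are both rooted in the same 64-byte seed, so whoever learns the mnemonic holds every chain's keys.

```python
"""One mnemonic, one seed, every chain: BIP39 seed derivation plus the root
nodes for Ethereum (BIP32) and Solana (SLIP-0010 ed25519). Added example,
standard library only; the Solana path below is an assumption of the example.
"""
import hashlib
import hmac
import unicodedata
from typing import Tuple

BIP39_ROUNDS = 2048


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: mnemonic sentence -> 64-byte seed via PBKDF2-HMAC-SHA512."""
    # NFKD normalisation and the fixed "mnemonic" salt prefix are part of the spec.
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, BIP39_ROUNDS, dklen=64)


def master_node(seed: bytes, curve_tag: bytes) -> Tuple[bytes, bytes]:
    """Root (key, chain code) for one curve: HMAC-SHA512 keyed by the curve tag.

    BIP32 (secp256k1, used by Ethereum) keys the HMAC with b"Bitcoin seed";
    SLIP-0010 for ed25519 (used by Solana) keys it with b"ed25519 seed".
    Both roots are pure functions of the same BIP39 seed.
    """
    digest = hmac.new(curve_tag, seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def slip10_ed25519_child(key: bytes, chain: bytes, index: int) -> Tuple[bytes, bytes]:
    """SLIP-0010 hardened child step for ed25519 (ed25519 has only hardened steps)."""
    data = b"\x00" + key + (index | 0x80000000).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def solana_signing_seed(seed: bytes, account: int = 0) -> bytes:
    """Walk m/44'/501'/account'/0' (assumed common Solana wallet path) down to the
    32-byte ed25519 private seed from which that account's keypair is built."""
    key, chain = master_node(seed, b"ed25519 seed")
    for index in (44, 501, account, 0):
        key, chain = slip10_ed25519_child(key, chain, index)
    return key


# BIP39 reference phrase (all-zero entropy); constructed test input, not a real wallet.
TEST_PHRASE = "abandon " * 11 + "about"


def demo() -> dict:
    """Derive the shared seed and both chain roots from the reference phrase."""
    seed = bip39_seed(TEST_PHRASE)
    eth_root_key, _ = master_node(seed, b"Bitcoin seed")   # start of m/44'/60'/...
    sol_key = solana_signing_seed(seed)                      # m/44'/501'/0'/0'
    return {
        "seed": seed.hex(),
        "eth_root_key": eth_root_key.hex(),
        "solana_account0_seed": sol_key.hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The Ethereum branch stops at the root node because the remaining non-hardened steps of m/44'/60'/0'/0/0 need secp256k1 point arithmetic that the standard library does not provide; the point stands regardless, since every key on either chain is computed from the one seed that the leaked mnemonic yields.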
EDIT3:
https://nitter.net/Zellic_io/status/1554936143220617216
1/ First, the following theories are considered very unlikely and entirely rejected:
- issues in Solana core
- issues in SPL token
- crypto issues (e.g. weak RNGs)
- widespread user devices compromise
- supply chain (compromised libraries)
2/ In the war room, we first hypothesized that wallets may be leaking mnemonics or private keys to Sentry.
After further investigation with the community, this is what we found:
3/ First, let's talk about Sentry.
Sentry is an event logging platform used for reporting errors in apps.
If a certain event occurs in the app, a request containing the details & environment is logged to the company's Sentry.
Many companies use Sentry on websites & mobile.
4/ The Slope Wallet for iOS and Android uses Sentry for event logging.
Any interaction in the app would trigger an event log.
Unfortunately, Slope didn't configure Sentry to scrub sensitive info. Thus, mnemonics were leaked to Sentry
s/o to @sniko_ for this screenshot:
https://pbs.twimg.com/media/FZQ-MU6VQAAHh0a?format=jpg&name=4096x4096
5/ However, Slope has been using Sentry for only 1 week now.
**Hypothetically**, an attacker *with access to Sentry* could go through event logs and steal the thousands of mnemonics leaked in the past week
Then drain thousands of wallets.
~
https://nitter.net/osec_io/status/1555087555351420928
We have independently confirmed that Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server.
-
These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys.
-
Slope has been very helpful in sharing data related to the hack. We received the database 4:45 PM UTC August 3rd and immediately began our investigation. The Sentry logs spanned between July 28th and August 3rd.
-
Approximately 1,400 of the addresses in the exploit were present in Sentry logs. Notably, this does not account for all the hacked addresses.
We are still investigating this discrepancy and possible other vectors.
-
Over 5,300 private keys which were not a part of the exploit were found in the Sentry instance. 2,358 of these addresses have tokens in them. If you used Slope, PLEASE MOVE YOUR FUNDS
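The Zellic and OtterSec threads above both come down to one missing control: the app reported events to Sentry without scrubbing secrets first. As an added example (written for this page; not Slope's code and not Sentry's own scrubber), here is a Python `before_send` hook of the kind `sentry_sdk.init(dsn=..., before_send=...)` accepts (that parameter exists in the Sentry Python SDK; the mobile SDKs expose the equivalent `beforeSend`). It redacts values stored under secret-looking keys and, because a mnemonic can also land in a free-text message or breadcrumb, anything shaped like a BIP39 sentence or a 64-integer Solana secret-key array, before the event leaves the device. The key names, the word-pattern heuristic and the sample event are constructed for the example; the heuristic over-matches ordinary lowercase prose, which is the safe direction for a scrubber.

```python
"""Redact wallet secrets from a Sentry event before it is sent. Added example;
the hook shape matches sentry_sdk.init(before_send=...), the rest is constructed.
"""
import re
from typing import Any, Optional

REDACTED = "[Filtered]"

# Keys whose values are always secret, whatever they look like (constructed list).
SENSITIVE_KEYS = {
    "mnemonic", "seed", "seed_phrase", "seedphrase",
    "private_key", "privatekey", "secret_key", "secretkey", "password",
}

# Heuristic: 12 to 24 lowercase words of 3-8 letters separated by single spaces,
# the shape of a BIP39 sentence. Over-matches plain lowercase prose on purpose.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b")

# A Solana secret key exported the usual way: a JSON array of 64 byte values.
KEY_ARRAY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")


def redact_text(text: str) -> str:
    """Replace secret-shaped substrings inside free text (messages, breadcrumbs)."""
    text = MNEMONIC_RE.sub(REDACTED, text)
    return KEY_ARRAY_RE.sub(REDACTED, text)


def scrub(value: Any, key: str = "") -> Any:
    """Return a scrubbed copy of ``value``; the original event is never mutated."""
    if isinstance(value, dict):
        return {k: scrub(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v, key) for v in value]
    if isinstance(value, str):
        if key.lower() in SENSITIVE_KEYS:
            return REDACTED
        return redact_text(value)
    return value


def scrub_event(event: dict, hint: Optional[dict] = None) -> dict:
    """Sentry ``before_send`` signature: (event, hint) -> event, or None to drop it."""
    return scrub(event)


# Constructed sample event in the shape the Sentry Python SDK builds. The phrase is
# the BIP39 all-zero-entropy reference vector, not anyone's wallet.
TEST_PHRASE = "abandon " * 11 + "about"
SAMPLE_EVENT = {
    "message": "wallet import failed",
    "extra": {"mnemonic": TEST_PHRASE, "wallet_name": "Main"},
    "breadcrumbs": [{"category": "ui", "message": "user pasted: " + TEST_PHRASE}],
    "request": {"data": "[" + ",".join(str(i) for i in range(64)) + "]"},
}

if __name__ == "__main__":
    # Wiring it in (real parameter name; the DSN is a placeholder):
    #   sentry_sdk.init(dsn="<your DSN>", before_send=scrub_event)
    import json
    print(json.dumps(scrub_event(SAMPLE_EVENT), indent=2))
```

A key-name denylist alone would have left the breadcrumb in the sample untouched, which is why the hook also pattern-matches values; keeping `send_default_pii` at its default of off and reviewing what the SDK captures on each screen are the complementary controls.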