Mass theft of Solana wallets points to supply chain software

“There seems to be a widespread vulnerability that can drain the wallet assets of the entire Solana ecosystem.” This tweet from Magic Eden, the Solana ecosystem’s NFT marketplace, went viral in the blockchain industry on the morning of August 3.

Immediately afterwards, a large-scale theft of user assets unfolded in plain view. According to tracking by multiple security companies, the number of drained Solana wallets grew steadily from 5,000; as of 1 p.m., about 7,767 wallets had been emptied, with various crypto assets and NFTs transferred out.

The alarming part is that, although the industry is aware of the vulnerability, its source had not been found as of press time, and during this period hackers continued to empty users’ wallets.

According to tracking by the SlowMist security team, about $580 million in crypto assets flowed to 4 attacker addresses. Since this is not an attack against a single protocol, it looks more like a hacker cracking the private keys of a large number of users. SlowMist speculates that the problem may lie in the software supply chain.

A “supply chain attack” is a new type of attack. Attackers tend to step in upstream or midstream, spreading their malicious activity and its after-effects downstream to more users. Therefore, compared to an isolated security breach, a successful supply chain attack has a greater scale and a more far-reaching impact. Some security people speculate that a vulnerability in a wallet used by the victims may have exposed their private keys.

At present, Solana Status, Solana’s official team, has released a form to collect relevant information from affected users in order to analyze the vulnerability. Security sources suggest that, to avoid asset loss from similar incidents, users are best served by a hardware wallet and a newly created mnemonic phrase, and that any wallet that has shown problems or is at risk of private key leakage should be treated as compromised and discarded.

Unknown vulnerability leads to the theft of nearly 8,000 Solana wallets

On August 3, a large-scale hacking attack swept the Solana public chain. According to an early warning from Solana ecological NFT marketplace Magic Eden, there appears to be a widespread vulnerability that could drain the entire Solana ecosystem of wallet assets.

Then, the blockchain security audit team OtterSec disclosed that funds from over 5,000 Solana wallets had been stolen in the past few hours. OtterSec’s analysis showed that these transactions were signed by the actual owners, indicating a private key leak. The vulnerability could also affect ETH users.

The massive theft of Solana on-chain wallets quickly caused panic among users. The losses from this attack have not stopped, and more users continue to fall victim as the incident unfolds.

At about 10:30 a.m. the same day, Emin Gün Sirer, founder of the Avalanche public chain, observed that the attack on the Solana ecosystem was continuing and that the number of stolen wallets had risen to more than 7,000, “and the number of wallets was increasing at a rate of 20 per minute.”

Emin Gün Sirer sees continued increase in stolen wallets

Emin Gün Sirer, who also noticed the details of the transaction signature, believes that the attacker has likely gained access to the private key.

If a large-scale private key leak has occurred, the funds in users’ wallets can be withdrawn by hackers at any time. Amid the panic, many users logged into their wallets to transfer funds away in order to avoid losses.

This wide-scale hacking attack has put many Solana ecosystem project teams on alert.

The Move-to-Earn application STEPN issued a notice reminding users that, if they have previously imported or exported STEPN assets to or from non-custodial wallets, they need to check whether any assets in those wallets are missing. Users should transfer assets out of such wallets promptly, or generate a new non-custodial wallet from the STEPN application.

Magic Eden also reminded users that it is best to create a new wallet with a new mnemonic phrase and transfer all NFTs and liquid crypto assets to it, and that it is safer to keep all assets in a cold wallet.

Because the characteristics of the theft pointed to leaked private keys, the wallet application providers of the Solana ecosystem came under close scrutiny. According to feedback from many victims, they had used the Slope and Phantom wallets to generate their accounts. Some initially suspected a vulnerability at a wallet provider that exposed users’ private keys.

Phantom does not believe the problem is specific to its wallet. Its official announcement stated that the vulnerability in the Solana ecosystem could not yet be identified: “We are working closely with other teams and will issue an update once more information is collected.”

As of 1:00 p.m. on August 3, the source of the theft had not yet been found, and users continued to report stolen assets. According to an attack update released by Solana Status, Solana’s official development team, about 7,767 wallets were affected, and “engineers are currently working with multiple security researchers and ecosystem teams to determine the root cause of the exploit.”

According to industry analysis, this attack is suspected to be a “supply chain attack”

A large-scale attack of this kind is the first in the history of blockchain development. In the past, most hacking attacks were concentrated on a single exchange, application protocol or cross-chain bridge, for example exploiting a flaw in a chain protocol to sweep up all the user funds held in that protocol at once. This time, the hackers appear instead to have cracked a large number of users’ private keys through unknown means and transferred user assets one by one.

According to the SlowMist security team’s tracking of the incident, approximately $580 million in crypto assets flowed to 4 attacker addresses. “Many victims reported that they used a variety of different wallets, mainly mobile wallets. We speculate that the problem may lie in the software supply chain.”

Emin Gün Sirer also believes that one possible avenue is a supply chain attack, in which JS libraries are hacked to steal users’ private keys.

“JS library” generally refers to a packaged set of JavaScript functions that a program can call directly. Based on feedback from some victims, the stolen wallets appear to have been created within the past 9 months, but there are also reports of newly created wallets being affected, so it is impossible to pinpoint which supply-chain software was at fault.

Some users proposed using transaction rollback to recover the stolen assets, but security people said this method is not suitable for this incident, “because it is impossible to distinguish which transactions were signed by the users themselves.”
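The two observations above, that the draining transactions carried the owners’ own valid signatures (OtterSec) and that a rollback cannot tell a victim’s transactions from an attacker’s, come down to one property of the Ed25519 signature scheme Solana accounts use. The following Go program is an added illustration, not code from the article or from any wallet: using a constructed seed and a simplified stand-in for a transfer message (both assumptions, not Solana’s real transaction format), it shows that a signature made with a leaked copy of the seed verifies exactly like, and is byte-for-byte identical to, the one the owner would produce.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Transfer is a constructed stand-in for a Solana transfer: payer, recipient, lamports.
type Transfer struct {
	From, To ed25519.PublicKey
	Lamports uint64
}

// Bytes serialises the transfer into the message that is signed.
func (t Transfer) Bytes() []byte {
	var amt [8]byte
	binary.LittleEndian.PutUint64(amt[:], t.Lamports)
	return bytes.Join([][]byte{t.From, t.To, amt[:]}, nil)
}

// SignTransfer produces the paying account's Ed25519 signature.
func SignTransfer(priv ed25519.PrivateKey, t Transfer) []byte {
	return ed25519.Sign(priv, t.Bytes())
}

// VerifyTransfer is all a validator or rollback tool can check: valid for From's key.
func VerifyTransfer(t Transfer, sig []byte) bool {
	return ed25519.Verify(t.From, t.Bytes(), sig)
}

// LeakedKeySignaturesMatch shows the core problem: a copy of the 32-byte seed reproduces
// the whole key pair, and Ed25519 signing is deterministic, so the leaked copy's signature is byte-identical.
func LeakedKeySignaturesMatch(seed []byte, t Transfer) bool {
	owner := ed25519.NewKeyFromSeed(seed)
	leakedCopy := ed25519.NewKeyFromSeed(seed)
	return bytes.Equal(SignTransfer(owner, t), SignTransfer(leakedCopy, t))
}

func main() {
	seed := make([]byte, ed25519.SeedSize)
	rand.Read(seed) // constructed owner key, not a real wallet
	owner := ed25519.NewKeyFromSeed(seed)
	dest, _, _ := ed25519.GenerateKey(rand.Reader) // constructed recipient
	drain := Transfer{From: owner.Public().(ed25519.PublicKey), To: dest, Lamports: 1_000_000}
	sig := SignTransfer(ed25519.NewKeyFromSeed(seed), drain) // signed with the leaked copy
	fmt.Println("valid:", VerifyTransfer(drain, sig), "same as owner's:", LeakedKeySignaturesMatch(seed, drain))
}
```

The only thing a validator sees is a signature that checks out under the account’s public key, which is why rotating to a fresh seed (as the advice in this article says) is the remedy rather than any on-chain filtering.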

It is worth noting that although the attack affected a large number of users, and the Solana network experienced lag with some applications interrupted, the operation of the underlying chain was not affected. Solana validator Laine said in a post that multiple Solana RPC nodes appeared to have stopped serving requests, possibly due to overload or deliberate action, but that the Solana blockchain itself was operating normally.

The above information points to a “supply chain attack” as the source of this security incident. This is a new type of attack, especially in Web3, where smart contracts are tightly coupled with one another: attackers intervene upstream or midstream, spreading their malicious activity and its after-effects downstream to more users. As a result, a successful supply chain attack has a larger scale and a more far-reaching impact than an isolated security breach.

On the afternoon of August 3, Solana Status released a form to collect relevant information from affected users in order to analyze the vulnerability.

Solana Status collects user information to analyze the reasons for theft

According to the latest news, Solana Labs co-founder aeyakovenko revealed that the attack appears to be an attack on the iOS supply chain, in which multiple trusted wallets that had only received SOL and had no other interaction were affected; in these cases the private key had been imported into iOS. His speculation has not been confirmed: “just that all the confirmed information is an iOS device, but it may also be because of its popularity.”

More details and the cause of the massive Solana theft await further analysis and disclosure by security teams. It is worth noting that the “supply chain attack” method appears to have begun to penetrate the blockchain field: when users use on-chain applications, vulnerabilities in basic Web2 programs such as crypto wallets and input methods (keyboard apps) may leak private keys. Security sources suggest that, to avoid asset loss from similar incidents, users are best served by a hardware wallet and a newly created mnemonic phrase, and that any wallet that has shown problems or is at risk of private key leakage should be treated as compromised and discarded.

Posted by: CoinYuppie. Reprinted with attribution to: