Twitter users are scrambling to work out the mechanics of an attack on Solana wallets that drained SOL and USDC worth at least $4 million in the blink of an eye.
The mechanics of the attack are still unclear. What is known is that Solana private keys were compromised on a large scale, and the attackers stole both the native token (SOL) and SPL tokens such as USDC. Even accounts inactive for more than six months were drained. The attack affected widely used hot wallets such as Phantom, Slope and Trust Wallet.
According to the blockchain auditors OtterSec, over 8,000 wallets have been compromised so far and at least $5 million has been stolen.
At first, users suspected that the Phantom wallet contained some kind of vulnerability that allowed the attacker to sign transactions with users' private keys. However, wallets other than Phantom were also compromised, which means the exploit was not exclusive to Phantom. The Phantom team said they did not believe it was a Phantom-specific issue.
Users were urged to revoke all permissions granted to trusted (connected) apps.
Another theory is that the attack is an upstream dependency supply-chain compromise, in which case revoking approvals would probably not help. Binance CEO Changpeng Zhao urged users to move SOL to an offline hardware wallet or a trusted centralized exchange (CEX). Simply turning off the PC or smartphone and disconnecting it from the Internet is also considered an option. Note that going offline only helps if the key has not yet left the device; a key that has already been exfiltrated can be used from anywhere, so moving funds to a freshly generated key is the only reliable remedy.
However, the problem may be larger than it first appeared. Several hours after the attack began, software developer Stephen Lacy tweeted that he had discovered a "widespread malware attack" on GitHub affecting some 35,000 software repositories.
In subsequent tweets, Lacy explained that the 35,000 affected repositories were not official ones but forked copies, with the clones altered to include malware.
The Solana exploit might also stem from weak cryptography in a library the ecosystem relies on. This suggestion came from Coinbase crypto engineer Patrick O'Grady, who speculated that the attack could be linked to a nonce-reuse bug in an ed25519 signature library used by Solana projects.
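To make the nonce-reuse theory concrete, here is an added example; it is not code from Solana, Phantom, Slope or any library named in this article. Ed25519 derives its per-signature nonce deterministically as a hash of a secret prefix and the message, so a correct implementation never repeats one. The example implements the textbook scheme in pure Python, adds a constructed defect (`buggy_sign`, which leaves the message out of the nonce hash) and shows that two such signatures on different messages reveal the private scalar, which is then enough to forge a signature over any message without ever seeing the seed. The key, the messages and the attacker's nonce are all constructed for the demo.

```python
# Added example: why a nonce-reuse bug in an Ed25519 signing library leaks the
# private scalar. Textbook Ed25519 arithmetic (unoptimized, not constant-time)
# plus a constructed defect `buggy_sign`. Not code from Solana or any wallet.
import hashlib

p = 2**255 - 19                                        # field prime
l = 2**252 + 27742317777372353535851937790883648493    # order of the base point
d = (-121665 * pow(121666, p - 2, p)) % p              # curve constant
I = pow(2, (p - 1) // 4, p)                            # sqrt(-1) mod p

def hint(m: bytes) -> int:
    """SHA-512 of m read as a little-endian integer (the H() of Ed25519)."""
    return int.from_bytes(hashlib.sha512(m).digest(), "little")

def xrecover(y: int) -> int:
    """Recover the even x-coordinate for a given y on the curve."""
    xx = (y * y - 1) * pow(d * y * y + 1, p - 2, p)
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = (x * I) % p
    return p - x if x & 1 else x

By = (4 * pow(5, p - 2, p)) % p
B = (xrecover(By), By)                                 # standard base point

def edwards(P, Q):
    """Point addition on the twisted Edwards curve (affine coordinates)."""
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, p - 2, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, p - 2, p) % p)

def scalarmult(P, e: int):
    """Double-and-add scalar multiplication e*P."""
    Q = (0, 1)                                         # neutral element
    while e:
        if e & 1:
            Q = edwards(Q, P)
        P, e = edwards(P, P), e >> 1
    return Q

def encodepoint(P) -> bytes:
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def decodepoint(s: bytes):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = xrecover(y)
    if x & 1 != n >> 255:
        x = p - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % p:
        raise ValueError("point not on curve")
    return (x, y)

def secret_scalar_and_prefix(sk: bytes):
    """Expand a 32-byte seed into the clamped scalar a and the 32-byte nonce prefix."""
    h = hashlib.sha512(sk).digest()
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254), h[32:]

def publickey(sk: bytes) -> bytes:
    return encodepoint(scalarmult(B, secret_scalar_and_prefix(sk)[0]))

def sign_with_nonce(r: int, a: int, pk: bytes, m: bytes) -> bytes:
    """R = r*B, S = r + H(R || A || M) * a mod l."""
    R = encodepoint(scalarmult(B, r % l))
    return R + ((r + hint(R + pk + m) * a) % l).to_bytes(32, "little")

def sign(sk: bytes, m: bytes) -> bytes:
    """Correct Ed25519: nonce = H(prefix || message), so R differs per message."""
    a, prefix = secret_scalar_and_prefix(sk)
    return sign_with_nonce(hint(prefix + m), a, publickey(sk), m)

def buggy_sign(sk: bytes, m: bytes) -> bytes:
    """Constructed defect: the message is left out of the nonce hash, so R repeats."""
    a, prefix = secret_scalar_and_prefix(sk)
    return sign_with_nonce(hint(prefix), a, publickey(sk), m)

def verify(pk: bytes, m: bytes, sig: bytes) -> bool:
    """Check S*B == R + H(R || A || M) * A."""
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    S = int.from_bytes(sig[32:], "little")
    return S < l and scalarmult(B, S) == edwards(R, scalarmult(A, hint(sig[:32] + pk + m)))

def recover_scalar(pk, m1, sig1, m2, sig2) -> int:
    """Two signatures sharing R: S1 - S2 = (h1 - h2) * a (mod l); solve for a."""
    if sig1[:32] != sig2[:32]:
        raise ValueError("signatures do not share a nonce")
    S1, S2 = (int.from_bytes(s[32:], "little") for s in (sig1, sig2))
    h1, h2 = (hint(sig1[:32] + pk + m) % l for m in (m1, m2))
    return ((S1 - S2) * pow(h1 - h2, -1, l)) % l       # raises if h1 == h2 mod l

def forge(a: int, pk: bytes, m: bytes) -> bytes:
    """The recovered scalar signs any message; the seed is never needed."""
    return sign_with_nonce(hint(b"attacker nonce" + m), a, pk, m)

def demo() -> dict:
    sk = hashlib.sha256(b"constructed demo seed, not a real wallet key").digest()
    pk, m1, m2 = publickey(sk), b"transfer 1 SOL to alice", b"transfer 1 SOL to bob"
    s1, s2 = buggy_sign(sk, m1), buggy_sign(sk, m2)
    a = recover_scalar(pk, m1, s1, m2, s2)
    drain = b"transfer all SOL and USDC to attacker"
    return {"both_verify": verify(pk, m1, s1) and verify(pk, m2, s2),
            "same_R": s1[:32] == s2[:32],
            "correct_impl_distinct_R": sign(sk, m1)[:32] != sign(sk, m2)[:32],
            "recovered": a == secret_scalar_and_prefix(sk)[0] % l,
            "forgery_verifies": verify(pk, drain, forge(a, pk, drain))}

if __name__ == "__main__":
    print(demo())
```

`demo()` returns a dict of checks: both buggy signatures verify and share the same R, the correct implementation produces distinct R values, the recovered scalar matches the real one modulo l, and the forged "drain" signature verifies under the victim's public key. The recovery step is nothing more than S1 - S2 = (h1 - h2)·a mod l: with R fixed, the only unknown is a, and one modular inverse yields it. This is why a nonce bug in any Schnorr-style scheme, EdDSA included, is equivalent to leaking the signing key, even though Ed25519's deterministic nonce means such a bug would have to be a library defect rather than a property of the algorithm.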