Another day, another big hack in the crypto world. On Tuesday, Solana owners reported that their funds were vanishing—and by evening it became clear a hacker was draining millions from online wallets.
The cause of the hack is still under investigation and so is the extent of the damage, but on Wednesday afternoon, the “Solana Status” Twitter account shared that the exploit seems to be tied to Slope wallets—a type of cryptocurrency wallet platform built for Solana. And at some point, private key (or password) information for such wallets “was inadvertently transmitted to an application monitoring service,” rather than a Solana blockchain compromise.
Security firms estimate that the hacker responsible has made off with at least $5.2 million worth of assets—including Solana’s native cryptocurrency, SOL, a small number of non-fungible tokens (NFTs), and over 300 Solana-based tokens.
“Engineers…continue to investigate the root cause of an incident that resulted in approximately 8,000 wallets being drained,” Austin Federa, head of communications at the Solana Foundation, told Fortune. “This does not appear to be a bug with Solana core code, but in software used by several wallets popular among users of the network.” Here’s a plain English summary of what we know so far:
Who got hacked?
Over 8,000 wallets were targeted in the attack. Most were Solana “hot” wallets—those connected to the internet—notably, Phantom, Slope, and Trust Wallet.
How did this happen?
It is still uncertain how this happened, but it appears the attacker was able to approve transactions on behalf of victims, letting the attacker transfer funds without the owners’ consent.
Anatoly Yakovenko, cofounder of Solana, thinks the exploit is the result of a “supply chain attack,” a type of cyberattack where an attacker can access a victim’s account by targeting a third-party vendor.
In a blog post on Wednesday morning, security firm Elliptic said, “The root cause is still not clear, but it appears to be due to a flaw in certain wallet software—rather than in the Solana blockchain itself.”
Late Wednesday afternoon, Phantom tweeted that the company believes the exploits are due to “complications related to importing accounts to and from Slope,” adding that “We are still actively working to identify whether there may have been other vulnerabilities that contributed to this incident.”
In a statement, Slope confirmed that “a cohort of Slope wallets were compromised in the breach,” but hasn’t shared the cause. “We have some hypotheses as to the nature of the breach, but nothing is yet firm… We are actively conducting internal investigations and audits, working with top external security and audit groups,” Slope wrote.
Does the hack only affect Solana users?
As previously mentioned, the extent and precise nature of the attack is still not clear, but for now it appears to be affecting only those who use Solana products. However, a Trust Wallet and Slope wallet user claimed they lost USDC on Solana and Ethereum as well, so only time will tell the true impact of the exploit.
When will we know more?
Updates will be posted to https://twitter.com/SolanaStatus as they become available, the Solana Foundation’s Federa told Fortune.
Additionally, Elliptic will continue to update its blog with developments as the firm investigates.
What should crypto owners do to protect themselves?
Though there are still risks, “cold” wallets, or hardware wallets stored offline, are widely considered to be the safest option for cryptocurrency investors trying to protect their funds.
So-called hot wallets—which appear to have been the target of this latest exploit—are typically more susceptible to attack, as they’re connected to the internet rather than stored physically offline.
Experts advise moving funds from a hot wallet to a hardware wallet as soon as possible.
As the “Solana Status” account tweeted on Wednesday, “There’s no evidence hardware wallets have been impacted—and users are strongly encouraged to use hardware wallets. Do not reuse your seed phrase on a hardware wallet—create a new seed phrase. Wallets drained should be treated as compromised, and abandoned.”
This story has been updated with statements from “Solana Status,” Phantom and Slope.