Solana exploit. How to protect your SOL and USDC

As we’ve written earlier, 8,000 user wallets have been robbed for an average of $1000 each.

So, if your SOL and USDC are still on your balance, it’s not your doing – it’s the hackers’ fault. Just kidding, but as we all know, there is truth in every joke. Now, while Solana and white hat hackers collaborate with hacked wallet teams to find vulnerabilities, it makes sense to think about your cybersecurity again.

Let’s try to solve this non-trivial problem with a simple “Given-Find-Solution” scheme. All we need to do is to be sure we know the parameters (“Given”) and to have a clear idea of what result we are interested in (“Find”).

Given:

“a” = Users were robbed in a very brutal way. They didn’t sign anything, didn’t go to phishing sites, and didn’t do any activity. Many of them were sleeping peacefully. That said, the transactions were done, and the blockchain records were legitimate.

“b” = It is already established that no direct hacking of Solana/Ethereum blockchains occurred.

“c” = Some iOS/Android mobile wallets were hacked. For example, hardware wallets like Ledger retained assets. Accounts on centralized exchanges (like FTX or WhiteBIT) were also safe.

“d” = All affected wallets were not active in the last 6 months (that is, it affected HODL’ers and not some noobs). 

“e” = Preliminary investigation showed that the libraries of the corresponding wallets on Github may have been compromised.

“f” = “crypto is not a scam”. We’re not yet ready to become disillusioned with technology in order to go off to grind a blank in a factory and hoard cut-up paper with portraits of dead people for the rest of our lives, which will, in all likelihood, also depreciate.

Find:

A plan where our SOLs and USDCs are always in the place we last put them, regardless of whether the hacker repeats his maneuver.

Solution:

Assuming the hacker repeats his algorithm (and why not repeat it if you’re not in jail yet, there’s $8 million at stake, and you’ve done it before?), the conclusions are as follows:

1. You must move your funds to a place that is known to be safe. As we already know, these can be hardware vaults or secure custodial wallets like blockchain.com wallet.

2. Given that the problem is specific to mobile apps, you should consider switching to browser-based versions of wallets with two-factor authentication.

3. It makes sense to cancel all the automatic confirmations (“ticks”) that you may have recklessly put in any DApps on your phone.

4. HODL is a serious and long-term project that doesn’t go with storage on a smartphone that can freeze, crash, and get lost.

Update

All the teams whose users were affected by the exploit (Solana Labs, Slope, Phantom, Trust Wallet) and several public blockchain engineers have issued their investigations. The only version that remains tentatively proven is a problem on the Slope wallet side.

“The compromised addresses were generated, imported, or used specifically in Slope’s mobile wallet.”

Slope developers have recommended that users immediately transfer the remaining funds to new wallets, making sure to change the seed phrase. However, will this change anything if it is proven that the user’s seed phrases were stored on the wallet’s server? The question is rhetorical.