Following an intense 24-hour period, security researchers and Solana Labs engineers have linked the recent hack of specific Solana-based wallets to a critical bug in one wallet service provider. Slope Finance developers mistakenly shipped a code that allowed user-generated seedphrases to be transferred to a malicious actor in plain text.
After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. 1/2
— Solana Status (@SolanaStatus) August 3, 2022
The hack had targeted private keys associated with the Solana ecosystem, with breached wallets automatically signing transactions without user authorization. The hackers transferred users’ SOL and USDC assets.
Although certain users of other wallets such as Phantom, Trust Wallet, and Solflare were also affected, the findings suggested that this category of users had either created or passed their seedphrase through Slope Finance at some point.
Solana’s team clarified that the attack did not impact the underlying network, as it remained fully functional throughout the incident. An estimated 7950 wallets were drained, netting the hacker(s) approximately $6 million in illicit profit.
Web3 Security Risks Persist
The latest Solana wallet news hack comes less than 24 hours after hackers drained cross-chain protocol Nomad Bridge of nearly $200 million. Industry observers agree that the prevalence of these security risks undermines public interest in the Web3 experiment and could potentially dampen investor appetite. However, these incidents provide an opportunity for the industry to address such security risks on the path to mainstream adoption.
For instance, the Solana Slope wallet hack has been strongly linked to the closed-source nature of the project’s codebase. Such incidents are avoidable if Web3 projects commit to open-source development. Meanwhile, users can also add a strong layer of security by using secure hardware wallets that store private keys offline.