Solana Wallet Exploit Drains Funds From Users

Around 5 p.m. Pacific Time Tuesday, Tweets started surfacing about Solana wallets being drained of small amounts of SOL, Solana’s cryptocurrency. Over the last 24 hours, more details have emerged, but it’s still not entirely clear what happened or how widespread the underlying issue might be. Below I outline the details of what’s known so far.

The good news is that this does not appear to be an exploit of the Solana Protocol itself. A number of sources are pointing to an exploit of the Slope mobile wallet. Wednesday, the Twitter account for Solana NFT rarity service MoonRank shared a screenshot of log data that appears to contain the mnemonic seed phrase for a Slope Finance wallet being sent in the clear.

The exploit is impacting users of Slope and Phantom wallets. A survey of users by the Solana Foundation as part of the security war room put the number at ~60% Phantom wallets and 40% Slope wallets, according to a tweet from Solana Foundation Head of Communications Austin Federa.

We spun up a Typeform to collect data and the results were clear – of those drained ~60% were Phantom users and 40% Slope users. But after extensive interviews and requests to the community, we couldn’t find a single Phantom-forever user who had their wallet drained

— Austin Federa | sms (@Austin_Federa) August 3, 2022

If you’ve never interacted with Slope Finance, there should be a very low likelihood that you are at risk from this particular exploit. A number of the reports where Phantom wallet users are impacted are due to transferring wallets between services. There were additional confirmed reports of ETH being drained, which according to another tweet in the thread from Federa, was due to some users using the Solana BIP39 seed phrase on Ethereum in addition to Solana.

Slope Finance issued a formal statement on its Medium blog Wednesday in which stated “A cohort of Slope wallets were compromised in the breach.” Company execs have some hypotheses about the breach but have not confirmed anything yet.

Slope recommends users create a new wallet with a unique seed phrase and to transfer all assets to this new wallet. It doesn’t say you should create this wallet with another service, but I would feel hesitant to use a Slope wallet when its official statement says nothing about the breach being resolved.

Some Lessons Learned

This is a good reminder not to reuse a seed phrase for multiple wallets. It also points to some of the challenges in balancing the desire for better user experience via software wallets against the increased risk of exploiting those wallets.

A hardware wallet protects against this type of exploit because the seed phrase for a hardware wallet does not get sent anywhere online unless you make the mistake of storing it somewhere like iCloud or another cloud storage service.

If the screenshot from MoonRank proves to be documentation of the exploit, it’s a good reminder to beef up your code review processes (probably a good reminder even if this isn’t the specific exploit in this case).

Screen capture from MoonRankNFT.

While it’s financially damaging for some folks and definitely frustrating, if there’s a silver lining here it’s that the Solana community rallied quickly to identify a significant problem and collaborated on resolving it rather than sitting back and pointing fingers at whoever appeared to be to blame.