There is an Active Drain Attack on Solana Right Now

There is currently widespread news of a large number of Solana wallets being drained due to unauthorized access.

The alleged attack targets any wallet that may have been connected to a dApp. According to CompendiumFi, it is recommended to disconnect your wallet from any dApp for now (time of writing: 29/03/2024 13:18 GMT).

Although the source of the attack is still to be identified, the current narrative points to BONKbot, a Telegram bot capable of executing trades on the Solana network, as the catalyst of the exploit. Developers associated with the project have denied any accusations, while admitting that the “exploits” have indeed surfaced within the broader ecosystem.

Although BONKbot denies that the breach originated with them, they mentioned something very interesting in their tweet.

BONK stated that the exploited wallets appear to belong to users who had previously exported their private keys. Another user in the thread made a very good remark: BONK may at some point have stored this export in plain text, giving an attacker easy access to a whole list of private keys.
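As an added illustration of the plaintext-export concern above (not code from BONKbot, any wallet vendor, or the original article), this defensive scanner flags Solana secret keys left in text such as logs or export files. It assumes the two common export encodings, a 64-byte JSON array and a base58 string, and confirms each candidate by re-deriving the Ed25519 public key, so other 64-byte values such as transaction signatures are not reported; all names are hypothetical.

```python
import hashlib, re
# Added example. Assumed key encodings: 64-byte JSON array or base58 string.
P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
GY = 4 * pow(5, P - 2, P) % P  # Ed25519 base point: y = 4/5, x recovered below
_x2 = (GY * GY - 1) * pow(D * GY * GY + 1, P - 2, P) % P
GX = pow(_x2, (P + 3) // 8, P)
GX = GX * pow(2, (P - 1) // 4, P) % P if (GX * GX - _x2) % P else GX
GX = P - GX if GX & 1 else GX
NUM = r"\s*(?:25[0-5]|2[0-4]\d|1?\d?\d)\s*"  # one byte value, 0-255
CANDIDATE = re.compile(r"\[(?:%s,){63}%s\]|\b[1-9A-HJ-NP-Za-km-z]{86,88}\b" % (NUM, NUM))

def _add(a, b):  # point addition in extended coordinates (X, Y, Z, T)
    A, B = (a[1] - a[0]) * (b[1] - b[0]) % P, (a[1] + a[0]) * (b[1] + b[0]) % P
    C, E = 2 * a[3] * b[3] * D % P, 2 * a[2] * b[2] % P
    return ((B - A) * (E - C) % P, (E + C) * (B + A) % P,
            (E - C) * (E + C) % P, (B - A) * (B + A) % P)

def public_key(seed):  # RFC 8032 public key derivation from a 32-byte seed
    a = int.from_bytes(hashlib.sha512(seed).digest()[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)
    q, g = (0, 1, 1, 0), (GX, GY, 1, GX * GY % P)
    while a:
        q = _add(q, g) if a & 1 else q
        g, a = _add(g, g), a >> 1
    zinv = pow(q[2], P - 2, P)
    x, y = q[0] * zinv % P, q[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def b58decode(s):  # decode a candidate string to exactly 64 bytes, else b""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    return n.to_bytes(64, "big") if n < 1 << 512 else b""

def find_plaintext_keys(text):  # -> [(offset, public key hex)] for verified keys
    hits = []
    for m in CANDIDATE.finditer(text):
        tok = m.group()
        raw = bytes(map(int, re.findall(r"\d+", tok))) if tok[0] == "[" else b58decode(tok)
        if len(raw) == 64 and public_key(raw[:32]) == raw[32:]:
            hits.append((m.start(), raw[32:].hex()))
    return hits

# Constructed sample: RFC 8032 test vector 1 as a keypair, plus a non-key 64-byte array.
KEYPAIR = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60"
                        "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
SAMPLE = "exported key=%s\nsig=%s\n" % (list(KEYPAIR), list(KEYPAIR[:32] * 2))
```

Calling `find_plaintext_keys(SAMPLE)` reports only the first array; any real hit means the corresponding wallet should be treated as compromised and its funds moved to a fresh key.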

The issue with this kind of widespread attack is that it is very difficult to find a root cause for it. A similar incident in August 2022 saw over 8000 Solana wallets drained, with over $8 million stolen from these wallets.

To this day, the cause of the August 2022 attack remains unclear, but industry leaders including Emin Gün Sirer, founder of Avalanche, pointed out that the transactions were properly signed, meaning the vulnerability could be a supply chain attack.

That in and of itself is very vague and can mean a number of different things. A supply chain attack is what you call it when one of your dependencies, or other code you rely on, has a vulnerability or has been exploited. This refers to software that is built around Solana or the blockchain, and not an issue with the blockchain itself.

Some pointed out at the time that it could have been a wallet software vulnerability which allowed wallets to be drained at will. But where exactly in the wallet’s codebase that would happen is anyone’s guess. It could have been an innocuous GitHub dependency bump exploit, or anywhere else under the sun.

The fact that supply chain attacks happen just means that wallet software companies need to do a better job of keeping their code safe and secure, and of ensuring that GitHub is not used as an attack vector, especially in DAOs or open source projects where everyone can contribute.

The August 2022 attack targeted Phantom, Slope and Trust Wallet users. None of these companies believe it to be “company specific”, which is corporate speak for “yeah, we used a dependency that was exploited — not our fault”.

And while that’s true to some extent, you had better make sure you audit any dependency that has the capacity to access and read private keys.

I’ll update this article as I find out more about the current Solana hack, so check back in, in a few hours or so.

And remember, revoke wallet access for all dApps for now. Stay safe.
