Last week, millions of dollars were hacked from Solana’s SOL/USD ecosystem. While its blockchain wasn’t hacked directly, hackers were able to drain funds from Solana wallets.
It’s still unclear exactly how the hackers were able to access the funds, but it appears that they were able to do so by uncovering users’ private keys. Private keys are stored by users to keep their digital assets secure and the keys give access to send and use these digital assets.
What Happened: Benzinga chatted with Polkadot DOT/USD Ambassador Bryan Chen about the Solana wallet hack and how to prevent hacks like this from happening. Chen is also the founder of the Acala Network, which is part of Polkadot.
One unique aspect about Polkadot is Kusama, its financially driven network that acts similarly to a testnet before going live on Polkadot’s mainnet.
Chen explained what happened to Solana. “The full picture of this is still not clear. This is a private key leaking issue instead of a smart contract or protocol bug. Exploiters were able to use stolen private keys to generate valid transactions to transfer assets from the victim’s accounts,” Chen said.
“People have identified that Slope is leaking user seed phrases in plaintext to external analytic services which are responsible for around 30% of the stolen accounts. How the remaining ones are still being exploited is an unsolved mystery. People are suspecting this could be related to insecure upstream dependencies used by mobile wallets.”
Hiro Systems Chief Technology Officer Diwaker Gupta added some context. Gupta leads the development of Hiro, a developer tooling kit to build apps on Bitcoin’s BTC/USD blockchain.
Gupta said other Solana wallets may be affected by the hack if the same private keys were used.
“What’s known so far is that the Slope wallet was logging public keys that made their way into a third-party system (Sentry). Someone likely got access to those logs and started draining the wallets,” said Gupta. “If folks used those same keys on other wallets — for example, Phantom — those wallets were also at risk. What’s not clear is exactly how someone got access to those logs.
“It’s also not clear what the full extent of the attack is. For example, it’s possible there are compromised keys that haven’t been used yet.”
Both Chen and Gupta asserted the importance of open source code, especially when it comes to owning digital assets in this new landscape. Gupta emphasized that Web3 is about eliminating trust, yet trust is necessary if code isn’t readily available to audit.
“Neither Slope nor Phantom are open-source. It’s impossible to prove, but it’s fair to say that had the code been open, it’s highly unlikely such a bad logging practice could have made it into production; and even if it did, it would have been diagnosed and fixed much much faster,” Gupta said.
“More generally, if you’re going to entrust your assets to some piece of code, wouldn’t you want to know what it does, in a way that can be independently verified by anyone, rather than relying on some opaque entity saying ‘trust us’?”
Chen then clarified how hacks like this can be avoided in the future. He explained the importance of open source wallets, something that’s common practice on both Polkadot and Ethereum ETH/USD.
“There are multiple things that could have been done to avoid this issue,” Chen said. “Firstly is having an open source wallet application. This would allow everyone including security researchers and users to examine the application’s source code to check if it is secure amd safe.”
Chen added: “Web3 is about trust but verification is the important part. People need to question any closed source project that is claiming to be decentralized because that’s simply impossible. It is very hard for non-technical people to actually verify some technical aspect of an application or a protocol.
“One of the reasons why it took so long to identify the root cause of this exploit is because the Slope wallet is not open source, so researchers require a lot of time to reverse engineer the wallet application to identify issues.”
Wallet Improvements: Chen touched on how the wallets could have been improved to mitigate the risks of hacks happening. He also mentioned the importance of using a cryptocurrency hardware wallet. Hardware wallets store private keys offline, adding a layer of security software wallets can’t provide.
“Last but not least, people need to use hardware wallets when handling significant amounts of funds. Hardware wallets are one of the most cost-effective investments to increase the operational security of crypto accounts,” Chen said. Gupta echoed this sentiment.
Polkadot and Kusama — How They Work: Chen talked about the architecture of Polkadot and Kusama, and how the Kusama network helps mitigate the risk of something like this happening on Polkadot.
“In this particular case, the bug exists on wallets instead of the blockchain or smart contracts. The network doesn’t really make too much of a difference here, but people are expecting applications to be deployed for Kusama first and then brought to Polkadot after, once it is proven secure and safe,” Chen said.
“Users are less likely to put their life savings into new applications on Polkadot unless they know it is battle-tested on Kusama first. In this case, technically capable people should be responsible for helping with education and sharing their findings. In this way, we can help raise the quality of this industry and hopefully reduce the number of critical bugs.”
Blockchain Trade-offs: Gupta also brought to light the trade-offs when it comes to using different blockchains. Although “next generation” blockchains have greater transaction throughput and quick speeds, they often sacrifice decentralization and security in order to provide these benefits.
“This incident is just another reminder that it’s important to carefully consider the trade-offs that are sometimes at odds with one another: security/decentralization versus speed/convenience,” Gupta said. “For instance, on Stacks, all contract sources are published on-chain. We’ve heard first-hand from developers how that puts pressure on them to write better quality code, and also makes it easier for them to learn from proven contracts, best practices and design patterns.”