
🎁 Special Edition: Solana’s $5 mn HACK

Gm, this is the doodhwala, your G-friend in the cryptoverse. In the bear market, G stands for Gareeb. 🥲

Today we cooked something special for yas! 🥘

Crypto is full of scams. And mainstream media dunno how to cover it.

They give you the headlines like:

😕 Hackers Steal About $600 Million in One of the Biggest Crypto Heists

😣 Nomad token bridge hacked in nearly $200 million exploit

😭 Fake doodhwalas mixing panni with doodh: Report

But never the deets.

At the doodhwala, we’re all about the deets.

So, we’re launching doodhwala’s Hacky House Of Horrors, where we break down the haunted side of the blockchain.

This week we explore the haunted Hacker House of Solana.

This involved:

  • $5.4 million lost

  • 8k Solana users affected

  • Multiple wallets compromised

  • An Apple-Android blame game

This week’s Hacker House of Solana is written in collaboration with Siddharth Rao, a researchooor at Buidlers Tribe.

Give him a 👋 and let him know the doodhwala sent ya

Wallets go poof

At 11PM UTC on August 3rd, crypto from various wallets on the Solana Network started to disappear.

And Jaadu had nothing to do with it.

How many wallets were drained?

Around 8000

How much total value was lost?

Just about $5.3 million (Rs 42 crore)

No one knew what was happening.

Was it a hack? Was it a bug? Or was it the ghost of Satoshi Nakamoto?

All we knew at the time was that USDC and SOL funds were being transferred to a random address.

Okay, like, so what actually happened?

At first glance, it looks like Phantom and Slope wallets were hacked.

The only common thing between the two is the Solana blockchain. 💡

Fun fact: Solana has a history of security breaches, so everyone thought this was prolly a mistake on Solana’s end.

Sounds pretty straightforward, right?

This is like me when I assume every Ram Gopal Varma movie will be 💩

Congratulations, you (and I) have fallen victim to a bias: mistaking correlation for causation.

The correlation might have fooled millions but let's dig deeper and see what might’ve caused this entire fiasco.

Adam Cochran started an investigative thread that we followed.

Many victims of the hack gave out the nature and the location of their wallet drain.

Here’s what we noticed:

One thing we can be sure of: it was definitely due to compromised private keys.

How do we know this for sure? Because all the transfers were approved by the “wallet owner”, i.e. someone who knows the private key.

None of the transfers were initiated by smart contracts; every one of them was signed by the victim’s own wallet address.

This is like someone reading your Instagram DMs because they know your password and wanna stalk their ex 👀

The liquidations of the wallets might’ve been carried out by bots, but it definitely was due to private keys being compromised.
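Here is how an incident responder would actually encode the reasoning above. This is an added example, not code from the post and not Solana RPC output: the drain records use a simplified schema we made up for this illustration (one record per outgoing transfer, with the account the funds left from, the key that authorised the move, and the keys that signed the transaction). On Solana a transfer out of a wallet or its token account has to be authorised by a signer, and that signer is either the owner key itself, a delegate the owner approved earlier, or a program that controls the account. Only the first case means somebody held the owner’s key, which is exactly the distinction the post is drawing.

```python
# Constructed drain records in a simplified schema invented for this example
# (NOT Solana RPC output). Each record is one outgoing transfer from a victim.
DRAINS = [
    {"tx": "tx-1", "victim": "VictimA", "authority": "VictimA",
     "signers": ["VictimA"], "asset": "SOL", "amount": 12.5},
    {"tx": "tx-2", "victim": "VictimB", "authority": "VictimB",
     "signers": ["VictimB"], "asset": "USDC", "amount": 800.0},
    {"tx": "tx-3", "victim": "VictimC", "authority": "VictimC",
     "signers": ["VictimC"], "asset": "SOL", "amount": 0.7},
    {"tx": "tx-4", "victim": "VictimC", "authority": "VictimC",
     "signers": ["VictimC"], "asset": "USDC", "amount": 150.0},
]

# Constructed contrast records: two patterns that move funds WITHOUT the owner's
# key. Seeing these in a drain set would point at an approval/contract problem,
# not a leaked seed phrase.
NOT_KEY_LEAKS = [
    # a delegate the owner once approved signs the token transfer
    {"tx": "tx-5", "victim": "VictimD", "authority": "SomeDelegate",
     "signers": ["SomeDelegate"], "asset": "USDC", "amount": 50.0},
    # a program-controlled account is moved by the program; no user key signs
    {"tx": "tx-6", "victim": "VictimE", "authority": "SomeProgram",
     "signers": ["RandomBot"], "asset": "SOL", "amount": 1.0},
]

OWNER_SIGNED = "owner-key-signed"
DELEGATE_SIGNED = "delegate-signed"
PROGRAM_MOVED = "program-moved"


def classify(rec):
    """Label one transfer by who authorised it.

    owner-key-signed : the victim's own key authorised AND signed -> key compromise
    delegate-signed  : a previously approved delegate signed      -> approval abuse
    program-moved    : neither; a program moved the funds          -> contract logic
    """
    if rec["authority"] == rec["victim"] and rec["victim"] in rec["signers"]:
        return OWNER_SIGNED
    if rec["authority"] in rec["signers"]:
        return DELEGATE_SIGNED
    return PROGRAM_MOVED


def summarize(records):
    """Count how many drains fall into each category."""
    counts = {}
    for rec in records:
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
    return counts


def all_owner_signed(records):
    """True when every drain was signed with the victim's own key, the post's 'clue'."""
    return all(classify(rec) == OWNER_SIGNED for rec in records)


if __name__ == "__main__":
    print("drains:", summarize(DRAINS), "-> key leak?", all_owner_signed(DRAINS))
    print("contrast:", summarize(NOT_KEY_LEAKS),
          "-> key leak?", all_owner_signed(NOT_KEY_LEAKS))
```

Run over the constructed `DRAINS` set every record comes back `owner-key-signed`, which is the situation the post describes; mix in the contrast records and `all_owner_signed` flips to false, because a delegate or a program moved those funds and the owner’s key never appeared. That single check is what lets you rule out “some contract got exploited” before you go looking for where the keys leaked.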

So, first question — how did the attackers get this data?

There are only two types of parties who know the private keys to a wallet:

  • The owner of the wallet (because duh!)

  • The wallet provider’s app (it needs the key to sign transactions and let the owner interact with the underlying chain!)

Now I’m pretty sure that 8k random users didn’t just decide to give out private keys to someone to drain their wallets and then go complain on Twitter.

This definitely had to be an attack on the wallet providers, the other party that held these keys. Most of the wallets that were compromised were Phantom wallets. (clue #1)

Tbf, Phantom immediately opened an investigation into how and why that happened.

The pattern wasn’t obvious at first. Both high- and low-balance wallets were compromised. Wallets lost:

  • only SOL

  • only stablecoins

  • SOL + stablecoins

It was later realized that the compromised Phantom wallets weren’t compromised because of anything on Phantom’s end. The same mnemonic phrase (those 12-24 words that generate the private key) had been imported into another Solana wallet provider called Slope. (clue #2)

To all the crypto newbies: you can import the same seed phrase (and therefore the same private key) into different wallet providers. It’s like having one master bank account that you can interact with through both an Axis Bank and an HDFC Bank app (yuck banks, amiright?!?)
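To see why the app you imported the phrase into makes no difference, here is an added example (not code from the post, from Phantom or from Slope) that derives a Solana signing key from a seed phrase the same way wallets do: BIP39 turns the words into a 64-byte seed, then SLIP-10 walks the ed25519 derivation path. It uses only Python’s standard library, takes the public BIP39 reference mnemonic (“abandon … about”) as constructed input, and assumes the derivation path m/44'/501'/0'/0' that Solana wallets commonly default to. The `wallet_app` parameter exists purely to make the point: it is never used.

```python
import hashlib
import hmac
import struct
import unicodedata

# Constructed input: the public BIP39 reference mnemonic and its published seed
# for passphrase "TREZOR". Never paste a real seed phrase into a script like this.
REFERENCE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                      "abandon abandon abandon abandon abandon about")
REFERENCE_PASSPHRASE = "TREZOR"
REFERENCE_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                      "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

# Assumption: path m/44'/501'/0'/0' (501 is Solana's coin type). Every level is
# hardened because SLIP-10 ed25519 only defines hardened children.
SOLANA_PATH = (44, 501, 0, 0)
HARDENED = 0x80000000


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: NFKD-normalise, then PBKDF2-HMAC-SHA512 (2048 rounds) with
    salt 'mnemonic' + passphrase. Output is the 64-byte wallet seed."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)


def slip10_master(seed: bytes):
    """SLIP-10 ed25519 master node: HMAC-SHA512 keyed with 'ed25519 seed'.
    Returns (private key, chain code)."""
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def slip10_child(key: bytes, chain_code: bytes, index: int):
    """SLIP-10 ed25519 hardened child: HMAC-SHA512(chain_code, 0x00 || key || index)."""
    data = b"\x00" + key + struct.pack(">I", index | HARDENED)
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_solana_key(mnemonic: str, passphrase: str = "", wallet_app: str = "any") -> bytes:
    """Return the 32-byte ed25519 private key at m/44'/501'/0'/0'.

    `wallet_app` is only a label (Phantom, Slope, ...). Nothing here depends on
    it: the phrase alone determines the key, whichever app you typed it into.
    """
    key, chain_code = slip10_master(mnemonic_to_seed(mnemonic, passphrase))
    for index in SOLANA_PATH:
        key, chain_code = slip10_child(key, chain_code, index)
    return key


def same_key_in_both_apps(mnemonic: str, passphrase: str = "") -> bool:
    """True when importing the phrase into two different apps yields the same key."""
    return (derive_solana_key(mnemonic, passphrase, "Phantom")
            == derive_solana_key(mnemonic, passphrase, "Slope"))


if __name__ == "__main__":
    seed = mnemonic_to_seed(REFERENCE_MNEMONIC, REFERENCE_PASSPHRASE)
    print("seed matches BIP39 reference vector:", seed.hex() == REFERENCE_SEED_HEX)
    print("same key in Phantom and Slope:", same_key_in_both_apps(REFERENCE_MNEMONIC))
    print("Solana key at m/44'/501'/0'/0':", derive_solana_key(REFERENCE_MNEMONIC).hex())
```

Two things worth noticing. First, the same 64-byte `seed` is the starting point for the Ethereum side too (BIP32 on secp256k1, a different path), which needs elliptic-curve math and is not implemented here; that is why a phrase that leaks out of one app also compromises the TrustWallet account on a completely different chain. Second, the optional BIP39 passphrase changes the seed entirely, so a phrase captured without its passphrase is not enough, but almost nobody sets one. Turning the derived private key into the public address needs ed25519, which the standard library does not provide.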

It is believed this was a breach on Slope wallet’s end, where the attackers retrieved all the private keys and drained the wallets.

So, second question — how can we be sure?

Tbh this could’ve been a coincidence. What data point actually confirms this breach?

Check out this tweet below:

This shows that the private key compromise happened on the Slope wallet.

Why?

Because the same seed phrase (mnemonic phrase) was used on the wallet provider TrustWallet (on Ethereum), and even that wallet was compromised. (clue #3)

So, the third question — why the hold up in this investigation?

The first victims to raise their hands were all iOS Phantom users. 📱

This made investigators dig into iOS docs and Phantom repositories to look for any vulnerabilities.

Toly, or T-dawg as the doodhwala calls him (co-founder of Solana), blamed iOS, suggesting the seed phrases had been compromised there because lazy users are notorious for storing their seed phrases in their notes and photo galleries.

This was quickly debunked when Android users slowly started emerging as victims of the same crime. bruh

It was pure coincidence that most Phantom users were iOS users!

Phantom and Solana jointly investigated the location of the compromise and both stand their ground in blaming Slope wallet for this entire debacle.

A lot of us fell for the correlations that:

  • It was Solana’s fault because: Hey! It has a bad security track record!

  • It was Phantom’s fault because Phantom wallets were hacked!

  • It was iOS’s fault because the initial victims who came out all had iPhones!

The attackers started dumping $SOL and created further FUD for other $SOL hodlers amid this screw-up and it hurt the price of Solana bad!

SOL crashed by 17% after this whoopsie, losing about $2 billion in market cap. That’s just Rs 16,000 crore, so nbd.

So, what can we learn from this?

Scams suck, but we can learn from them and ofc laugh about them.

We’ve already given you the giggles up top. So, let’s look at the learnings:

  • Sometimes it ain’t users’ fault. Shit can happen.

  • If you don’t wanna hold onto funds, keep them secure in cold wallets

  • If you want insurance against such attacks, use custodial wallets that provide insurance (although there’s no guarantee they won’t be compromised)

  • Don’t use random wallets you haven’t researched yourself

  • Continue reading the doodhwala for suraksha tips

If you want more doodh alpha, be sure to follow us on Twitter (@DoodhwalaDaily)

That’s all for today bhaiyo aur bheno! Naale Sigona!

Yo! Our legal and financial advisors (aka our good ol’ conscience) have asked us to add this boring disclaimer.

None of what you read here is financial advice. We aren’t here to get you to buy or sell a crypto. We’re only here to tell you what’s up in crypto today and make you laugh. So, if you screwed up on a trade, that’s on you G. Stay safe in the markets.