The Blockchain Newsletter #11

Solana Wallet Hack Explained

The Solana crypto community was rocked earlier this week by what appeared to be an unsolvable hack that stole about $4.5 million in SOL from the wallets of thousands of users. According to an initial estimate by the MistTrack team, 8,000 wallets were affected, and the money from those wallets was being transferred to four addresses that belonged to the alleged perpetrators. It was estimated that 15,200 Solana wallets were affected.

The MistTrack team also calculated that the total losses could have reached $580 million if the calculations took into account the value of a mysterious token called EXIST that was also taken by the hacker.

Early on in the exploit, the PeckShield team had identified a supply chain problem affecting some Solana wallets as the most likely culprit. They continued by mentioning TrustWallet and Slope Wallet as potential victims. They concluded from their analysis that the attacker had discovered or stolen the private keys belonging to users of particular Solana wallets.

@0xfoobar, a member of the crypto and DeFi communities, also focused the issue on a supply chain problem that exposed private keys. He discovered that users of the Phantom and Slope wallets who had not used them in over six months were impacted by the hack. He advised Solana owners to move their money to a hardware wallet or a crypto exchange wallet since those wallets didn’t appear to be impacted by the issue.

Through their respective CEOs, Binance, OKX, and KuCoin cryptocurrency exchanges also advised Solana holders to move their SOL to the three platforms for security while the issue’s root cause was being looked into.

Engineers from Solana investigated the problem as well. They came to the conclusion that the issue wasn’t a flaw in the Solana core code, but rather a flaw in the software utilized by well-known third-party SOL wallets. They advised Solana owners to move their SOL to hardware wallets because those devices didn’t appear to be impacted by the bug.

What Went?Wrong?

Numerous answers started to emerge as investigations to identify the problem’s primary cause got more intense. First, the OtterSec team independently verified that users of Slope Wallet were impacted. Slope’s mobile app transmits private key mnemonics from their investigations to their central Sentry server using TLS. The mnemonics are then saved in plain text, making users’ private keys accessible to anyone with access to their Sentry server.

Second, Solana engineers discovered that Slope Wallet users’ funds were compromised as a result of the private key information being somehow transferred to an application monitoring service. Thirdly, the wallet’s developer, Slope Finance, explained in a Twitter statement that they had eliminated the server-side logging that might have allowed access to their Sentry server. They came to the conclusion that 1,444 of the 9,233 wallets affected by this weakness could be identified.

What Was At?Stake?

The exploit, though, might not have been exclusive to wallets built on the Solana platform. Adam Cochran, a partner at Cinneamhain Ventures, asserts that users of the Trust Wallet who had assets based on Ethereum might also have been impacted. However, given that MetaMask is the preferred wallet for the majority of Ethereum users, their numbers were noticeably low.

In order to help with the investigations, he urged any Ethereum user who may have lost money as a result of the hack to get in touch with him right away.

Some Solana White-hat Hackers Fought?Back.

They deployed a script that would try and ‘write-lock’ the attacker’s accounts, slowing their transactions down’. The method slowed down the attacker, but it resulted in several Solana RPC servers crashing.

According to the Slope wallet team, they are “still actively diagnosing” the problem and “committed to publishing a full post-mortem, earning back your trust, and making this as right as we can.” The Solana team also stated that “engineers from across several ecosystems, in collaboration with audit and security firms, continue to investigate the root cause of an incident that resulted in the draining of approximately 8,000 wallets.”

Slope advises its users to transfer money to a fresh wallet, which they should create with a new seed phrase. Hardware wallets, which have not been impacted by the hack, are also advised for keeping assets secure in the face of the potential persistence of the exploit situation.

Instagram Expands NFT Initiative To 100 Countries, Includes Flow Blockchain

Meta announced that Instagram is expanding its NFT initiative to more than 100 countries and adding support for NFTs made on the Flow blockchain. As a result, the FLOW token is currently pumping. According to data from CoinGecko, FLOW has increased by almost 44 percent in the last few days, with almost all of that increase occurring since Meta’s announcement this morning.

Thanks to Instagram’s growing integration, collectors can now display their verified Flow NFTs on their Meta account. The initiative was first made available to a small group of users in the United States in May, and it has since been made available to nations in Asia, Africa, and the Middle East as well. The feature enables users to choose which NFT collectibles to display and connects a supported crypto wallet to prove ownership of those items, with the owner and original creator of the item being automatically credited alongside it.

Tinder To Abandon Its Metaverse Entry?Strategy

The parent company of the widely used dating app Tinder, Match Group, has made the corporate decision to temporarily stop investing in the metaverse and digital token industries.

In a publicly released Q2 letter to shareholders, Bernard Kim, the newly appointed CEO of Match Group, acknowledged that a “metaverse dating experience” has the potential to “capture the next generation of users”?, but he cited concerns about its usability and adoption rate as reasons for retreating to reflect at this time.

XRP, SOL, and ADA Withdrawals Will Once Again Be Accepted by Zipmex for Z?Wallet

In its Z Wallet, Zipmex is re-enabling withdrawals for all user funds, but only for a small number of alternative coins. The South Asian cryptocurrency exchange said it will make available all user SOL balances today, all user XRP balances on Thursday, and all user ADA balances on August 9 in a detailed statement released on Tuesday.

The three assets were “unaffected” by Zipmex’s liquidity crisis last month despite being among the top 10 cryptocurrencies by market cap right now. When customers will be able to access market-dominating assets like Bitcoin, Ethereum, and stablecoins, on the other hand, is still unknown.

Robinhood Fined $30M by New York Regulators

The New York Department of Financial Services has fined Robinhood Crypto $30 million. After conducting an investigation, the department came to the conclusion that the company had not adhered to its obligations regarding anti-money laundering and proper cybersecurity measures. The department’s rules for virtual currency, money transmitters, transaction monitoring, and cybersecurity were found to be broken by Robinhood Crypto.

In addition to paying the fine, Robinhood Crypto will also be required to hire a third party consultant to assess its compliance with state laws, the regulator said in a statement. The business was also criticized for not listing a specific phone number on its website that allowed users to file complaints.

The Waves Community may return $500 million in lost DeFi?funds

Following the depegging of the Waves stablecoin USDN back in April, the Waves community has decided to restart the non-custodial lending protocol “Vires Finance.” At that time, the dollar-pegged cryptocurrency lost millions of dollars in value for its owners when it dropped as low as $0.68.

Investors were unable to remove their money from the Vires as the contagion spread to Waves and Vires.Finance. $500 million was lost thanks to Finance, a lending platform similar to Aave or Compound. By passing a vote and launching the so-called DeFi Revival Plan, governance token holders hope to revive Vires Finance and recover lost funds.