A massive hack targets a wallet on the Solana blockchain

Solana’s blockchain was targeted by a major hack during the night of Tuesday to Wednesday. The weak link is called Slope, a Solana-compatible mobile cryptocurrency wallet that also offers a browser extension for accessing decentralized blockchain applications. At this time, according to estimates, about 8,000 wallets have been drained, for a haul worth between 5 and 6 million dollars.

The mobile wallet is at the heart of the hack

The exact vulnerability has not yet been identified, but it appears that Solana’s blockchain code is not the culprit. Rather, it is the private keys of the compromised Slope wallets (wallets that had been inactive for more than six months, it seems) that appear to have been transferred to a third party.

To understand the extent of this hack, let’s go back to how a cryptocurrency wallet works. It is software that stores a user’s public key and private key, the two elements that allow transactions to be carried out on a blockchain: sending and receiving. These keys take the form of fairly long alphanumeric sequences that are difficult to memorize, which is why they are stored rather than memorized. The public key is the one shared during a transaction, a bit like bank account details (a RIB). The private key is the one that acts as a signature or personal identification and must in no case be transmitted to third parties.

Private keys that should be protected

Slope is an application that in cryptocurrency jargon is called a “non-custodial wallet”, meaning that the private key is not stored by the software, unlike the “custodial wallets” offered, for example, by the main cryptocurrency markets, which store the user’s private key. The custodial approach is simpler but considered less secure. The prevailing adage in the world of cryptocurrencies is that if you don’t have your private key, you don’t have your cryptocurrencies.

A priori, we can therefore assume that the private keys were safe on Slope. But there is another distinguishing criterion between the different types of wallets: the distinction between “hot” wallets, which are connected to the Internet, and “cold” wallets, which are not permanently online. Slope is a “hot wallet” and as such it is still vulnerable. In any case, the private keys appear to have ended up in the hands of the cybercriminals.

This hack is a good advertisement for “cold” hardware wallets, such as Ledger. It is also a reminder of how complex it is to carry out transactions on the blockchain, if only to know what kind of wallet to use.
