A supply chain attack recently struck the Solana ecosystem, and while it was contained about as quickly as possible, some users were left out of pocket. On 3 December, the attack on @solana/web3.js, a JavaScript library, allowed a malicious code injection that stole private key data from users interacting with decentralized apps (dApps).
Anza, a Solana-focused developer team, first discovered the breach, noting that an account with publish access to the library had been compromised. The attacker used that access to publish unauthorized, malicious packages that would steal private key information, allowing the attacker to drain funds from affected dApps.
Solana Attack Did Not Affect Non-Custodial Wallets
The attack did not, however, affect non-custodial wallets, i.e., those that do not provide private keys in transactions. Developers explain that the issue pertains to the JavaScript client library and not the underlying Solana protocol itself, but people have already expressed concern about whether it indicates a glaring security flaw.
Mert Mumtaz, a staunch Solana supporter, told his community that the attack had been shut down quickly. He added that the case was not related to the security of the Solana blockchain. “What happened really only impacted developers who were able to update their systems within some sufficiently narrow time span,” Mumtaz explained, “as those which use, for instance, JavaScript bots or those that rely on private keys behind their backend systems.”
Major Solana-based projects do not seem to have been targeted by the attack. Phantom, the most popular Solana wallet, informed us that it has never used the compromised @solana/web3.js versions, so Phantom users are safe. According to the Backpack exchange, the exploit did not impact its platform.
However, some investors still lost a considerable amount. Pseudonymous DeFiLlama developer 0xngmi told Cointelegraph that, based on on-chain data, the attack led to the loss of some $160,000 in assets, almost entirely in SOL. In addition to SOL and other tokens worth over $161,000, a linked address held by the attacker contained more than $31,000 in other tokens.
While the losses are noticeable, 0xngmi believes the damage could have been much worse. More destructive than other recent high-profile attacks on private key holdings, including last year’s Ledger hardware wallet breach, the attack was specifically directed at rendering private keys useless. In that incident, attackers swapped out a library for an infected version, and more than $610,000 was lost.
The Solana community needs to recover from this attack, and we urge users to be cautious when updating their systems and always use verified versions of the @solana/web3.js library.
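An added example (not from the original article or the @solana/web3.js project) of checking which copies of the library a project's lockfile actually pins, following the advice above to use verified versions. The lockfile contents, the `example-bot` package and the blocked version string are constructed placeholders; real blocked versions come from the maintainers' advisory.

```javascript
// Added example: audit a parsed package-lock.json (v2/v3 "packages" layout).
// All data here is constructed; BLOCKED holds a placeholder, to be replaced
// with the versions named in the maintainers' advisory.
const PKG = "@solana/web3.js";
const BLOCKED = ["0.0.0-blocked-placeholder"];

// Return every installed copy, including copies nested under other packages.
function findInstalls(lock, pkgName) {
  const suffix = "node_modules/" + pkgName;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, ...meta }));
}

function auditLockfile(lock, pkgName, blockedVersions) {
  const findings = [];
  for (const inst of findInstalls(lock, pkgName)) {
    if (blockedVersions.includes(inst.version))
      findings.push({ path: inst.path, issue: "blocked-version" });
    if (!/^sha512-/.test(inst.integrity || ""))
      findings.push({ path: inst.path, issue: "no-sha512-integrity" });
    // Assumption: this project installs only from the public npm registry.
    if (!(inst.resolved || "").startsWith("https://registry.npmjs.org/"))
      findings.push({ path: inst.path, issue: "unexpected-source" });
  }
  return findings;
}
// Anything other than an exact version (^1.2.3, ~1.2.3, "latest") lets an
// install without a lockfile resolve to a newly published release.
function isFloatingRange(spec) {
  return !/^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

const SAMPLE_LOCK = {            // constructed sample
  packages: {
    "": { dependencies: { [PKG]: "^9.9.9" } },
    "node_modules/@solana/web3.js": {
      version: "9.9.9",
      resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-9.9.9.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/example-bot/node_modules/@solana/web3.js": {
      version: "0.0.0-blocked-placeholder",
      resolved: "https://registry.npmjs.org/@solana/web3.js/-/web3.js-0.0.0-blocked-placeholder.tgz",
    },
  },
};
for (const f of auditLockfile(SAMPLE_LOCK, PKG, BLOCKED)) console.log(f.issue, f.path);
```

Installing with `npm ci` rather than `npm install` keeps the installed tree to what the lockfile pins.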