Is it safe to use Solana?

It is not suddenly less safe to use Solana despite the recent bad press it has received. This blog post will explain why.

Humans have always had a predilection for symbology; the most ancient symbols could be described as the earliest memes. Cryptocurrency markets richly reward those who can predict which symbols and memes will be popular and when. There are many millionaires walking this planet today whose life changing investment thesis was “dog coins good”, executed at an opportune moment. Symbols of the sun and the moon have always been popular, so it was probably inevitable that a sun coin (Solana) and a moon coin (Luna) rose in the market capitalization ranks so quickly.

More seriously, Solana is a blockchain that emphasizes transaction throughput above everything else. Due to its fast transaction confirmations and cheap transaction fees, it has attracted one of the larger user bases amongst major blockchains. With the implicit and explicit backing of FTX Exchange, Alameda Research, and Jump Crypto, Solana was even able to negotiate integration of its blockchain into major platforms like Instagram and Opensea.

As markets corrected in 2022, Luna imploded spectacularly [JS1] and Solana has been the subject of a steady drip of negative headlines. Network congestion events, during which the Solana blockchain is unusable, are somewhat frequent and can last for hours. We also recently learned that a single developer created nearly a dozen different DeFi protocols on Solana under different assumed identities, in a scheme to rehypothecate and artificially pump-up Solana’s total value locked (TVL) metric by billions of dollars.[1]

These are relatively minor incidents in comparison to the nightmare scenario that began August 2nd, in which thousands of Solana users suddenly had their balances drained en masse. Even addresses that had never interacted with a smart contract were drained, leaving many wondering if Solana private keys had somehow been compromised. So far, more than 9000 addresses have been affected and the attackers had absconded with more than $6mn USD worth of tokens.[2]

It is still not 100% clear what happened yet, but there are enough details available to write this blog post and confirm that it is safe to use Solana because this mass exploit happened at the app level, while the Solana blockchain operated as intended throughout.

The app at the center of the scandal is Slope, a Solana wallet app used to manage addresses that can send and receive crypto. Users would create a new seed phrase, a set of words used to generate and prove ownership of cryptocurrency addresses, or import an existing seed phrase into the Slope app to get started using it. When the Slope app later phoned home to company servers, it included this seed phrase in plain text format in the messages; this is one of the most embarrassing security flaws a crypto wallet provider could expose its users to. Independent testers were able to recreate the issue and see the seed phrases being delivered in plain text in the message payload. [3]

What has so far been confirmed is that at least some of breaches were due to these seed phrases being stored in plain text on servers.  We presume that current investigation involves who had access to these servers and how the other 7779 addresses were drained.[4]

The initial recovery strategy of the Slope team was to ask the attacker(s) to return the funds and retain a 10% bounty:[5]

The deadline has passed and none of the money has been returned but the address has been sent multiple NFTs of questionable value.[6]

The Slope team has not yet provided a conclusion or breakdown of what has happened, presumably because they are still investigating. No other apps appear to be affected, unless the seed phrase imported to it was originally generated with the Slope app. If you have funds stored on addresses linked to a seed phrase created in the Slope app, immediately create a new seed phrase with a different app and send all funds to new addresses generated with it.

Solana is not suddenly less safe to use after this event. Seed phrase data from an app was exploited, which is not a Solana-specific issue. In any case, the safest option to store your cryptoassets is generally on a hardware wallet or with a regulated custody provider. Only keep small amounts that you are willing to lose on mobile wallets like Slope or Phantom.

[1] https://www.coindesk.com/layer2/2022/08/04/master-of-anons-how-a-crypto-developer-faked-a-defi-ecosystem/

[2] https://dune.com/tristan0x/solana-hack-3822  

[3] https://twitter.com/0xfoobar/status/1554928011669118976

[4] https://twitter.com/slope_finance/status/1555100731706949639          

[5] https://twitter.com/slope_finance/status/1555653747077877760          

[6] https://solscan.io/account/DyQ96GwjkHkGSzYEB4NaPk2NxsXyRTMNHKJQd3fziABf