Phantom wallet is safe, despite speculations it may have been compromised as part of a Solana supply chain attack. Solana users were exposed after malicious code was injected into a Web3 JS library for Solana.
Phantom wallet announced that it was not affected by the Solana supply chain attack, which was discovered in one of the open-source Web3 libraries. The wallet did not report any exploits on its side, although an unknown number of users may have been affected. The wallet itself does not use any of the compromised versions.
Phantom is not impacted by this vulnerability.
Our Security Team confirms that we have never used the exploited versions of @solana/web3.js https://t.co/9wHZ4cnwa1
— Phantom (@phantom) December 3, 2024
Solana builders and users may have been exposed to two malicious versions of web3.js, 1.95.6 and 1.96.7. The earlier version is safe, as well as an upgrade to version 1.95.8.
The attack was noticed on December 2 and it affected apps, bots, and custodial services. The widely used library contained code that requested and broadcast private keys, thus compromising user wallets.
Based on the records of the Anza development firm, the account was exposed for around 5 hours on December 2, which limited the number of potential downloads during that time window.
The suspected versions were immediately unpublished, but apps and projects may have their multisig or other credentials exposed.
For now, there is no data about any major Solana apps or accounts changing their wallets or storage. The last transaction to the exploiter wallet was from December 3, further suggesting the exploit affected a limited number of users.
In the meantime, one of the identified wallets is moving funds to a new account with a high balance of SOL and other assets, including Jupiter (JUP). The new account has been identified as a high-balance wallet by Nansen. None of the proceeds from the hack have been traded or disguised, as with other hacks.
Limited gains from Solana wallets drained in exploit
While far-reaching, the attack did not seem to affect high-value wallets. The identified exploiter wallet withdrew around $160K in SOL and nine tokens valued at $31,300. The attacker ended up testing wallets with billions of transaction requests, suggesting there may be many more unknown affected wallets.
One of the reasons for the limited exploit haul is that the Solana network still has more than 35% failure rate for its transactions. However, the attempts suggest the exploiter may have gained more private keys through exposed apps.
The attack happened through a social engineering attack, which allowed the malicious actors to gain access to the web3.js library depository. Reportedly, the project’s builders received a phishing link where the attackers requested and gained access. The malicious dataset has been flagged and is available for researchers through GitHub.
Supply chain attacks emerged in the past year, with Lottie player also used as a vector to gain access to wallets. However, a direct targeting of private keys is a more rare type of attack. In the case of Solana apps, the exploiter managed to obtain private keys since some apps also required the same information for legitimate purposes.
While most Solana apps have proven safe, the recent influx of new retail users is exposing some of the potential vulnerabilities.
Responsibility for code dependencies and usage lies with projects. With fast building, the web3.js library has been downloaded more than 350K to 400K times in a week, leading to wider potential exposure.
Solana wallet attacks are a key risk
Solana drainers are becoming more active, and one of the few things that prevents bigger exploits is the fact that most wallets still contain under 1 SOL.
One of the risks is that once exposed to a drainer, a Solana wallet is always at risk. Solana wallets also cannot revoke their permissions as in Ethereum.
The Solana network is still not as heavily exploited as Ethereum, but has a prevalence of attacks against personal wallets. One of the vectors include Telegram, which can be connected to a Solana wallet for bot usage or easier trading.
Using the same Telegram credentials also means that the wallet may be exposed and drained by malicious apps. The best approach is to use a dedicated wallet for storage, and another one for Web3 tasks.
A Step-By-Step System To Launching Your Web3 Career and Landing High-Paying Crypto Jobs in 90 Days.
