The Washington Post

A pair of hacks rattle an already jittery crypto industry

Attacks involving Solana and Nomad have some questioning if crypto’s speed is worth the cost

Solana signage is displayed at a conference in Los Angeles in March. Some users of the Solana blockchain saw their money disappear this week after an apparent hack of compatible wallets. (Bing Guan/Bloomberg News)

A pair of crypto hacks totaling nearly $200 million in losses and probably affecting more than 10,000 users has prompted worry in an industry already unsettled by falling prices.

On Wednesday, Solana, a popular blockchain and token, said that some wallets that held its assets had been breached. At least 7,700 such wallets are believed to be affected, the company said, while London-based blockchain-analysis firm Elliptic put the amount stolen at $5.2 million in crypto, which includes Solana tokens and the stablecoin known as USD Coin.

“An exploit allowed a malicious actor to drain funds from a number of wallets on Solana,” the company said via Twitter. “Engineers are currently working with multiple security researchers and ecosystem teams to identify the root cause of the exploit, which is unknown at this time.”

The hack is believed to have taken hold on wallets such as Slope and Phantom. These are “hot wallets” — that is, wallets that allow for lightning-fast transactions because they are always connected to the internet, as opposed to “cold wallets,” which usually require a USB drive and have long periods of disconnection. Solana — which at one time had the fifth-most-popular token before a slide — has made a name for itself as a blockchain that can transfer funds extremely quickly.

The news follows Monday’s revelation from Nomad, a so-called blockchain bridge, which acknowledged that about $190 million had been taken from it after a hacker infiltrated its system. The attack was known as a “free-for-all,” because the hacker’s original code allowed anyone to copy it and steal the crypto for themselves. It is not known where the money went.

Nomad said its executives were working with law enforcement and a blockchain data firm called TRM Labs to locate the funds, with no update as of Wednesday afternoon. It said they were working on “investigation/recovery” as well as “technical fixes.”

In an unusual move, the company early Wednesday provided an address for anyone who might have chosen to grab the money in a noble act of protection.

“Dear white hat hackers and ethical researcher friends who have been safeguarding ETH/ERC-20 tokens, please send the funds to the following wallet address on ethereum,” it said on Twitter. It is not known whether any good Samaritans took the company up on its offer.

A blockchain bridge allows consumers to swap crypto from one blockchain to another — say, from bitcoin to ethereum — making it vulnerable on what security experts call “both sides,” weaknesses on either blockchain. These bridges also tend to be newer and, in some cases, more hastily designed. In March, another blockchain bridge known as Ronin was hacked for amounts totaling more than $600 million in crypto.

“To date, approximately $1.8 billion has been stolen from these services and it’s worrying that their security standards don’t seem to match the huge amounts of capital being entrusted to them,” Tom Robinson, co-founder and chief scientist of Elliptic, said in an email to The Washington Post, referring to bridges.

Meanwhile, the Solana case has prompted concern because it was made vulnerable by factors out of its control. While some argue the hack does not show that any of the industry’s foundations are shaky — “This wasn’t a core blockchain problem, likely seems like one app someone built was buggy,” crypto mogul Sam Bankman-Fried told Fortune on Wednesday — it highlighted to critics the interconnectedness of crypto networks and the inability of any one part to fully vet all the others.

While the hacks involved discrete entities, blockchain bridges and hot wallets also underline what many crypto enthusiasts say is so appealing about the form: ease of use. The former allows disparate blockchains to communicate — potentially as essential to a coming tech era as, say, people with AT&T and Verizon phone plans being able to talk to one another was to an earlier one.

And cold storage, while safer, would seem to undercut what lies at the heart of crypto’s appeal, which is to allow for transfers without the delays and waits of traditional bank transactions.

On social media Wednesday, many showed images of their wallets suddenly displaying zero balances, while others questioned hot wallets. “So you’re telling me storing my entire net worth on a google chrome extension would be considered a bad move?” one wag wrote of Phantom.

But experts say the issue may be more serious than that. Finding solutions, they note, might mean making sacrifices within the goals envisioned by crypto idealists.

“One of the advantages to opening up the banking system this way is the speed and lower barrier to transactions,” said William Callahan III, a former Drug Enforcement Administration special agent who now serves as director of government and strategic affairs for a company called the Blockchain Intelligence Group. “But what these hacks show is we need to take a step back and question that idea of accessibility, since speed is also part of the problem. We need to balance speed with security.”

Still, Callahan said, he believed such shoring-up was possible. “Blockchain bridges need to step up their protection, while maybe consumers need to use more cold storage,” he added.

The need for speed might be diminishing on its own as some people exit cryptocurrency. Bitcoin, a strong barometer of crypto activity, has lost 50 percent of its value in 2022 as investors have shed the asset, though it has seen a rebound from its sub-$19,000 price in June to hover around $23,000 in recent weeks.
