I like to be thorough, transparent, and straightforward so here it goes…
It was not a Solana hack. It was a Solana application hack.
Now, you might be asking yourself: what the hell does that mean? Didn’t you just say “let’s talk about the Solana hack”?
Well, I did, but only because that is the clickable topic. The truth, though, is that it was not a “Solana network” hack; it was a hack on a widely used Solana application that simply affected a lot of people.
Why did this happen? Solana built an accessible, cheap, and powerful blockchain on which developers can fast-track building apps. This, however, means good and “bad” developers alike can build applications on top of it. Just like when the internet came out, there were a lot of good sites and “bad” sites, or should I say dangerous sites; there are more of those around nowadays, by the way.
You see, on the internet you can get hacked by clicking on a phishing link in an email, by simply logging into a site that is posing as another site with a very similar URL that you did not notice was different, or even through plain bad luck, because you were consuming a service from a provider that was compromised and their data (your data) was stolen and used maliciously, and… okay, you get the point, it is quite overwhelming.
As a consequence of Solana’s cheap, high-throughput, easy-to-build-on blockchain network, many applications have been built since its creation. There is no restriction on who can build, so there is a big chance that someone builds a not-so-effective, or in this case a not-so-secure, application that ends up being used by a lot of people, and those people end up being affected by the application’s vulnerabilities.
The vulnerable application, in this case, was the Slope Mobile Wallet application, downloaded by tens of thousands of Solana users. Its vulnerability, you ask? Well, it was sharing wallet seed phrases (not on purpose, of course; a developer’s mistake, a big mistake) with connected DApps. Some of those DApps were breached, and a lot of people’s wallet recovery phrases were stolen. Like the old saying goes, not your keys, not your cryptos. This means that people who got their phrases stolen basically shared their cryptos with whoever stole them.
Since any developer, good or bad, can build an app that interacts with the Solana blockchain and publish it, you could fall through the insecure cracks of a not-robust-enough application, just like you might get scammed by an app promoted in a YouTube commercial.
People who got hacked simply got their seed phrases stolen because a badly built application was sending those phrases to the connected third-party apps. A development issue at its core.
There is a reason why Solflare Wallet users, for example, did not get hacked unless they had imported their seed phrases (wallets) elsewhere (into Slope).
So, a couple of lessons to learn from this cybercrime, or should I say development crime:
Lesson #1: Whenever you connect your wallet to a DApp, make sure of two things:
How does your wallet treat your keys? (Usually disclosed in whitepapers & docs)
Is the DApp you are connecting to absolutely secure? (Also determinable through docs & whitepapers)
Lesson #2:
Developers out there... it is our job to build apps that allow for mass adoption through secure infrastructures.
Before publishing your apps, due diligence is needed.
Lesson #3: Users out there...
The blockchain world is still wild, and just like you would train yourself before going into the jungle on your own and facing all kinds of good things and dangers, document yourself before going into the blockchain world and its domains.
To conclude:
I am a happy Solana staker and holder.
I have NFTs in my wallet, perfectly safe.
I am a Solflare Wallet user and quite happy.
I stake with Figment.io and I couldn't trust anybody more to delegate my SOLs to.
Stop stabbing projects. Make them better.