On August 2, a hack affecting wallets in the Solana blockchain was announced on Twitter. Several users had funds drained from their wallets without consent. According to a recent post from one of the official Solana Twitter profiles, Solana Status, around 8,000 addresses had been impacted as of August 3, and Solana Labs engineers are investigating the root cause of the attack. This hack differs from several other incidents we have seen since the beginning of 2022—which have mainly targeted exploits in blockchain bridges. In fact, the affected wallets—owned by users of the digital wallets Phantom, Slope and TrustWallet, three major hot wallets compatible with the Solana blockchain—had their addresses drained due to the compromise of their private keys. According to data from TradingView, from the time the hack was first announced to midnight August 4 (UTC), SOL, the native token of the Solana blockchain, was down 4.7%, in comparison to ETH, down 1.3% in the same period.
Hot wallets are digital wallets that allow users to easily interact with several blockchain applications, facilitating the use of crypto assets and the interaction with Web3 protocols through a smartphone app or web browser extension. Although this kind of wallet brings a lot of practicality to the average user, letting them easily sign any blockchain transaction with a click of a button, hot wallets store the private keys of the addresses owned by the user on a device usually connected to the internet (a smartphone or a computer where the wallet is installed), which can be potentially dangerous to the security of said data. Any malicious actor that gains access to the device and becomes aware of a vulnerability that the wallet software may possess can potentially access the user's private keys.
As noted by Anatoly Yakovenko, CEO of Solana Labs, the exploited addresses had mostly only received SOL (the native currency of the smart contract platform) and SPL tokens (the token standard for fungible tokens in the network, such as the stablecoin USDC), meaning most of these wallets had never interacted with any decentralized application such as DeFi, and were owned by users likely investing for the medium and long terms. Yakovenko also noted that the hacked private keys seemed to have been imported or created in digital wallets for iOS, raising the possibility that the hacker(s) might have been able to introduce malicious code into the iOS wallet libraries to extract the private keys from any user downloading the modified wallet code onto their phones.
Solana Status has since provided an update, stating that “after an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallets.” They further added that the exploit was “isolated to one wallet on Solana” and that “there is no evidence the Solana protocol or its cryptography was compromised.”
At Hashdex, we employ the best-in-class standards for institutional custody, using a combination of cold storage (private keys disconnected from the internet), sharding (private key segregation), and strict governance to offer the most secure and professional custody of the crypto assets we hold on behalf of our investors. Client assets in our WEB311 ETF and HASH ETP, which both hold SOL, are safe from this type of hack due to the stringent custody requirements we place on all our funds. As we have noted in the past, we believe these types of attacks underscore the necessity of institutional custody being a key element of our secure and regulated products.
For more information on how we ensure that crypto assets in our products are protected from hacks and other vulnerabilities, please see our Crypto Custody Primer.
This material expresses Hashdex Asset Management Ltd. and its subsidiaries and affiliates (“Hashdex”)'s opinion for informational purposes only and does not consider the investment objectives, financial situation or individual needs of one or a particular group of investors. We recommend consulting specialized professionals for investment decisions. Investors are advised to carefully read the prospectus or regulations before investing their funds. The information and conclusions contained in this material may be changed at any time, without prior notice. Nothing contained herein constitutes an offer, solicitation or recommendation regarding any investment management product or service. This information is not directed at or intended for distribution to or use by any person or entity located in any jurisdiction where such distribution, publication, availability or use would be contrary to applicable law or regulation or which would subject Hashdex to any registration or licensing requirements within such jurisdiction. No part of this material may be (i) copied, photocopied or duplicated in any form by any means or (ii) redistributed without the prior written consent of Hashdex. By receiving or reviewing this material, you agree that this material is confidential intellectual property of Hashdex and that you will not directly or indirectly copy, modify, recast, publish or redistribute this material and the information therein, in whole or in part, or otherwise make any commercial use of this material without Hashdex’s prior written consent.
Investment in any investment vehicle and cryptoassets is highly speculative and is not intended as a complete investment program. It is designed only for sophisticated persons who can bear the economic risk of the loss of their entire investment and who have limited need for liquidity in their investment. There can be no assurance that the investment vehicles will achieve their investment objective or return any capital. No guarantee or representation is made that Hashdex’s investment strategy, including, without limitation, its business and investment objectives, diversification strategies or risk monitoring goals, will be successful, and investment results may vary substantially over time. Nothing herein is intended to imply that Hashdex’s investment methodology or that investing in any of the protocols or tokens listed in the Information may be considered “conservative,” “safe,” “risk free,” or “risk averse.”
Certain information contained herein (including financial information) has been obtained from published and non-published sources. Such information has not been independently verified by Hashdex, and Hashdex does not assume responsibility for the accuracy of such information. Hashdex does not provide tax, accounting or legal advice. Certain information contained herein constitutes forward-looking statements, which can be identified by the use of terms such as “may,” “will,” “should,” “expect,” “anticipate,” “project,” “estimate,” “intend,” “continue,” “believe” (or the negatives thereof) or other variations thereof. Due to various risks and uncertainties, including those discussed above, actual events or results, the ultimate business or activities of Hashdex and its investment vehicles or the actual performance of Hashdex, its investment vehicles, or digital tokens may differ materially from those reflected or contemplated in such forward-looking statements. As a result, investors should not rely on such forward-looking statements in making their investment decisions. None of the information contained herein has been filed with the U.S. Securities and Exchange Commission or any other governmental or self-regulatory authority. No governmental authority has opined on the merits of Hashdex’s investment vehicles or the adequacy of the information contained herein.