Solana Phantom/Slope Hack (August 2022)

    One of my closest friends was a victim of the Solana Phantom hack and, as a result, he lost more than $1000.

    Short Brief:

    Starting late in the evening of August 2, 2022 (US time), various organizations that monitor events in the crypto industry started tweeting about a relatively large-scale Solana hack.

    After investigating, engineers across several networks determined that the incident was not caused by a bug in the blockchain's software. The attack was possible because of vulnerabilities in the software wallets that are popular within the Solana ecosystem (chiefly Phantom and Slope).

    According to the analysis, a third party obtained users' private keys. Once a key is in an attacker's hands, Solana has no means of distinguishing the real owner from the thief, since both can sign valid transactions.

    The attack affected hot wallets (Phantom and Slope) that are connected to the internet. This inevitably spurred a debate about whether one should ever use internet-connected wallets over hardware ones, given the existing security pitfalls.

    Initially, the root cause of the attack remained unclear, and some suspected that other blockchains may be affected as well.

    Some people simply advised Phantom users to transfer their assets to a safer platform such as a cold wallet or a centralized exchange.

    Based on the above data, the total number of compromised wallets is 10.68k unique wallets (including my friend…).

    The total stolen volume during this hack is $5.47M USD, and the total number of unique assets stolen is 228 tokens.

    The chart shows that the stolen volume of USDC exceeds that of every other asset, with SOL in second place.

    Almost 80% of the total stolen volume belongs to these 2 assets.

    By number of affected wallets, however, most wallets lost SOL, with wallets that lost USDC in second place.

    The large gap between SOL and the other assets by wallet count, set against the previous chart where USDC volume was higher than SOL, shows that the typical stolen SOL amount per wallet was small: far fewer victims lost USDC than lost SOL, yet USDC accounts for more stolen volume.

    The next chart shows the distribution of stolen volume by hacker wallet address.

    Most of the stolen volume (almost 70% of the total) was transferred to the Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV address.

    The table lists the full set of stolen assets and their stolen volume.

    As noted before, USDC has the highest stolen volume, with SOL and USDT in the next ranks.

    The next chart shows the hourly volume of stolen assets over time, broken down by destination address (hacker wallet) and by the asset transferred.

    The interesting result is that the highest volume of stolen assets was moved during the first 2 hours of the hack, before the start of 3 August.

    As seen before, the highest volume of assets was transferred to the Htp…wxV wallet address.

    Also, although the number of transfers stayed at its highest for the first 7 hours, the transferred volume dropped sharply after the first 2 hours.

    So we can tentatively conclude that the hackers had planned ahead to drain the highest-value wallets in the first hours of the hack.

    The next chart shows the cumulative volume of stolen assets during the hack.

    It confirms that the highest volume of transfers occurred during the first 2 hours (as seen on the previous chart); the impact of those large transfers is clearly visible, especially for the Htp… and CEz… wallet addresses, which received the highest stolen volume.

    Also, the only wallet that remained active after 3 August is CEz…iEu; there are no further transfers to the other 3 wallets after this date.

    The next chart shows the cumulative volume of stolen assets over time by asset; as said before, USDC and SOL are by far the most stolen assets.

    The interesting thing is that all USDC volume was stolen during the first hours of the hack: there is no trace of stolen USDC after the first hours.

    The next chart shows the top 10 compromised wallets by financial loss.

    7DBK3Mz1MxrTXVVwfJBk9aDQ9Wc5nwG3qa3K8rqeoaHX lost by far the most assets during this hack, more than 491k USD!

    After that, with a big gap from the top victim, Exi964mWHtpazeVMo4nuEjeYzxRzo1ANt5yyREXvBRFc has the second-highest stolen volume (more than 249k USD).

    The distribution chart shows that the largest group of victims lost only between 10 and 50 USD, followed by users who lost between 100 and 250 USD.

    About 5% of wallets lost more than 20,000 USD.

    Summary and Conclusion

    To sum up, the hack started on August 3, 2022, and continued for about 2-3 days. The hacker wallets had little activity on the Solana chain before or after the hack.

    This incident highlights the severity of cryptocurrency theft, which affects both individuals and the wider community. Even though it is difficult to trace and identify the movement of stolen assets, centralized projects such as exchanges should take responsibility for establishing and enforcing robust controls to prevent the laundering of stolen cryptocurrency. It is essential for the industry to collaborate across centralized and decentralized systems to improve security practices and tackle the growing threat of cryptocurrency theft.

    Ultimately, the analysis concluded that such an attack could affect any network, not just Solana. Users should keep their assets secure by holding large balances in safe places such as hardware (cold) wallets. They should also stay aware of news and events about their assets so they can take the correct action in the first moments of an exploit like this.

    Based on the above analysis:

    • The total number of compromised wallets during the Solana hack of August 2022 was 10.68k unique wallets, and the total stolen volume was more than 5.47M USD.
    • Most of the stolen volume belongs to the USDC and SOL assets.
    • Most of the stolen volume was moved during the first 2 hours of the attack.
    • The largest number of hack-related transfers occurred during the first 7 hours of the attack.
    • The exploit wallet address Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV received the highest volume of stolen assets.
    • The victim wallet address 7DBK3Mz1MxrTXVVwfJBk9aDQ9Wc5nwG3qa3K8rqeoaHX suffered the highest financial loss (more than 478k USD).
    • Most victims lost between 10 and 50 USD.
    • The activity of victim wallets on the Solana ecosystem decreased significantly after the hack. Perhaps they left the Solana ecosystem entirely because of its repeated hacks and halts, or perhaps they changed wallets and created another account on Phantom or another web3 wallet.
    • The Phantom deployment program was the program most used by compromised wallets after the hack, presumably because victims wanted to move their remaining assets out of the compromised wallets. Other programs such as the Magic Eden NFT marketplace and swap programs such as Jupiter, Raydium, and Serum were among the top first destinations of victims.
    • Transfers to centralized exchanges (seen as a safer platform, out of reach of the wallet compromise) increased significantly during the hack.

    **Discord: Ali3N#8546 Twitter: Alik_110 Email: Alik110.72@Gmail.com Check out My Other Dashboards at: **

    Methodology:

    Based on the official Solscan tweet, there are 4 wallet addresses related to the hack transactions:

    • Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV
    • GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy
    • 5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3
    • CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu

    To detect the exploit transactions, we analyze transfers whose destination is one of the 4 wallets above and that were made after 1 August 2022.

    So, based on the above facts, I am going to:

    • Calculate the total number of victim wallets.
    • Calculate the total stolen volume in USD.
    • Calculate the total number of stolen unique assets.
    • Analyze the stolen assets and their number and value.
    • Analyze 4 exploited addresses and their stolen volume.
    • Analyze top wallets with the most financial loss.
    • Analyze the distribution of wallets based on loss funds.
    • Calculate the age of compromised wallets (at the time of the hack).
    • Analyze the activity of victims after being hacked.
    • Analyze some hack-related and post-hack actions taken by the hackers.

    The main table I have used for this bounty is Flipside’s solana.core.fact_transfers.

    P.S.: I have always wanted to perform an analysis of this attack because one of my closest friends was a victim and he lost more than $1000 in USDC and SOL… So now, thanks to the MetricsDAO fund recovery initiative, I can reveal some information about it; let’s hope it helps trace and shed light on the hacked funds and where they are sitting.
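    As an added example (not the dashboard's own query), the detection rule above expressed in Python over a constructed set of transfer rows: it keeps transfers into the 4 exploit addresses on or after 1 August 2022 and derives the victim count, stolen USD volume, unique assets, per-hacker-address volume and the loss-bucket distribution used later on the page. The row layout and bucket boundaries are assumptions; the dashboard itself computed these in Flipside SQL over solana.core.fact_transfers.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
# The four exploit destination addresses the page takes from Solscan's tweet.
EXPLOIT_WALLETS = {
    "Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV",
    "GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy",
    "5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3",
    "CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu",
}
WINDOW_START = datetime(2022, 8, 1, tzinfo=timezone.utc)  # page: transfers after 1 Aug 2022
# Loss buckets in USD (lower bound inclusive); assumed to approximate the page's distribution chart.
LOSS_BUCKETS = [(0, "<10"), (10, "10-50"), (50, "50-100"), (100, "100-250"), (250, "250-20k"), (20_000, ">=20k")]

# Constructed sample rows (not real chain data): sender, receiver, token, amount, USD price, time.
SAMPLE_TRANSFERS = [
    ("victimA", "Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV", "USDC", 1500.0, 1.0, "2022-08-03T02:10:00Z"),
    ("victimA", "Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV", "SOL", 10.0, 40.0, "2022-08-03T02:11:00Z"),
    ("victimB", "CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu", "SOL", 0.5, 40.0, "2022-08-03T05:00:00Z"),
    ("victimC", "GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy", "USDT", 120.0, 1.0, "2022-08-04T12:00:00Z"),
    ("victimD", "Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV", "SOL", 1.0, 40.0, "2022-07-20T09:00:00Z"),  # before window
    ("victimE", "UnrelatedWallet111111111111111111111111111111", "USDC", 5000.0, 1.0, "2022-08-03T03:00:00Z"),  # not exploit
]

def exploit_transfers(rows):
    """Keep transfers into an exploit wallet on/after the window start, valued in USD."""
    kept = []
    for src, dst, token, amount, usd_price, ts in rows:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if dst in EXPLOIT_WALLETS and when >= WINDOW_START:
            kept.append((src, dst, token, amount * usd_price))
    return kept

def loss_bucket(usd):
    # Highest bucket whose lower bound the loss reaches (LOSS_BUCKETS is ascending).
    return [name for lower, name in LOSS_BUCKETS if usd >= lower][-1]

def hack_stats(rows):
    """Reproduce the page's headline metrics from transfer rows."""
    flagged = exploit_transfers(rows)
    per_victim, per_hacker = defaultdict(float), defaultdict(float)
    for src, dst, _token, usd in flagged:
        per_victim[src] += usd
        per_hacker[dst] += usd
    return {
        "victims": len(per_victim),
        "total_usd": round(sum(per_victim.values()), 2),
        "unique_assets": len({t[2] for t in flagged}),
        "per_hacker": dict(per_hacker),
        "loss_buckets": dict(Counter(loss_bucket(v) for v in per_victim.values())),
    }
```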

    Overall Hack Stats

    Stolen Assets

    Hourly Over-Time Stats

    According to the chart, the largest number of hack-related transfers were in the $10 - $100 range, followed by transfers of less than $10.

    However, there were 1465 transfers (7.95%) of more than $10000!

    Victims

    As mentioned earlier, the total number of compromised wallets during this hack was 10.68k unique wallets (including my friend…).

    Based on the chart, the average wallet age of victims (at the time of the hack, 2 August) was 209 days.

    The majority of victims’ wallets were between 6 months and 1 year old at the time of the hack.

    Also, 4.36% of wallets were less than 1 week old (poor newbies!).

    According to the charts, the activity of victim wallets on the Solana ecosystem decreased significantly after the hack. During the weeks before the hack, and especially during the days just before it, the number of transactions and of active users (victims) on Solana was quite high and still rising; after the hack there is a sudden, significant decline in their activity.

    We can conclude that some of these wallets may have left the Solana ecosystem entirely because they lost trust in the blockchain after its continuous hacks and halts, or that some victims changed their wallet address altogether (creating another account on Phantom or other wallets). Only some of them continued using their compromised wallet after the hack date.

    In the charts above, I analyzed the top 10 first activities of victims (the first Solana program they interacted with) after being hacked.

    The majority of these users interacted with the Phantom Wallet Deployment Program. Based on the Phantom docs, when transferring SPL tokens, Phantom first double-checks that the owner of the receiving token account is the address you expect to send to. To do this, Phantom calls a custom deployment of the Serum Assert Owner program. The program address of this deployment is DeJBGdMFa1uynnnKiwrVioatTuHmNLpyFKnmB5kaFdzQ.

    So this means the majority of these users were moving their assets out of their compromised wallets.

    On the next ranks, the Magic Eden NFT marketplace is the most popular first destination of victims after the hack, and swap programs such as Raydium, Jupiter and Serum are some of the other destinations.

    As mentioned in the brief section, some people, including CZ (Binance CEO), advised victims and non-victims at risk to transfer their assets to a safer platform such as a cold hardware wallet or a centralized exchange in order to stay out of reach of the hack.

    The chart shows the daily number of transfers to centralized exchanges by both victim and non-victim Solana users over time (from 1 month before the hack to 1 month after it).

    Transfers to CEXs increased significantly, especially on 3 August during the hack timespan.

    Hackers’ Transaction Details and Behavior

    According to the tables, the Phantom hackers had little post-hack activity on the Solana chain, perhaps because the community is closely monitoring these addresses for any suspicious activity.

    They received some incoming transfers, but their outgoing transactions after the hack are very few.

    4JfXWXd2aenLncrdpJcryX8kZVJUSHyGPnc6HSyhA2Es is one of the main destinations of these hackers, but this address has also had no outgoing activity and has only received funds from the hackers.
