Standing Still (Solana wallet hacks?)

Eeep... there is news going around of Solana wallets being drained at the moment, roughly 5000 at the moment, and counting up. It is crazily hard to get much information from the noise, but it might be related to either supply-side attacks on code libraries for Phantom and Slope wallets (and there are hints MAYBE of Trust Wallet), or there is another theory that it could be reused nonces that allow attackers to decipher private keys. If it is the first, then this is groundbreaking... as browser extensions and mobile hot wallets were always considered to be incredibly risky places to store keys/seeds, and now we are starting to see the first example of exactly why that is! If it is the second, then it is more mundane and careless... but still disastrous for those affected.

So, I got this news when I stepped off of stage... and I wasn't in a position to do anything about it anyway. It won't be disastrous for me if I'm drained on the Solana chain, but it will sting. But then the space and time that I had gave me time to think and gather more from leading crypto techies about what might have been happening... after all, running around with no plan is not always going to be a good idea... you could make a bad situation much much worse! I also didn't even have a record of the Solana addresses that I was using anyway... so, I couldn't even check to see if I had been hit.

... but thinking back, I only used the Phantom wallet one time anyway... and I think I had used a completely new account (well, I really hope so!) for the hot wallet. I was just testing out the wallet anyway, and it was a long long time ago! So, I'm hoping that the amount of exposure is minimal. Now that I'm home, I managed to retrieve the Ledger cold wallet addresses that I was using... and on the Solana block explorer, it appears that I have been unaffected (so far...). Most of my SOL is in staking anyway, and there is a 3 day cooldown on that, so I should be able to see that transaction if that was the case. There is a little bit of dust for gas fees, and again, if they drain that... I will know that I'm in for a bit of a fight for the rest of the staked stuff!

It appears that the seed phrases are what were compromised... as wallets are able to sign transactions directly relieving themselves of assets. So, that is pretty damn bad... and it also means that any other keypairs (for all blockchains) that have been derived from the same seed are also vulnerable!

So, on a personal level... it looks like I'm in a holding pattern, not wanting to accidentally sign malicious transactions or anything... or make things worse. My SOL is staked anyway, so I can't remove it quickly to a cold(-er) wallet. So, sit tight and wait seems to be the order of the day.

Some takeaways from this:

  • don't mix seed phrases... it is annoying to have lots of seed phrases, but if you are entering hardware (cold) wallet seeds into hot extensions/mobile apps then you are ruining the security of having a cold wallet in the first place!

  • Solana has always prioritised speed above all else... and this has come back to bite them many many times. The character that is set by the team will spread through the ecosystem, and we have seen Phantom wallet come up before as prioritising "ease of use" and "speed" over security. This is proving to be a bad balance...

  • Use cold wallets... sure, they cost a bit and are a pain in the arse... but hot wallets are INSECURE!

Anyway, stay safe out there... crypto-land is dangerous, and even more so if you are trying to hide and stay safe from nation-states and crime gangs. These guys are patient and ruthless, so you have to make sure that you are as small a target as possible!
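
An added illustration (not part of the original post) of why one leaked seed phrase exposes keys on every chain derived from it. It uses only the Python standard library to run BIP-39 seed stretching and SLIP-0010 ed25519 derivation; the phrase is the public BIP-39 test-vector phrase, and the two derivation paths are common wallet defaults chosen here as assumptions.

```python
import hashlib
import hmac
import struct
import unicodedata

HARDENED = 0x80000000

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the phrase into a 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds)."""
    phrase = unicodedata.normalize("NFKD", mnemonic.strip()).encode()
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", phrase, salt, 2048)

def slip10_ed25519(seed: bytes, path: str) -> bytes:
    """SLIP-0010 ed25519 derivation: returns the 32-byte private key at `path`."""
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    for part in path.split("/")[1:]:
        if not part.endswith("'"):
            raise ValueError("ed25519 derivation supports hardened indexes only")
        index = int(part[:-1]) + HARDENED
        data = b"\x00" + key + struct.pack(">I", index)
        digest = hmac.new(chain_code, data, hashlib.sha512).digest()
        key, chain_code = digest[:32], digest[32:]
    return key

# Constructed sample: the public BIP-39 test-vector phrase, never a real wallet.
SAMPLE_PHRASE = ("abandon " * 11 + "about").strip()

# Assumed default paths; coin types from SLIP-0044 (501 = Solana, 148 = Stellar).
PATHS = {"Solana": "m/44'/501'/0'/0'", "Stellar": "m/44'/148'/0'"}

def keys_from_phrase(mnemonic: str) -> dict:
    """Everything below is a pure function of the phrase: no per-chain secret exists."""
    seed = bip39_seed(mnemonic)
    return {name: slip10_ed25519(seed, path).hex() for name, path in PATHS.items()}

if __name__ == "__main__":
    for name, key in keys_from_phrase(SAMPLE_PHRASE).items():
        print(f"{name:8s} private key derived from the same phrase: {key[:16]}...")
```

Anyone holding the phrase can repeat this derivation for any path, which is why a hardware-wallet seed typed into a hot wallet is no longer a cold seed.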

5 comments
In that case, it is better to use a hardware wallet with a seed phrase offline and not share it with an online app.

Yes... I think that people forget that seed is the generator for all priv/pub keys across ALL the HD blockchains.

We all know that a cold wallet is best, but we ignore it so many times, and this is because we thought we are safe using a hot wallet, but when we get hit hard by hackers we tend to change instantly. Securing our assets first should be our priority.

Agreed, security always first... but too often, people want to get to the "fun" stuff.
