Attention, Solana devs: the @solana/web3.js library, the digital Swiss Army knife for building decentralized apps on Solana, just got hit by a sneaky supply chain attack. Here’s the rundown on the new Solana hack, what went down and how the hackers made their heist.
The Plot Twist You Didn’t See Coming
On December 2, some clever (and very illegal) hackers gained access to a developer account managing the @solana/web3.js library. For context, this library is downloaded more than 350,000 times a week; it’s basically the bread and butter of Solana dApp development.
The hackers slipped malicious code into versions 1.95.6 and 1.95.7 of the library. Their secret sauce? A backdoor that quietly siphoned private keys to a hardcoded address. The result? A digital smash-and-grab that made off with $160,000 in SOL and other crypto goodies.
How the Solana Hack Drama Unfolded
The breach wasn’t your everyday “oops, my bad” moment. The attackers used a compromised npm (Node Package Manager) account to push two tainted updates. Within hours, the Solana-focused team at Anza sounded the alarm. The hacked versions were up for grabs from 3:20 PM to 8:25 PM UTC before npm swooped in to take them down.
The damage was focused on developers who updated their libraries during that brief window. Bots and backend systems handling private keys were especially vulnerable in this Solana hack; bad news for anyone who had “update library” on their to-do list that day.
Who’s in the Clear?
Not all heroes wear capes, or get hacked. Big players like Phantom, Solflare, Drift, and Backpack flexed their robust security setups and confirmed they dodged this digital bullet. Their users? Safe and sound, unaffected by the library’s corrupted versions.
The Solana blockchain itself remained unscathed. The community was quick to clarify: this was an isolated hit on the library, not the network. So, Solanians, breathe easy (but maybe double-check your dependencies and meme coins); this Solana hack left you untouched.
Post-hack, the advice was loud and clear:
- Update ASAP: Version 1.95.8 is your new best friend.
- Audit Everything: Check your project for sneaky dependencies.
- Rotate Those Keys: If you were caught in the crossfire, generate new private keys and get those funds locked down.
Tools like Socket have been recommended for keeping your repositories safe from similar shenanigans.
Supply Chain Attacks and Past Solana Outages
This isn’t the first time hackers have pulled the ol’ “mess with the source” trick. A recent attack on the Lottie Player JavaScript library, which powers web animations, resulted in over $723,000 in crypto losses. The pattern? Compromised software + unsuspecting users = big payouts for bad actors.
Solana has faced several significant outages that have impacted its network stability. On September 14, 2021, a surge in transactions caused the network to fork, leading to a 17-hour downtime as validators worked to resolve differing views of the network’s state.
In 2022, Solana experienced multiple disruptions. On May 1, the network was offline for approximately seven hours due to an influx of bots overwhelming the system. Later, on May 31, a bug in processing offline transactions resulted in a four-and-a-half-hour outage.
Another notable incident occurred on October 1, 2022, when a consensus bug allowed a misconfigured node to produce conflicting blocks, causing a six-hour network halt.
These outages have often led to declines in the value of Solana’s native token, SOL, highlighting the challenges the platform faces in maintaining consistent network performance.
The Bigger Picture
Hackers are targeting open-source libraries and third-party dependencies more than ever, and the stakes are sky-high in crypto. As one blockchain expert put it, third-party tools are essential for rapid development but can turn into Trojan horses if not carefully vetted. The takeaway? The faster we adopt stricter standards in crypto, the safer everyone will be.
So, Solana devs, consider this a wake-up call. Keep your libraries clean, your keys rotated, and your codebases locked down tighter than a bear hug at a family reunion. This Solana hack might’ve taken $160K, but let’s make sure it’s the last.