HACKERS targeted the Solana ecosystem early Wednesday with thousands of wallets affected in the latest hit to the cryptocurrency market after bridge protocol Nomad was attacked at the start of the week.
Estimates of the damage vary. Just over $5.2 million in cryptoassets have been stolen so far from more than 7,900 Solana wallets, according to blockchain forensics firm Elliptic. Security company PeckShield said four Solana wallet addresses drained approximately $8 million from victims.
“The root cause is still not clear,” Elliptic’s co-founder Tom Robinson said. “It appears to be due to a flaw in certain wallet software, rather than in the Solana blockchain itself.”
The attack sent Solana’s SOL token down as much as 7.3 percent to $38.40 in early trading on Wednesday, its lowest in a week. Bitcoin was up 1.5 percent at $23,367.
Crypto projects are proving a rich vein for hackers and the industry has suffered numerous attacks this year. Solana’s woes come days after Nomad—a bridge protocol for transferring crypto tokens across different blockchains—lost close to $200 million in a security exploit on Monday. More than $1 billion has already been stolen from bridges in 2022, according to a June report by Elliptic.
“Much remains unknown at this point—except that hardware wallets are not impacted,” Solana Spokesman Austin Federa said.
While there’s speculation the incident was a supply-chain attack, the nature of the exploit remains unclear, Federa said. Supply-chain hacks occur when an outside party or provider with access to the victim’s systems and data is infiltrated.
Solana, which has suffered network outages in the past, is a rival to the Ethereum blockchain. As transaction prices on Ethereum rose last year, chains like Solana, which tout their low transaction fees, emerged as alternatives for minting non-fungible tokens. The code underpinning Solana is also popular with clients looking to build their own decentralized-finance applications.
Some NFTs were also stolen in the hack—but the full impact of the exploit is still unclear, Elliptic’s Robinson said.