Solana Hack of August 2022
Starting on August 1st, a total of over 8,000 users were hacked on Solana, mainly through the Slope and Phantom wallets. The users' private keys were compromised and their wallets were drained. Four Solana addresses are suspected of having carried out the attack. This analysis reveals some information about the attack.
Short Brief:
Starting late in the evening of August 2, 2022 (US time), various organizations that monitor events in the crypto industry started tweeting about a relatively large-scale Solana hack.
After investigating, engineers across several different networks determined that the recent hacking incident was not caused by a bug in the blockchain's software. The attack was possible because of vulnerabilities in the software wallets (mainly Phantom and Slope) that are popular within the Solana ecosystem.
According to the analysis, it appears that a third party obtained the private keys, and in that case Solana has no means of distinguishing between the real owner and the impostor: a valid signature is a valid signature, whoever holds the key.
The attack affected hot wallets (Phantom and Slope) that are connected to the internet. This inevitably spurred a debate about whether one should ever use internet-connected wallets over hardware ones, given the existing security pitfalls.
Initially, the root cause of the attack remained unclear, and some suspected that other blockchains may be affected as well.
Based on the above data, the total number of compromised wallets (as of 5 August 2022) is 10631 unique wallets.
The total stolen USD volume during this hack is $5158829.44.
The total number of unique assets stolen is 224.
Based on the chart on the left, the stolen volume of USDC is higher than that of any other asset, and SOL is the second most stolen asset by volume.
More than 80% of the total stolen volume belongs to these two assets.
Based on the next chart on the left, the largest number of wallets lost SOL, followed by wallets that lost USDC.
The huge gap between SOL and the other assets shows that the stolen SOL volume was not very high: as the previous chart showed, the USDC volume was higher than the SOL volume, even though far fewer wallets lost USDC than lost SOL.
The chart on the left shows the distribution of stolen volume by hacker wallet address.
Most of the stolen volume (almost 70% of the total) was transferred to the Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV address.
The table on the left lists the stolen assets and their volume.
As noted before, USDC has the highest stolen volume of all assets.
The chart on the left shows the hourly flow of transfers to the exploiter addresses over time, together with the number of victim wallets whose assets were stolen.
The hack began late on Tuesday, 2nd August (UTC), and the highest number of stolen assets was taken during the first 7 hours of the attack.
The number of transfers to the GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy wallet address is far higher than for the other addresses (even though, by volume, the htp… wallet was first, as seen above).
Moreover, after the first 7 hours the number of transfers related to the hack decreased dramatically, possibly due to the network shutdown by the Solana team and to users taking action to secure their wallets and assets.
The chart on the left shows the hourly volume of stolen assets over time by destination address (hacker wallet), along with the assets that were transferred.
The interesting result is that the highest volume of stolen assets was taken during the first 2 hours of the attack, before the start of 3rd August.
As seen before, the highest volume of assets was transferred to the htp… wallet address.
Also, although the number of transfers stayed highest for the first 7 hours, the volume of transfers decreased dramatically after the first 2 hours.
So we may conclude that the hacker planned in advance to steal the highest volume of assets in the first hours of the attack.
The chart on the left shows the cumulative volume of stolen assets during the attack.
On this chart the highest volume of transfers again falls within the first 2 hours (as on the previous chart), and the impact of those high-volume transfers is clearly visible, especially for the htp… and cez… wallet addresses, which received the highest stolen asset volume.
Also, the only wallet that remained active after 3rd August is cez…; there are no further transfers to the other 3 wallets after that date.
The chart on the left shows the cumulative volume of stolen assets over time and, as said before, USDC and SOL are by far the most stolen assets during the attack.
The interesting thing is that all of the USDC volume was stolen during the first hours of the attack, since there is no trace of stolen USDC after the first hours.
The chart on the left shows the top 10 compromised wallets by financial loss.
7DBK3Mz1MxrTXVVwfJBk9aDQ9Wc5nwG3qa3K8rqeoaHX lost by far the most volume of assets during this attack, more than 478k USD!
After that, with a significant gap from the top victim, the Exi964mWHtpazeVMo4nuEjeYzxRzo1ANt5yyREXvBRFc address has the second highest stolen volume (more than 242k USD).
The chart on the left shows that most victims lost only between 10 and 50 USD, followed by users who lost between 100 and 250 USD.
About 5% of wallets lost more than 20,000 USD.
Finally, the chart on the left shows the top 10 assets with the highest stolen volume.
As discussed before, USDC and SOL have the highest stolen volume among all assets.
USDT is in 3rd place.
Based on the above analysis:
- The total number of compromised wallets during the Solana hack of August 2022 is 10631 unique wallets.
- The total stolen USD volume during this hack is $5158829.44.
- Most of the stolen volume belongs to the USDC and SOL assets.
- Most of the stolen volume was taken during the first 2 hours of the attack.
- Most of the transfers related to the hack occurred during the first 7 hours of the attack.
- The exploiter wallet address Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV received the highest volume of stolen assets.
- The victim wallet address 7DBK3Mz1MxrTXVVwfJBk9aDQ9Wc5nwG3qa3K8rqeoaHX suffered the highest financial loss (more than 478k USD).
- Most victims lost between 10 and 50 USD during this attack.
Ultimately, the analysis concluded that such an attack could affect any network, not just Solana. Users should make sure their assets are always secure by holding large balances in safe places such as hardware wallets, whose private keys never leave the device. Moreover, they should keep up with news and events about their assets so that they can take the correct action in the first moments of an exploit like this.
==Discord: Ali3N#8546==
Methodology:
Based on the link provided by the bounty question and also Solscan's official tweet, there are 4 wallet addresses related to the hack transactions:
- Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV
- GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy
- 5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3
- CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu
So, to detect the exploit transactions, we should analyze the transfers whose destination is one of the 4 wallets above and which took place after 1 August 2022 (based on the bounty question and also news on the web).
To calculate the USD volume (since there is no price table among the Solana tables on Flipside), I have used the solana.core.fact_swaps table, filtering the swaps whose To_Asset is one of the USD stablecoins and whose From_Asset is an asset stolen during the hack. In this way we can derive the USD price of each stolen asset from the price at which it was swapped to a USD stablecoin on a specific date (which is then joined to the transfers for the further results).
Moreover, since according to the bounty question and also news on the web the hack may still be continuing, I have not set a filter on the end date.
So, based on the above facts, I am going to:
- Calculate the total number of victim wallets.
- Calculate the total stolen volume in USD.
- Calculate the total number of unique stolen assets.
- Analyze the stolen assets, their counts and their values.
- Analyze the 4 exploiter addresses and the volume they received.
- Analyze the top wallets with the largest financial loss.
- Analyze the distribution of wallets by funds lost.
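The methodology above (filter transfers into the 4 exploiter wallets from 1 August 2022 onward, derive each asset's daily USD price from swaps into a stablecoin, join the two, and aggregate) as an added, runnable example. This is not the dashboard's own Flipside query: it runs the same join in an in-memory SQLite database over constructed rows, and the table and column names are simplified assumptions loosely modelled on solana.core.fact_transfers and solana.core.fact_swaps, not their real schema.

```python
import sqlite3

# The 4 exploiter addresses named in the methodology.
EXPLOITER_WALLETS = (
    "Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV",
    "GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy",
    "5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3",
    "CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu",
)
# Constructed sample rows (assets are identified by symbol here instead of mint address).
TRANSFERS = [  # (block_date, tx_from, tx_to, mint, amount)
    ("2022-08-02", "victimA", EXPLOITER_WALLETS[0], "SOL", 10.0),
    ("2022-08-02", "victimA", EXPLOITER_WALLETS[0], "USDC", 250.0),
    ("2022-08-03", "victimB", EXPLOITER_WALLETS[3], "SOL", 2.0),
    ("2022-07-30", "victimC", EXPLOITER_WALLETS[1], "SOL", 99.0),  # before 1 Aug: excluded
    ("2022-08-02", "victimD", "someOtherWallet", "SOL", 5.0),     # not an exploiter: excluded
]
SWAPS = [  # (block_date, swap_from_mint, swap_from_amount, swap_to_mint, swap_to_amount)
    ("2022-08-02", "SOL", 1.0, "USDC", 40.0),
    ("2022-08-02", "SOL", 2.0, "USDT", 84.0),    # Aug 2 SOL price = (40+84)/(1+2) = 41.33
    ("2022-08-03", "SOL", 1.0, "USDC", 38.0),
    ("2022-08-02", "SOL", 1.0, "BONK", 5000.0),  # not swapped to a stablecoin: ignored
]

QUERY = """
WITH prices AS (  -- volume-weighted daily USD price from swaps into USD stablecoins
  SELECT block_date, swap_from_mint AS mint,
         SUM(swap_to_amount) / SUM(swap_from_amount) AS usd_price
  FROM swaps WHERE swap_to_mint IN ('USDC', 'USDT')
  GROUP BY block_date, swap_from_mint
), hack AS (  -- transfers into the exploiter wallets on or after 1 Aug 2022, no end date
  SELECT * FROM transfers WHERE tx_to IN ({placeholders}) AND block_date >= '2022-08-01'
)
SELECT COUNT(DISTINCT h.tx_from) AS victims, COUNT(DISTINCT h.mint) AS assets,
       ROUND(SUM(h.amount * CASE WHEN h.mint IN ('USDC', 'USDT') THEN 1.0
                                 ELSE p.usd_price END), 2) AS usd_volume
FROM hack h LEFT JOIN prices p ON p.mint = h.mint AND p.block_date = h.block_date
"""

def summarize(transfers=TRANSFERS, swaps=SWAPS):
    """Return victim count, unique stolen assets and stolen USD volume for the sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE transfers(block_date, tx_from, tx_to, mint, amount REAL)")
    con.execute("CREATE TABLE swaps(block_date, swap_from_mint, swap_from_amount REAL,"
                " swap_to_mint, swap_to_amount REAL)")
    con.executemany("INSERT INTO transfers VALUES (?,?,?,?,?)", transfers)
    con.executemany("INSERT INTO swaps VALUES (?,?,?,?,?)", swaps)
    sql = QUERY.format(placeholders=",".join("?" * len(EXPLOITER_WALLETS)))
    victims, assets, usd = con.execute(sql, EXPLOITER_WALLETS).fetchone()
    return {"victims": victims, "assets": assets, "usd_volume": usd}

if __name__ == "__main__":
    print(summarize())  # 2 victims, 2 assets, 10*41.33 + 250 + 2*38 = 739.33 USD
```

An asset with no stablecoin swap on a given day gets no price and is left out of the USD sum (the LEFT JOIN yields NULL), which is the gap the dashboard's price method also has.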