Solana $SOL reputation is turnishing. A poor implementation of Ed25519, a popular digital signature algorithm, has left dozens of cryptography libraries such as Phantom vulnerable to attacks.
Rank: 11
According to Bloomberg press release, “estimates of the damage vary. Just over $5.2 million in cryptoassets have been stolen so far from more than 7,900 Solana wallets, according to blockchain forensics firm Elliptic. Security company PeckShield said four Solana wallet addresses drained approximately $8 million from victims.”
What Is Solana ($SOL)?
Solana is a highly functional open source project that banks on blockchain technology’s permissionless nature to provide decentralized finance (DeFi) solutions. While the idea and initial work on the project began in 2017, Solana was officially launched in March 2020 by the Solana Foundation with headquarters in Geneva, Switzerland. Reference(1)
Another theory may suggest the Solana hack is due to wallets using compromised code that exposes private keys. If so, you’d want to move funds offline into a cold storage hardware wallet or an exchange with high liquidity.
Where’s your Ed at?
Ed25519 is often used as a modern replacement for the Elliptic Curve Digital Signature Algorithm (ECDSA). Ed25519 is more open, secure, and faster than ECDSA, which is why it has become very popular in many sectors, especially in blockchain and cryptocurrency platforms.
In cryptography, it’s good hygiene to avoid accessing the private key many times. If they allowed the public key derivation on each signing invocation, then this implies they need to access it twice, once to sign, and once to derive the public key. However, the modification also creates a security loophole in the library.
Numerous security incidents have shown that poor random generation can result in private keys being leaked or stolen. One notable example was the private key leaks of PlayStation 3, whose technology relies on the ECDSA algorithm.
Last Updated on 12/28/2022 by Emmanuel Motelin
