This week, a large-scale hack resulted in around 6 million dollars of tokens being stolen from over 8,000 Solana wallets. The root cause identified is a wallet software compromise rather than a vulnerability in the Solana blockchain.
So what happened with the Solana wallet hack?
While the post-mortem investigation is still underway, it appears the seed phrases belonging to users of a wallet called "Slope" were compromised. Slope is a web-based non-custodial wallet, or "hot wallet," built on the Solana blockchain, similar to MetaMask on the Ethereum blockchain. Slope appears to have kept seed phrases in an unencrypted text file. The hackers were able to obtain the seed phrases of almost 8,000 wallets and proceeded to drain them. Slope released a statement acknowledging the situation but has said that an investigation is still underway and nothing is "firm yet."
Seed phrases are a way for users to retrieve their digital assets in case they lose their wallets or forget their passwords. The number one rule of storing a seed phrase is you never ever save it on a computer or a phone. Seed phrases are written on paper only. You do not take a picture of them. The idea is to never allow your seed phrase to exist on a device that can be hacked.
The upshot: This security incident shows once again that the best way to protect your digital assets is to store them on centralized exchanges or an external hardware wallet (cold wallet). This was not a blockchain breach. Instead, it's a company failing to follow IT security best practices.
UPDATE: Slope Wallet has offered a 10% bounty to the hackers if they return the stolen funds, and promised not to pursue any legal action if the funds are returned within 48 hours.