The Solana Cyber-attack: What now?
Hackers have been targeting various areas of the crypto market, including bridges, exchanges and wallets. One such example was the major cyber-attack on the Solana ecosystem (Solana) in August 2022, which raised questions about the security of the underlying cryptoassets and caused losses to investors across the globe.
What is Solana?
Solana is an advanced blockchain project, similar in functionality to Ethereum, but which claims to process the information passing through the chain at a much faster rate. Launched in 2017, it seeks to do this through the adoption of a unique mechanism that combines proof-of-history with speedy synchronisation, processing thousands of transactions per second (TPS) (whereas other blockchains report only tens or hundreds of TPS).
Solana has a number of crypto wallets, such as Phantom, Solflare and Slope. Crypto wallets store certain information on cryptoassets, such as private keys (the passwords that provide access to the digital asset).
How did the cyber-attack happen?
Solana announced on its website that on 2 August 2022 the private keys for some Solana wallets were "leaked or compromised, and were used to sign malicious transactions". It is believed that a technical vulnerability in the software used in Slope, one of the wallets on Solana's blockchain, was the cause of the hack. Slope acknowledged on its website that although there is "no conclusive evidence" the vulnerability was the cause of the exploit, the fact that it happened puts assets in danger.
Solana has said that, following investigation by developers, analytics companies and security auditors, the fault resulted in the private keys being inadvertently transmitted to the central server. The information passed to the server was encrypted so that only a person with access to the decryption key could read it. Further, the central server uses three-factor authentication to control access.
However, in this case, by methods still under investigation, four hackers were subsequently able to use the transmitted private keys to initiate and approve transactions on behalf of the wallet users. Slope wallets, as well as Phantom and Trust wallets, were compromised. These were all hot wallets (internet-connected wallets), as opposed to cold wallets (devices not connected to the internet, on which cryptoasset information is stored offline).
The stolen assets included SOL (Solana's cryptocurrency), a small number of non-fungible tokens (NFTs) and Solana-based tokens. Solana has said the attackers took $4.1 million USD worth of assets.
What options are there for those affected?
Those whose cryptoassets have been stolen are likely to be spread across the globe and will therefore need to assess what legal recourse they may have, and where to bring such claims. First, they should check the terms and conditions of their wallets, to assess the governing law and dispute resolution provisions.
For individuals domiciled in England, the English Courts have, to date, been receptive to taking jurisdiction over disputes involving fraud or theft of digital assets. In Ion Science Ltd and Duncan Johns v Persons Unknown and others (Unreported), 1 December 2020 (Commercial Court), the court granted an application for a freezing order, a proprietary injunction and ancillary disclosure, where the governing law was English law. It was held that the lex situs (location for legal purposes) of a cryptoasset is the place where the person who owns it is domiciled and that the English Court therefore had jurisdiction for these applications.
The courts have also demonstrated that they are willing to grant remedies in a gradually expanding number of situations. In Vorotyntseva v Money-4 Ltd [2018], the High Court granted a freezing injunction in respect of cryptocurrency against a defendant company and its directors where funds were dissipating as a result of an agreed transaction. Ion Science Ltd, noted above, also provided that a third-party debt order can be granted in relation to cryptocurrency. And in both Danisz v Persons Unknown [2022] and Lavinia Osbourne v Persons Unknown and Ozone Networks Inc [2022], the High Court has provided that cryptoassets can be considered a form of property for the purposes of granting an injunction.
From an English law perspective, steps that victims of the Solana hack may pursue include, without limitation:
- Engaging with exchanges and experts in on-chain research to trace the cryptoassets from the compromised wallet to their new accounts (as the distributed ledger will record all subsequent transactions).
- Obtaining a disclosure or information order against the exchange to identify the hackers responsible for misappropriating the cryptoassets or the owners of wallets to whom the digital assets were transferred.
- Seeking a proprietary injunction to prevent the hackers from dealing with the assets over which the claimant asserts title.
- Bringing a claim against Solana, the blockchain provider, for negligence. The mere fact that there was a security breach, however, will not necessarily mean there is a successful case against them, as Solana may be able to show they had sufficient security arrangements in place, despite the hack.
- Bringing a claim against Slope, the third-party wallet provider, in a claim for breach of contract or negligence in failing to secure the wallets. In this case, Slope would want to demonstrate that the criteria for such a breach or for negligence were not met.
Lessons learned and implications of such attacks
Blockchain technology has been designed to make transactions secure and transparent. However, in the case of hot wallets, the Solana attacks make it clear that the cyber security of those wallets is critical.
One possible solution is the use of cold wallets, especially for long-term investors who plan to hold their digital assets for a period of time as a store of value. However, this may not be feasible for investors who are regularly trading their cryptoassets. They may need the convenience and speed that hot wallets can offer.
Such investors should conduct their own due diligence on the exchange they intend to deal with and any of the third parties they work with. Whether the exchange offers crypto insurance is also an important consideration to be taken into account when deciding what platform to deal with.
Such attacks are drawing regulators' attention to crypto exchanges. For example, in the US, the New York State Department of Financial Services has recently given out $30 million USD in fines for transaction monitoring and cybersecurity compliance failures (see our article: NYDFS Flexes Enforcement Muscle In Crypto Markets With $30 Million AML And Cybersecurity Fine And Draft Cybersecurity Amendments). It remains to be seen how and when further action by regulators will follow.
Note to the reader
Please note that this information is up-to-date as at the date of publication.