Solana hack can happen ‘on any blockchain’; Open-source code and user privacy are essential to prevent this – Brian Norton

(Kitco News) – Last Tuesday, $8 million in Solana was stolen from Slope, a company that holds crypto assets for its users. Slope’s centralized server stored seed phrases that belonged to its users. Hackers accessed the server, stole the phrases, and drained wallets.  

“Around August 2nd, a number of people saw wallet drains across multiple wallets,” said Brian Norton, COO of MyEtherWallet. “What we later came to learn was that most of these attacks were focused on one wallet, Slope Finance, which had been storing seed phrases in a centralized server… We saw mostly Solana being drained, but we saw a few cases of Ethereum being drained from certain wallets, because those seed phrases had been imported by users into other wallets.”

He pointed out, however, that the Solana source code itself was not compromised; rather, this appeared to be a problem with Slope’s security.

Norton spoke with David Lin, Anchor and Producer at Kitco News.

The Need to Safeguard Wallets

When a user purchases a cryptocurrency, they hold it in a digital wallet. A wallet can be either offline or an online “hot wallet”; the latter can be prone to hacking if private wallet data are shared over a network.

“In the case of Slope and Solana, this is something that theoretically could happen on any blockchain,” said Norton. “Using closed-source, centralized wallet infrastructure is not the way to go. It needs to be [open-source] and it needs to be client-side.”

By “client-side,” Norton explained that he meant, “We [at MyEtherWallet] don’t have a backend database storing people’s phrases, storing people’s personal information. Your keys are your keys when you sign out of your wallets. Then nobody else has access to it, including us.”

He emphasized that cryptocurrency users need education on how to take self-custody of their own crypto assets, and how to securely store their keys. He recommended, among other measures, using an offline “hardware wallet,” and discussed the benefits of open-source wallet infrastructures.

“Make sure that [your] software wallet is open-source, and that it is entirely non-custodial, that there is no way they are storing your keys,” said Norton. “As soon as those keys end up in a centralized server, they become vulnerable to attack from multiple different vectors. You want to prevent that.”

Ethereum Merge

Norton’s company, MyEtherWallet, is, according to its website, a “free, open-source, client-side interface for generating Ethereum wallets & more.”

Given his company’s dealings with Ethereum, Norton commented on the upcoming Ethereum merge, which is intended to transition the cryptocurrency from a proof-of-work to a proof-of-stake model.

“For the casual user who’s holding and trading [Ethereum], you’re probably not going to see that much difference,” he explained. “You might see a little bit higher transaction throughput, but beyond that, your user experience is going to remain primarily the same.”

He added that those who are running Ethereum validators “will be able to start to withdraw their stake and their rewards, and there will be more opportunities for new users to stake.”

