Phantom Confirms Wallet Security Following Solana Library Vulnerability
Phantom, a crypto wallet provider on the Solana blockchain, has confirmed that its platform remains secure despite malicious code being published in two versions of the @solana/web3.js library, the JavaScript SDK most Solana applications depend on. The wallet provider stated that it never used the compromised versions (1.95.6 and 1.95.7), assuring users that their wallets and funds are unaffected.
The issue was first reported by Solana developer Trent.sol, who warned that the compromised versions could leak private keys, endangering user funds. He recommended an immediate upgrade to version 1.95.8, the first clean release, and advised services with blacklisting capabilities to block the specific wallet addresses associated with the exploit.
Users responded positively to Phantom's security assurance, with some praising its handling of the situation. However, there were suggestions for additional security measures to prevent potential wallet draining.
Other Solana Projects Respond to the Web3.js Library Issue
Other projects on the Solana blockchain have also reacted to the incident. Solflare, another wallet provider, announced that it is not affected: it pins its dependency versions rather than accepting whatever the registry serves, and reviews code changes both manually and with automated tooling. Solflare stated:
“Solflare is not impacted by the recent issue with solana/web3.js. We enforce version locking and conduct rigorous code reviews, both manual and automated, to protect against supply-chain attacks. Your keys remain safe and secure with Solflare.”
Similarly, Drift, a decentralized exchange on Solana, confirmed it was not affected by the vulnerability, noting that its codebase does not rely on the compromised library versions.
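The two mitigations reported above, upgrading past the compromised releases and enforcing version locking, can both be checked mechanically. The following JavaScript is an added example written for this article, not code from Phantom, Solflare, Drift, Socket or the @solana/web3.js project; the lockfile contents and the dependency name `some-sdk` are constructed for illustration. It walks an npm package-lock.json for every installed copy of @solana/web3.js, including nested copies pulled in by other dependencies, flags any at 1.95.6 or 1.95.7, and shows that a caret or tilde range such as `^1.95.5` would admit those releases on a fresh install while an exact pin would not.

```javascript
// Added example for this article, not code from any project named in it:
// audit an npm lockfile and package.json ranges for the two @solana/web3.js
// releases that carried the key-stealing code. Runs offline; the lockfiles
// near the bottom are constructed samples.

const PACKAGE = "@solana/web3.js";
const COMPROMISED = ["1.95.6", "1.95.7"]; // releases reported as malicious
const FIXED = "1.95.8";                   // first clean release

// Minimal semver helpers: major.minor.patch only, no prerelease tags.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Would this package.json range let a fresh install (no lockfile) choose
// `version`? Supports exact pins, ^ (same major; same minor when the major
// is 0) and ~ (same minor). Anything else is treated as an exact pin.
function rangeAllows(range, version) {
  const r = range.trim();
  if (r.startsWith("^") || r.startsWith("~")) {
    const base = r.slice(1);
    if (compare(version, base) < 0) return false;
    const [bMaj, bMin] = parse(base);
    const [vMaj, vMin] = parse(version);
    if (r.startsWith("~") || bMaj === 0) return vMaj === bMaj && vMin === bMin;
    return vMaj === bMaj;
  }
  return compare(r, version) === 0;
}

// Which of the compromised releases does a declared range admit?
function rangeAdmitsCompromised(range) {
  return COMPROMISED.filter((v) => rangeAllows(range, v));
}

// Return every install path in a package-lock.json that resolves PACKAGE to a
// compromised version. lockfileVersion 2/3 files list every installed copy in
// a flat "packages" map keyed by path; version 1 files nest copies under
// "dependencies". Nested copies matter: a transitive dependency can pull in
// the bad release even when the top-level copy is pinned.
function findCompromised(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith(`node_modules/${PACKAGE}`) && COMPROMISED.includes(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE && COMPROMISED.includes(entry.version)) hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed lockfileVersion 3 sample: the top-level copy was resolved to
// 1.95.7 from a caret range; the hypothetical dependency "some-sdk" carries
// its own older, clean copy.
const sampleLockV3 = {
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", dependencies: { [PACKAGE]: "^1.95.5", "some-sdk": "1.0.0" } },
    [`node_modules/${PACKAGE}`]: { version: "1.95.7" },
    "node_modules/some-sdk": { version: "1.0.0" },
    [`node_modules/some-sdk/node_modules/${PACKAGE}`]: { version: "1.95.3" },
  },
};

// Constructed lockfileVersion 1 sample: the bad release arrives only transitively.
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: { "some-sdk": { version: "1.0.0", dependencies: { [PACKAGE]: { version: "1.95.6" } } } },
};

for (const [label, lock] of [["v3", sampleLockV3], ["v1", sampleLockV1]]) {
  for (const hit of findCompromised(lock)) {
    console.log(`[${label}] ${hit.path} resolves to ${PACKAGE}@${hit.version}; upgrade to ${FIXED}`);
  }
}
for (const range of ["^1.95.5", "~1.95.0", "1.95.5", `^${FIXED}`]) {
  const bad = rangeAdmitsCompromised(range);
  console.log(`range ${range}: ${bad.length ? "admits " + bad.join(", ") : "cannot pick up a compromised release"}`);
}
```

To audit a real project, replace the constructed `sampleLockV3` with the parsed contents of the project's own package-lock.json. The range matcher is deliberately small; npm's full semver grammar (`>=`, `||`, `x` wildcards, prerelease tags) is not covered, so treat an unrecognised range as something to inspect by hand rather than as a pin.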
Security Challenges Persist for Blockchain Systems
The incident highlights ongoing security challenges for blockchain systems, whose clients sit on the same open-source package registries as everything else. Analysis indicates that the compromised library versions contained hidden code that captured private keys and sent them to an attacker-controlled destination. Because the keys themselves were exfiltrated, upgrading to 1.95.8 removes the backdoor but does not undo the exposure: any key loaded by an application while it ran 1.95.6 or 1.95.7 should be treated as compromised and its funds moved to a fresh key.
Socket, a developer security platform, summarized the exposure for both developers and end users:
“Developers integrating these versions into their projects risk exposing their private keys. Users of applications relying on the compromised library may have their wallets drained if private keys are compromised,” Socket explained.