
It looks like Solana is first ever blockchain to have private | Jared Tate

It looks like Solana is the first-ever blockchain to have private keys compromised at protocol level. There is a bad cryptography library they use that is vulnerable to private key theft. This will be a first of its kind to take down an entire blockchain if this is proven to be the source of Solana wallets getting drained. But it seems likely.

A poor implementation of Ed25519, a popular digital signature algorithm used by many cryptos including Solana, has left dozens of cryptography libraries vulnerable to attacks.

Solana uses ed25519-dalek, which hasn't been patched for this known vulnerability discovered earlier this year.

https://github.com/MystenLabs/ed25519-unsafe-libs

"Chalkias initially found 26 libraries that were vulnerable to the attack. The list was later extended to 40 libraries. The security researcher also found several online services that were vulnerable to the same kind of attack, including a fintech API.

“In some applications when keyGen fails or a clean-up process deletes the privKey for this user, then the app usually retries keyGen. But in the meantime and for a few sec[ond]s, the DB [database] still stored the old , and this allowed a narrow window for race condition attacks before the DB gets updated with the new pubKey (a scenario that, surprisingly, we managed to exploit with significant probability),” Chalkias noted."

Verify Solana Rust library here: https://docs.rs/solana-ed25519-dalek/0.2.0/solana_ed25519_dalek/

https://openbase.com/rust/solana-ed25519-dalek

Learn more here: https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft