Solareum, a Telegram-based trading app facilitating Solana token transactions, has announced its closure following an exploit resulting in the loss of approximately $523,000 worth of SOL from user wallets.
The exploit, affecting over 300 Solana users, was initially linked to the popular Telegram trading bot BONKbot. However, the BONKbot team denied any security lapse and clarified that affected users had exported their private keys for use in other applications.
TLDR: BONKbot is SAFE, as always, and exporting your private key itself did NOT put you at risk. There has been an exploit with another Solana app.
More than half of the ~300 victims were non-BONKbot wallets.
The BONKbot users affected had imported their private key into a…
— BONKbot (@bonkbot_io) March 29, 2024
Responding to speculation, Solareum acknowledged the possibility of being exploited in a tweet and later confirmed the closure of its project due to a combination of factors, including insufficient funds, evolving market trends, and the recent security breach.
There may be a chance we got exploited.
— Solareum (@SolareumProject) March 29, 2024
The team expressed regret over the decision and cited ongoing efforts to secure additional funding and enhance security measures. Despite these efforts, the integrity of their systems was compromised by the breach, leading to concerns about user safety.
While Solareum pledged to contact authorities to freeze stolen assets if sent to centralized exchanges, there was no mention of compensating affected users.
The project’s Telegram channel reflects user frustration and demands for answers, with some threatening legal action if compensation plans are not announced.
BONKbot, initially suspected by the community, clarified that the exploit was linked to a specific application where users had imported their private keys. Following Solareum’s announcement, BONKbot confirmed the correlation, emphasizing collaborative efforts with the security community to identify the exploit’s origin.
<0.1% of BONKbot users who've exported their PK were affected. Our analysis strongly suggests the exploit occurred from those victims importing PKs into a specific application.
Data so far:
– total victims: 302
– BONKbot victims: 113
– keyExported from BONKbot: 113
– total SOL…
— BONKbot (@bonkbot_io) March 29, 2024
The BONKbot team refrained from publicly accusing Solareum, highlighting the need for further investigation to determine whether the breach was external or internal. They noted that their analysis indicated Solareum’s involvement before the announcement but stressed the need for access to Solareum’s codebase and logs for conclusive evidence.