Slope
Experts find private keys on Slope servers, still puzzled over access
Blockchain analysis firms involved in Solana exploit investigation unpack the latest developments as teams try to figure out how private keys were stolen.
Blockchain auditing firms are still trying to figure out how hackers gained access to about 8,000 private keys used to drain Solana-based wallets.
Investigations are ongoing after attackers managed to steal some $5 million worth of SOL and SPL tokens on Aug. 3. Ecosystem participants and security firms are assisting in uncovering the intricacies of the event.
Solana has worked closely with Phantom and Slope.Finance, the two SOL wallet providers that had user accounts affected by the exploits. It has since emerged that some of the private keys that were compromised were directly tied to Slope.
Blockchain audit and security firms Otter Security and SlowMist assisted in ongoing investigations and unpacked their findings in direct correspondence with Cointelegraph.
Otter Security founder Robert Chen shared insights from first-hand access to affected resources in collaboration with Solana and Slope. Chen confirmed that a subset of affected wallets had private keys which were present on Slope's Sentry logging servers in plaintext:
"The working theory is that an attacker somehow exfiltrated these logs and were able to use this to compromise the users. This is still an ongoing investigation, and current evidence does not explain all of the compromised accounts."
Chen also told Cointelegraph that some 5,300 private keys which were not a part of the exploit were found in the Sentry instance. Nearly half of these addresses still have tokens in them - with users urged to move funds if they have not done so already.
The SlowMist team came to a similar conclusion after being invited to analyze the exploit by Slope. The team also noted that the Sentry service of Slope Wallet collected the user's mnemonic phrase and private key and sent it to o7e.slope.finance. Once again, SlowMist could not find any evidence explaining how the credentials were stolen.
Cointelegraph also reached out to Chainalysis, which confirmed that it was carrying out blockchain analysis on the incident after sharing initial findings online. The blockchain analysis firm also noted that the exploit mainly affected users that had imported accounts to or from Slope.Finance.
While the incident absolves Solana from bearing the brunt of the exploit, the situation has highlighted the need for auditing services of wallet providers. SlowMist recommended that wallets should be audited by multiple security companies before release and called for open source development to increase security.
Chen said that some wallets providers had "flown under the radar" when it came to security when compared to decentralized applications. He hopes to see the incident shift user sentiment towards the relationship between wallets and validation from external security partners.
Solana’s Investigation Indicates Wallet Exploit Tied to Slope Mobile App
Following the Solana wallet attack, the Solana Status team updated the public and detailed that the wallet addresses affected by the breach were tied to Slope mobile wallet applications. The team further stressed that “there is no evidence the Solana protocol or its cryptography was compromised.” Solana Status Report Says Affected Addresses Were at One […]Slope wallets blamed for Solana-based wallet attack
Web3 wallet provider Slope has been connected to the recent hack of Solana-based wallets.
As the dust settles from yesterday’s Solana ecosystem mayhem, data is surfacing that wallet provider Slope is largely responsible for the security exploit that stole crypto from thousands of Solana users.
Slope is a Web3 wallet provider for the Solana layer-1 (L1) blockchain. Through the Solana Status Twitter account on Aug. 3, the Solana Foundation pointed the finger at Slope stating that “it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications.”
After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. 1/2
— Solana Status (@SolanaStatus) August 3, 2022
Solana co-founder Anatoly Yakovenko also linked Slope wallets to the hack in his own personal Twitter account. He advised users to regenerate a seed phrase from a service other than Slope as soon as they can. He also told an affected user to “Start practicing the cold/hot wallet separation.”
Attacker is lazy at driving all the paths. A bunch of phantom users only saw their slope addresses get drained. I would advise anyone that touched slope to regenerate their seed phrase in a different wallet asap.
— SMS aey.sol, (@aeyakovenko) August 3, 2022
The Solana-based wallet exploits first surfaced on Aug. 2, after the community began reporting that their crypto wallets were being drained of their Solana (SOL) and other tokens. It is estimated that roughly $8 million in crypto was stolen from nearly 8,000 wallets.
Through its investigation, the Solana Foundation determined that the private keys for each of the wallets compromised in the exploit were “inadvertently transmitted to an application monitoring service” such as Slope.
It added that there was no evidence to suggest the Solana protocol or its cryptography was at risk from the attack.
Some reports abound that Slope may have logged user seed phrases on its centralized servers. The servers could have been compromised and leaked seed phrases, which a hacker could use to execute transactions.
Earlier reports of the attack on the day said that users of Slope and Phantom hot wallets were being targeted, leading many to believe there could be a broader issue with the Solana protocol, a however further analysis shared by Solana’s head of communications Austin Fedora found that the problem was isolated to just hot wallets.
Fedora said that while 60% of the victims of the attack were Phantom users, those affected did not generate their seed phrase using Phantom.
We spun up a Typeform to collect data and the results were clear – of those drained ~60% were Phantom users and 40% Slope users. But after extensive interviews and requests to the community, we couldn't find a single Phantom-forever user who had their wallet drained
— Austin Federa | sms (@Austin_Federa) August 3, 2022
Slope issued a statement addressing the status of its ongoing investigation into the incident on Wednesday confirming that “A cohort of Slope wallets were compromised in the breach,” including some belonging to its own staff.
Related: GitHub faces widespread malware attacks affecting projects, including crypto
The team urged users of Slope wallets to generate a new unique seed phrase and transfer all funds to it rather than keeping any funds on old wallets which could still be exploited later on. The Phantom team stepped up the warning by advising users to move their assets to a new non-Slope wallet.
