Following the Solana wallet attack, the team responsible for analyzing the hack informed the public and clarified that the wallet addresses affected by the hack were linked to the Slope mobile wallet apps. The team also noted that “there is no evidence that the Solana protocol or its cryptography has been compromised”.
Solana’s status report indicates that the affected addresses were created at some point in the Slope mobile wallet applications.
Seems like an iOS supply chain attack. Multiple plausible wallets that only received sol and had no interactions beyond receiving have been affected. https://t.co/ne0g3ZmLH5
As well as keys that were imported into iOS, and generated externally. https://t.co/hStAr1mU6Q
– aey.sol 🇺🇸 (@aeyakovenko) August 3, 2022
In the past 48 hours, the Solana team has had to deal with an attack that compromised thousands of Solana-based wallets. At the time, Solana Labs co-founder and CEO Anatoly Yakovenko said he thought the exploit was likely from a blockchain attack. He explained that both iOS and Android wallets were affected: “most of the reports are from Slope, but also from a few Phantom users.”
On August 3, 2022, the Solana Status Twitter account explained that the addresses affected by the hack were related to Slope mobile wallet apps. “After an investigation by developers, ecosystem teams, and security auditors, it appears that the affected addresses were at some point created, imported, or used in Slope mobile wallet apps,” writes Solana Status. “This exploit was isolated to a wallet on Solana, and the hardware wallets used by Slope remain secure.” Solana Status said:
While the details of exactly how this happened are still under investigation, private key information was inadvertently transmitted to an application monitoring service. There is no evidence that the Solana protocol or its cryptography was compromised.
This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure.
While the details of exactly how this occurred are still under investigation, private key information was inadvertently transmitted to an application monitoring service. 2/3
– Solana Status (@SolanaStatus) August 3, 2022
Slope Finance has issued an official statement on the hack and its responsibility: “A cohort of Slope wallets were compromised in the breach. We have some assumptions as to the nature of the breach, but nothing is firm yet, and we feel the pain of the community, and we were not immune. The wallets of many of our employees and founders were emptied.” Slope also added that the team was actively conducting internal investigations and audits, while working with security and audit groups.
Security experts say Slope’s seed phrases were recorded in plain, readable text.
In its official statement, the Slope team recommended that Slope wallet users “create a new wallet with a unique seed phrase and transfer all assets to this new wallet.” Slope added:
If you use a hardware wallet, your keys have not been compromised.
Data from Dune Analytics shows that the number of unique addresses affected by the breach is higher than initially reported. The statistics show that 9,223 unique addresses were affected and $4,088,121 in crypto was stolen. Most of the stolen assets were SOL and USDC.
Over $4M was drained from Solana wallets over the past 2 days. We’ve been working directly with @solana and @slope_finance to investigate.
Here’s what we found. pic.twitter.com/Ny1gwuJfIb
– OtterSec (@osec_io) August 4, 2022
OtterSec says that the mnemonic phrases transferred to Slope’s server were stored in readable text. The Slope wallet team reportedly stored the mnemonics in debugging software via a centralized Sentry server. OtterSec’s security experts detailed that “anyone with access to Sentry could access users’ private keys”. OtterSec also noted that Slope’s team was “very helpful in sharing hacking-related data.”
We have independently confirmed that Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server.
These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys. pic.twitter.com/PkCFTeQgOP
– OtterSec (@osec_io) August 4, 2022
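The failure OtterSec describes above (key material reaching an error-monitoring service and sitting there in plaintext) is normally addressed in two layers: never pass mnemonics or secret keys into logging or telemetry code paths at all, and scrub outbound events as a backstop in case something slips through. The following is an added example, not Slope's code and not Sentry's, of that backstop in Python: a pure-Python scrubber with heuristic patterns (assumptions, listed in the comments) shaped so it can be registered as the `before_send` callback of the sentry_sdk Python client. The sample event is constructed; the phrase and keys in it belong to no wallet.

```python
import re
from typing import Any

# Heuristic patterns (assumptions for this example, not Slope's or Sentry's own rules):
# - mnemonic: a run of 12 to 24 lowercase words of 3-8 letters (BIP39-style seed phrase);
#   this over-matches long lowercase prose, which is an acceptable trade-off for telemetry
# - base58 secret key: a Solana keypair exported as base58 is 64 bytes -> 87-88 characters
# - keypair array: the Solana CLI keypair file format, a JSON array of 64 byte values
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8}[ \t]+){11,23}[a-z]{3,8}\b")
BASE58_KEY_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{87,88}\b")
KEYPAIR_ARRAY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")

# Applied in this order so the most structured match is taken before broader ones.
PATTERNS = [
    ("keypair-array", KEYPAIR_ARRAY_RE),
    ("base58-key", BASE58_KEY_RE),
    ("mnemonic", MNEMONIC_RE),
]


def scrub_text(text: str) -> str:
    """Replace anything that looks like wallet key material with a labelled marker."""
    for label, pattern in PATTERNS:
        text = pattern.sub(f"[REDACTED:{label}]", text)
    return text


def scrub_event(obj: Any) -> Any:
    """Return a copy of an event payload with every string value scrubbed.

    Walks the nested dict/list structure a monitoring SDK builds for an event
    (message, extra, breadcrumbs, contexts, ...); the input object is not modified.
    """
    if isinstance(obj, str):
        return scrub_text(obj)
    if isinstance(obj, dict):
        return {k: scrub_event(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub_event(v) for v in obj]
    return obj  # numbers, booleans, None pass through unchanged


def before_send(event: dict, hint: Any) -> dict:
    """Callback with the (event, hint) shape of sentry_sdk's before_send hook;
    register it with sentry_sdk.init(before_send=before_send). Returning None
    would drop the event entirely; here the scrubbed copy is always forwarded."""
    return scrub_event(event)


# Constructed sample event: a made-up 12-word phrase, a base58-looking 88-character
# string and a 64-element byte array, the three shapes the patterns above cover.
SAMPLE_EVENT = {
    "message": "Failed to import wallet",
    "extra": {
        "mnemonic": "apple river stone candle meadow violet ember harbor lantern maple orbit pepper",
        "user_agent": "ExampleWallet/1.0 (iOS)",
    },
    "breadcrumbs": [
        {"message": "keypair loaded: " + "5" * 88},
        {"message": "raw bytes " + str(list(range(64)))},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(before_send(SAMPLE_EVENT, None), indent=2))
```

Scrubbing is deliberately lossy: a false positive costs a debugging detail, a false negative costs a wallet, so the patterns err toward redacting. The scrubber also runs on the device before the TLS connection is opened, which is the only place it helps; once the event is on the server, anyone with access to the monitoring dashboard can read it, as OtterSec notes.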