“After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications,” Solana revealed on Twitter. The blockchain platform said the Solana protocol and cryptography were not compromised. Slope has instructed its users to create a new wallet with a different seed phrase and transfer all their assets.
‘Private Key Compromise’ Led to Breach
On Wednesday, blockchain auditor OtterSec, which worked with Solana and Slope to investigate the breach, said the fact that illegal transactions were being signed by wallet owners indicates “some sort of private key compromise.”
“We have independently confirmed that Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server,” OtterSec tweeted on Thursday after further investigation. “These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys.” Solana echoed this on Twitter, saying, “private key information was inadvertently transmitted to an application monitoring service.”
Slope has taken steps to fix the breach. “The server-side logging was removed as soon as the vulnerability was discovered,” the Slope team said.
The stolen assets include Solana, Bitcoin, Ethereum, USD Coin, and Tether, among others, and the affected wallets include Slope, Phantom, Solflare, and TrustWallet. Blockchain analytics company Elliptic said $5.8 million was stolen from 7,947 wallets—$2.8 million in USDC, $1.8 million in SOL, and $1.4 million worth of other crypto assets. However, OtterSec said a total of $4,088,121 was stolen from over 9,200 wallets.
It is unclear who was behind this breach. A cybersecurity expert who worked with OtterSec to investigate the attack disclosed on Twitter that the stolen assets were transferred to four addresses, and all four wallets were funded by a single wallet shortly before the attack. Meanwhile, Slope said it has informed relevant law enforcement agencies to investigate the breach.
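The root cause described above is a seed phrase reaching an application monitoring backend inside a crash report. Slope's fix was to remove the server-side logging; the client-side counterpart is to scrub secrets from every event before it leaves the device. The following is an added example, not Slope's or Sentry's code: a Python hook shaped like an error-monitoring SDK's `before_send` callback (the callback name and event layout are assumptions), run over a constructed event, using a length-and-shape heuristic for BIP-39 phrases rather than a wordlist lookup.

```python
import re
from typing import Any

REDACTED = "[REDACTED]"

# Field names whose values must never reach a telemetry backend, whatever they contain.
SENSITIVE_KEYS = ("mnemonic", "seed", "private_key", "secret_key", "passphrase")

# BIP-39 seed phrases are 12 to 24 lowercase words of 3-8 letters each. This is a
# shape heuristic, not a wordlist check: it will also redact some long runs of
# ordinary lowercase prose, which is the right failure mode for crash telemetry.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8}[ \t]+){11,23}[a-z]{3,8}\b")


def scrub(value: Any, key: str = "") -> Any:
    """Recursively redact secrets from a telemetry payload before it is sent."""
    if any(marker in key.lower() for marker in SENSITIVE_KEYS):
        return REDACTED
    if isinstance(value, str):
        return MNEMONIC_RE.sub(REDACTED, value)
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value  # numbers, booleans, None pass through unchanged


def before_send(event: dict, hint: Any = None) -> dict:
    """Hook shaped like an error-monitoring SDK's before_send callback (assumed API)."""
    return scrub(event)


# Constructed event resembling a wallet-restore failure that captured user input.
SAMPLE_EVENT = {
    "message": "restoreWallet failed",
    "extra": {
        "mnemonic": "abandon ability able about above absent absorb abstract absurd abuse access accident",
        "stack": "Error: bad checksum for 'zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong'",
        "attempt": 2,
    },
    "user": {"id": "user-123"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(before_send(SAMPLE_EVENT), indent=2))
```

Scrubbing on the client is defence in depth only: the monitoring backend should still be treated as a system that may receive secrets, with access controls and retention limits to match.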
Hardware Wallets Are More Secure
Solana and Slope confirmed that hardware wallets were not compromised in the attack. Solana “strongly encouraged” users to switch to hardware wallets and create a new seed phrase. “If you are using a hardware wallet, your keys have not been compromised,” Slope said in a statement. Hardware wallets keep private keys on a dedicated offline device, so they are not exposed to internet-based attacks like this one.
There has been an uptick in crypto-related breaches, and hackers seem to be targeting hot wallets (or online wallets). In May, Microsoft researchers discovered a new malware, dubbed Cryware, that targets hot wallets. In June, researchers at Confidant revealed that hackers were cloning crypto wallets like Coinbase and MetaMask to steal users’ assets.
Solana has instructed users to consider affected wallets “compromised, and abandoned.” If you were a victim of this attack, you can complete this survey from the Solana Foundation. OtterSec has also invited affected users to fill out a form. To learn more about the latest security threats to cryptocurrencies and how to protect your digital assets, check out our article on the top Bitcoin and cryptocurrency scams of 2022.