2022-08-10

Unknown attackers were able to loot thousands of Solana cryptocurrency wallets. According to initial analyses, it was the Slope wallet software that exposed the private keys.

In the case of the looted Solana wallets, the cause could lie in the Slope wallet software. An initial investigation showed that the affected addresses were probably all either generated with Slope's mobile wallet app and then possibly imported elsewhere, or at least temporarily managed within that app, the Solana project said.

Apparently, Slope then inadvertently transmitted private keys to an application monitoring service, according to the Solana project. Which service was involved and whether the attackers were able to pick up the keys there remains open; details are still under investigation. Neither Solana's protocol nor its cryptography were compromised in this case, Solana emphasized.

Private keys in plain text on the server

Slope has now accepted at least some of the blame. An investigation by the security firm Ottersec, which Slope commissioned, showed that Slope's mobile wallet forwarded cryptographic seed phrases to Slope's own server over a TLS-encrypted connection. According to Ottersec, the seeds were then stored in plain text in log files, so anyone with access to the server could have used them. All keys of a wallet can be derived from its seed, and with them all funds assigned to those keys can be controlled.
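To make concrete why a leaked seed phrase is equivalent to leaking every key of the wallet, the following added example (written for this page, not code from Slope, Ottersec or the Solana project) walks the standard derivation chain in pure Python: BIP-39 turns the mnemonic into a 64-byte seed, and SLIP-0010 derives hardened ed25519 child keys from it. The derivation path m/44'/501'/<account>'/0' is assumed here because it is a BIP-44 style path commonly used by Solana wallets (501 is Solana's coin type); other wallets use slightly different paths, but every account still hangs off the one seed. Mnemonic checksum validation and the final ed25519 public-key computation are left out, since neither changes the point.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
import unicodedata

HARDENED_OFFSET = 0x80000000

# Assumed path template (see lead-in): one account index per derived key, all from one seed.
SOLANA_PATH_TEMPLATE = "m/44'/501'/{account}'/0'"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: mnemonic sentence -> 64-byte binary seed.

    PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase, both NFKD-normalised.
    Word-list and checksum validation of the mnemonic is deliberately skipped here.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def slip10_ed25519_master(seed: bytes) -> tuple[bytes, bytes]:
    """SLIP-0010 master node for ed25519: (32-byte private key, 32-byte chain code)."""
    digest = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def slip10_ed25519_child(key: bytes, chain_code: bytes, index: int) -> tuple[bytes, bytes]:
    """One hardened child-derivation step (SLIP-0010 defines no non-hardened ed25519 children)."""
    if index < HARDENED_OFFSET:
        raise ValueError("SLIP-0010 ed25519 only supports hardened derivation")
    data = b"\x00" + key + struct.pack(">I", index)
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def derive_private_key(seed: bytes, path: str) -> bytes:
    """Walk a path like m/44'/501'/0'/0' and return the 32-byte ed25519 private key."""
    key, chain_code = slip10_ed25519_master(seed)
    for component in path.split("/")[1:]:
        if not component.endswith("'"):
            raise ValueError(f"non-hardened component {component!r} not allowed for ed25519")
        index = int(component[:-1]) + HARDENED_OFFSET
        key, chain_code = slip10_ed25519_child(key, chain_code, index)
    return key


def solana_account_keys(mnemonic: str, passphrase: str = "", accounts: int = 3) -> list[bytes]:
    """Every account key the wallet would use, all recoverable from the single seed phrase."""
    seed = bip39_seed(mnemonic, passphrase)
    return [derive_private_key(seed, SOLANA_PATH_TEMPLATE.format(account=i)) for i in range(accounts)]


if __name__ == "__main__":
    # Constructed sample mnemonic (the well-known BIP-39 all-zero-entropy phrase); never reuse it.
    demo = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"
    for i, sk in enumerate(solana_account_keys(demo)):
        print(f"account {i}: {sk.hex()}")
```

Whoever holds the 12 or 24 words (or the 64-byte seed they expand to) can rerun exactly this computation for as many account indices as they like, which is why a logged seed compromises accounts that were later created or moved to another wallet app, and why the only remedy is a fresh seed, not a new account under the old one.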

However, Ottersec explained that only 1,400 of the addresses plundered in the hack could also be found on the Slope server; many more addresses are affected. This discrepancy and other possible attack vectors are still being investigated. The server also holds over 5,300 private keys for addresses that have not yet been emptied. Slope users should therefore immediately move their funds to new wallets.

Slope added that the server-side storage was switched off immediately as soon as this "security gap was discovered". How Slope's wallet app came to behave essentially like malware remains open. Slope continues to work with security firms and the Solana Foundation to uncover further potential vulnerabilities. Until the "root cause" is found, the Slope developers also advise moving to new wallets with a fresh seed.
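The failure mode described above, a wallet app shipping its in-memory state to a monitoring service that then writes it to plain-text logs, is a general class of bug, and the article does not say how it arose at Slope. The following added example (not Slope's code; field names and the wallet data model are hypothetical and constructed for illustration) shows the vulnerable pattern of dumping a whole state object as error "context" next to a scrubber that strips key material before anything leaves the device, matching both on suspicious key names and on values shaped like a 12- or 24-word BIP-39 phrase.

```python
import json
import re

# Hypothetical field names; any key that looks like it holds key material is dropped outright.
SENSITIVE_KEY_RE = re.compile(r"mnemonic|seed|secret|private|passphrase|keypair", re.IGNORECASE)
# A run of exactly 12 or 24 lowercase words is treated as a BIP-39 phrase wherever it appears,
# so a phrase hiding under an unexpected key name or inside a debug list is still caught.
MNEMONIC_RE = re.compile(r"^[a-z]+(?: [a-z]+){11}$|^[a-z]+(?: [a-z]+){23}$")
REDACTED = "[REDACTED]"

DEMO_PHRASE = "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about"

# Constructed sample of what an in-memory wallet object might hold (not Slope's data model).
SAMPLE_WALLET_STATE = {
    "app_version": "1.2.3",
    "accounts": [{"pubkey": "11111111111111111111111111111111", "label": "main"}],
    "mnemonic": DEMO_PHRASE,
    "settings": {"network": "mainnet-beta", "recovery_phrase": DEMO_PHRASE},
    "debug": ["user opened send screen", DEMO_PHRASE],
}


def unsafe_report(error: str, wallet_state: dict) -> str:
    """Vulnerable pattern: serialise the whole object as error context and ship it as-is."""
    return json.dumps({"error": error, "context": wallet_state})


def scrub(value):
    """Recursively redact key material from any JSON-like structure."""
    if isinstance(value, dict):
        return {k: (REDACTED if SENSITIVE_KEY_RE.search(k) else scrub(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str) and MNEMONIC_RE.match(value.strip()):
        return REDACTED
    return value


def safe_report(error: str, wallet_state: dict) -> str:
    """Hardened pattern: scrub before serialising, so the transport and the log never see secrets."""
    return json.dumps({"error": error, "context": scrub(wallet_state)})


def leaks_phrase(report: str, phrase: str) -> bool:
    """True if the serialised report still contains the phrase verbatim."""
    return phrase in report


if __name__ == "__main__":
    print("unsafe leaks phrase:", leaks_phrase(unsafe_report("tx failed", SAMPLE_WALLET_STATE), DEMO_PHRASE))
    print("safe leaks phrase:  ", leaks_phrase(safe_report("tx failed", SAMPLE_WALLET_STATE), DEMO_PHRASE))
```

Scrubbing at the client is the control that matters: TLS only protects the data in transit, and the server-side log file is exactly where Ottersec found the seeds. Key-name lists are never complete (note that "recovery_phrase" is not in the list and is only caught by its value), so the value-shaped check is the backstop, and the cleanest fix is to never hand the wallet object to the reporting layer at all.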

Thousands of wallets emptied

In the hack, thousands of wallets were looted by unknown individuals on Tuesday and Wednesday. According to figures from the analysis platform Solscan, around 10,500 wallets are affected, and the damage is estimated at the equivalent of over 8.5 million US dollars. According to security researchers, the attackers were simply able to carry out the transactions as if they were the owners of the wallets, which points to a compromise of private keys.

The wallet provider Phantom backs the previous findings from Solana and Slope: account imports from and to Slope wallets were probably involved in the cases of affected Phantom users. A statement from the wallet service Solflare also points in this direction: anyone who only uses the Solflare wallet and has not migrated a cryptographic seed from elsewhere is on the safe side, as the suspected causes of the hack are not found in the Solflare wallet.