As the dust settles from yesterday’s Solana ecosystem chaos, evidence is emerging that wallet provider Slope is largely responsible for the security exploit that drained crypto from thousands of Solana users.
Slope is a Web3 wallet provider for the Solana layer-1 (L1) blockchain. Via the Solana Status Twitter account on August 3, the Solana Foundation pointed the finger at Slope, stating that “it appears that the affected addresses were at some point created, imported, or used in Slope mobile wallet applications.”
After investigation by developers, ecosystem teams, and security auditors, it appears that the affected addresses were created, imported, or used in Slope mobile wallet applications. 1/2
— Solana Status (@SolanaStatus) August 3, 2022
Solana co-founder Anatoly Yakovenko also linked Slope wallets to the hack on his personal Twitter account, advising users to regenerate their seed phrase in a wallet other than Slope as soon as possible. He also told an affected user to “Start practicing cold/hot wallet separation.”
The attacker is lazy in draining all the paths. A bunch of Phantom users only saw their addresses drained. I would advise anyone who touched Slope to regenerate their phrase in a different wallet as soon as possible.
— SMS aey.sol (@aeyakovenko) August 3, 2022
Reports of the Solana wallet exploit first surfaced on August 2, after community members began reporting that their wallets were being drained of Solana (SOL) and other tokens. It is estimated that roughly $8 million in crypto was stolen from nearly 8,000 wallets.
Through its research, the Solana Foundation found that the private keys for each of the wallets compromised in the exploit had been “inadvertently transmitted to an application monitoring service” by the Slope app.
The Foundation added that there was no evidence to suggest that the Solana protocol or its cryptography had been compromised by the attack.
Reports suggest that Slope may have recorded users’ seed phrases on its central servers. If those servers were compromised, the leaked seed phrases would let an attacker reconstruct the wallets’ private keys and sign transactions draining them.
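The leak the Foundation describes is a logging problem, not a cryptographic one: a seed phrase or secret key that ends up in an error report’s context is just another string to a monitoring SDK. The JavaScript below is an added example, not Slope’s code or any monitoring vendor’s SDK. It shows the leaky pattern (attaching wallet-import arguments to an error event) beside a scrubber that a pre-send hook (Sentry’s JavaScript SDK calls it `beforeSend`; other crash-reporting SDKs have equivalents) would run before any event leaves the device. The event shape, field names, regexes, the BIP39 test-vector phrase and the 88-character base58 string are all constructed for the example and control no real funds.

```javascript
// Added example: redacting wallet secrets from crash/telemetry events before
// they leave the device. Not Slope's code; the event layout is a simplified,
// constructed approximation of what crash-reporting SDKs transmit.

// Heuristic for a 12- to 24-word seed phrase: a run of lowercase words.
// It also matches ordinary lowercase sentences of that length, which is the
// right trade-off for telemetry: over-redact rather than leak.
const MNEMONIC_RE = /\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b/g;

// A 64-byte Solana secret key encoded in base58 is 87 or 88 characters;
// the base58 alphabet omits 0, O, I and l.
const BASE58_KEY_RE = /\b[1-9A-HJ-NP-Za-km-z]{87,88}\b/g;

// Field names whose values are dropped outright, whatever they contain.
const SENSITIVE_KEYS = new Set([
  "mnemonic", "seedphrase", "seed", "secretkey", "privatekey", "keypair",
]);

function normalizeKey(k) {
  return String(k).toLowerCase().replace(/[_\-\s]/g, "");
}

// Redacts key material that was interpolated into free text.
function scrubString(s) {
  return s
    .replace(BASE58_KEY_RE, "[REDACTED_KEY]")
    .replace(MNEMONIC_RE, "[REDACTED_MNEMONIC]");
}

// Walks an event recursively and returns a scrubbed copy; never mutates input.
function scrubEvent(value, keyName = "") {
  if (keyName && SENSITIVE_KEYS.has(normalizeKey(keyName))) return "[REDACTED]";
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubEvent(v));
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubEvent(v, k);
    return out;
  }
  return value;
}

// The leaky pattern: an error handler that attaches the import arguments
// (the user's phrase and the derived key) as event context and breadcrumbs.
function buildLeakyImportEvent(mnemonic, secretKeyB58, err) {
  return {
    message: `wallet import failed: ${err}`,
    extra: { mnemonic, secretKey: secretKeyB58 },
    breadcrumbs: [
      { category: "ui", message: "user tapped import" },
      { category: "wallet", message: `importWallet("${mnemonic}")` },
    ],
  };
}

// Constructed sample input: the well-known BIP39 test-vector phrase and a
// made-up 88-character base58 string (a hypothetical key, not a real one).
const SAMPLE_MNEMONIC =
  "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about";
const SAMPLE_SECRET_KEY =
  "3jKq7mNp9RsTuVwXyZ2aBcDeFgHiJkMnPqRsTuVwXyZ2aBcDeFgHiJkMnPqRsTuVwXyZ2aBcDeFgHiJkMnPqRsTu";

// Builds the event the leaky way, then runs it through the pre-send scrubber.
function demo() {
  const leaky = buildLeakyImportEvent(SAMPLE_MNEMONIC, SAMPLE_SECRET_KEY, "derivation error");
  const safe = scrubEvent(leaky);
  return { leaky, safe };
}

const { leaky, safe } = demo();
console.log("as sent by the leaky handler:\n" + JSON.stringify(leaky, null, 2));
console.log("after the pre-send hook:\n" + JSON.stringify(safe, null, 2));
```

Field-name redaction handles the structured case; the regexes handle the phrase or key after it has been interpolated into a message or breadcrumb, which is the harder case and the one a field allow-list alone misses. Both are deliberately aggressive: a false positive costs some debugging context, a false negative costs the user’s funds.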
Earlier reports on the day of the attack said that users of both Slope and Phantom hot wallets were being targeted, leading many to believe there could be a broader issue with the Solana protocol. However, further analysis shared by Solana’s Chief Communications Officer, Austin Federa, found that the problem was isolated to wallets whose seed phrase had been created or imported in Slope.
Federa said that while 60% of the victims of the attack were Phantom users, those affected had not created their seed phrase in Phantom.
We created a Typeform to collect data and the results were clear – of those who were drained ~60% were Phantom users and 40% were Slope users. But after extensive interviews and requests to the community, we couldn’t find a single Phantom-only user who had their wallet drained
— Austin Federa | sms (@Austin_Federa) August 3, 2022
Slope issued a statement on Wednesday summarizing the status of its ongoing investigation into the incident, confirming that “a group of Slope wallets were compromised in the breach,” including some belonging to its staff.
The team urged Slope users to generate a new, unique seed phrase and transfer all funds to it rather than leaving them in old wallets that could be drained later. The Phantom team went further, advising users to move their assets to a new non-Slope wallet.