October 2, 2022

Blockchain auditing firms are still trying to figure out how hackers gained access to around 8,000 private keys used to drain Solana-based wallets.

Investigations are ongoing after attackers managed to steal approximately $5 million worth of SOL and SPL tokens on August 3. Ecosystem participants and security companies are helping to unravel the details of the event.

Solana has worked closely with Phantom and Slope.Finance, the two SOL wallet providers that had user accounts affected by the exploits. It has since emerged that some of the compromised private keys were directly linked to Slope.

Blockchain auditing and security firms Otter Security and SlowMist assisted with ongoing investigations and unpacked their findings in direct correspondence with Cointelegraph.

Otter Security founder Robert Chen shared insights from first-hand access to the affected resources in collaboration with Solana and Slope. Chen confirmed that a subset of the affected wallets had private keys present on Slope’s Sentry logging servers in plain text:

“The working theory is that an attacker somehow infiltrated these logs and was able to use them to compromise users. This is an ongoing investigation and current evidence does not account for all compromised accounts.”

Chen also told Cointelegraph that about 5,300 private keys that were not part of the exploit were found in the Sentry instance. Almost half of those addresses still hold tokens, and users are being asked to move their funds if they have not already done so.

The SlowMist team came to a similar conclusion after being asked to analyze the exploit by Slope. The team also noted that Slope Wallet’s Sentry service collected the user’s mnemonic and private key and sent them to o7e.slope.finance. Once again, SlowMist was unable to find any evidence to explain how the credentials were stolen.
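The failure described above, a wallet's telemetry SDK shipping the user's mnemonic and private key to a logging server, is a secrets-in-telemetry problem. The following is an added example written for this article, not Slope's or Sentry's code: a client-side scrubber that walks an error-reporting event before it is sent, redacts fields by sensitive key name or by secret-like shape (a 12- or 24-word lowercase phrase, an 87-88 character base58 string such as a 64-byte Solana secret key, or a 64-entry byte array), and counts the redactions so the client can alarm on secrets reaching the telemetry path at all. The event shape and all values are constructed stand-ins; the `beforeSend` hook named in the comment is the Sentry JS SDK option as I know it, mentioned as the place such a scrubber would be wired in.

```javascript
// Added example (not Slope's or Sentry's code): redact wallet secrets from a
// telemetry event before it leaves the client. Event shape is a constructed
// stand-in; wire scrubEvent into the SDK's send hook, e.g.
//   Sentry.init({ beforeSend: (event) => scrubEvent(event).event })

const REDACTED = '[REDACTED]';

// Field names that must never be reported regardless of their value.
const SECRET_KEY_NAMES = /^(mnemonic|seed(phrase)?|private_?key|secret_?key|keypair)$/i;

// Heuristic BIP39 shape: 12 or 24 lowercase words, no wordlist check.
function looksLikeMnemonic(s) {
  const words = s.trim().split(/\s+/);
  if (words.length !== 12 && words.length !== 24) return false;
  return words.every((w) => /^[a-z]{3,8}$/.test(w));
}

// A 64-byte ed25519 secret key encodes to 87-88 base58 characters;
// 32-byte public keys are 43-44 characters and pass through untouched.
function looksLikeBase58SecretKey(s) {
  return /^[1-9A-HJ-NP-Za-km-z]{80,90}$/.test(s);
}

// Secret key serialized as a JSON array of 64 bytes (Uint8Array -> JSON).
function looksLikeSecretKeyBytes(a) {
  return Array.isArray(a) && a.length === 64 &&
    a.every((b) => Number.isInteger(b) && b >= 0 && b <= 255);
}

// Returns a scrubbed copy of the event and the number of redactions made.
// A non-zero count is itself a finding: secrets should never reach this path.
function scrubEvent(event) {
  let redactions = 0;
  const walk = (value, keyName) => {
    if (keyName !== undefined && SECRET_KEY_NAMES.test(keyName)) {
      redactions++;
      return REDACTED;
    }
    if (typeof value === 'string') {
      if (looksLikeMnemonic(value) || looksLikeBase58SecretKey(value)) {
        redactions++;
        return REDACTED;
      }
      return value;
    }
    if (looksLikeSecretKeyBytes(value)) {
      redactions++;
      return REDACTED;
    }
    if (Array.isArray(value)) return value.map((v) => walk(v));
    if (value !== null && typeof value === 'object') {
      const out = {};
      for (const [k, v] of Object.entries(value)) out[k] = walk(v, k);
      return out;
    }
    return value;
  };
  return { event: walk(event), redactions };
}

// Constructed sample event: what a logging SDK might ship on a failed import.
function sampleEvent() {
  return {
    message: 'import failed',
    user: { id: 'u-1' },
    extra: {
      publicKey: 'A'.repeat(44),   // public, must survive scrubbing
      secretKey: 'A'.repeat(88),   // redacted by field name
      notes: 'A'.repeat(87),       // redacted by base58 secret-key shape
      phrase: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
      rawKey: Array.from({ length: 64 }, (_, i) => i), // redacted as key bytes
    },
    breadcrumbs: [{ message: 'wallet imported', data: { mnemonic: 'x' } }],
  };
}

const result = scrubEvent(sampleEvent());
console.log(JSON.stringify(result.event, null, 2));
console.log('redactions:', result.redactions);
```

The shape checks are deliberately conservative: a 44-character public key and ordinary messages survive, while anything that looks like a seed phrase or a full keypair is replaced. In practice the count should feed a client-side metric or alert, because the right fix is to stop the secret from ever entering the logging context, with the scrubber as the last line of defence.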

Cointelegraph also reached out to Chainalysis, which confirmed it was conducting a blockchain analysis of the incident after sharing its initial findings. The blockchain analytics firm also noted that the exploit primarily affected users who had imported accounts to or from Slope.Finance.

While these findings spare Solana itself from bearing the brunt of the blame for the exploit, the situation has highlighted the need to audit wallet providers. SlowMist recommended that wallets be vetted by multiple security companies before release and called for open source development to increase security.

Chen said some wallet providers had “flown under the radar” in terms of security compared to decentralized applications. He hopes to see the incident shift user sentiment toward the relationship between wallets and validation by external security partners.