On August 03, a wind of panic blew over the Solana network. A coordinated attack targeted thousands of crypto wallets and their contents. This unprecedented hack reportedly affected more than 8000 virtual wallets, for a haul of more than 6 million dollars in cryptocurrencies and other tokens at the time of writing.
The open-source blockchain Solana is among the most popular of the moment. Since its inception in March 2020, the technology has aimed to provide decentralized finance solutions, combining proof-of-history (PoH) with proof-of-stake (PoS) consensus.
The Slope wallet at the origin of the hack?
The Slope wallet has been pointed out as the source of this flaw. 10,400 wallets were siphoned off during the attack.
In the hours following the hack on Solana, the developers in charge of the case struggled to find the cause of the massive siphoning. Eventually, several pieces of evidence began to point to the Slope wallet.
About ten days after this event, the teams of OtterSec, a company specializing in blockchain auditing and analysis, published a report reviewing the facts.
At the time of the affair, it became clear that the problem emanated from one of the wallets in the ecosystem.
For its report, OtterSec analyzed the two main wallets in the Solana ecosystem, namely Phantom and Slope.
First, OtterSec revealed that the Phantom wallet showed “no evidence of vulnerabilities that could lead to the compromise of mnemonics.”
OtterSec's teams then turned to the Slope wallet. According to their research, it is indeed the latter that is the source of the flaw.
“We confirmed that the Slope wallet was vulnerable to leaking private keys and mnemonics in the logs that were sent to the log server.”
In practice, the flaw had been present in the wallet’s code since version 2.2.0, released on June 24.
An error in the code!
The Slope wallet uses the Sentry service to monitor its application. All monitored data is sent to and stored on a Sentry log server, hosted by Slope’s teams.
Unfortunately, an error in the code caused the wallet mnemonic to be sent to the Sentry server every time the affected code path ran.
When accessing the data on this server, OtterSec teams found numerous mnemonics stored in the Sentry server logs. The mnemonics found correspond to approximately 15% of the hacked addresses.
However, due to a problem in Slope’s infrastructure, the server only received the data for 12% of the time the breach was present. As a result, OtterSec estimates that the number of mnemonics sent was “likely much larger than the number stored on the server.”
Therefore, it is likely that the attacker was able to access the rest of the siphoned wallets by accessing logs that were not stored on the Sentry server.
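The defensive pattern the incident calls for is scrubbing secrets client-side before any telemetry event leaves the wallet. The following is an added example, not Slope's or Sentry's code: a scrubber written in the shape of a Sentry `beforeSend` hook, with an assumed event shape (`message`, `extra`, `breadcrumbs`) and heuristic mnemonic and Solana secret-key patterns that are assumptions, not a full BIP39 wordlist check.

```javascript
// Added example (not Slope's or Sentry's code): redact wallet secrets from a
// telemetry event before the SDK transmits it. Assumed event shape:
// { message, extra, breadcrumbs }. Heuristics (assumptions): a mnemonic is a
// run of 12-24 lowercase words of 3-8 letters; a Solana 64-byte secret key is
// 86-88 base58 characters. Over-redacting an innocent phrase is acceptable in
// crash logs; leaking a real seed phrase is not.
const MNEMONIC_RE = /\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b/g;
const SECRET_KEY_RE = /\b[1-9A-HJ-NP-Za-km-z]{86,88}\b/g;
const SECRET_FIELD_RE = /mnemonic|seed|secret|private|keypair/i; // field names
const REDACTED = "[REDACTED]";

function redactString(s) {
  return s.replace(MNEMONIC_RE, REDACTED).replace(SECRET_KEY_RE, REDACTED);
}

// Walk any JSON-like value without mutating it: drop fields whose name looks
// secret-bearing, scrub every string, recurse into arrays and objects.
function scrubValue(value, key = "") {
  if (SECRET_FIELD_RE.test(key)) return REDACTED;
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k);
    return out;
  }
  return value; // numbers, booleans, null
}

// Same contract as the Sentry JS SDK hook: return the event to send it, or
// null to drop it. Wiring would be Sentry.init({ dsn, beforeSend }).
function beforeSend(event, _hint) {
  return scrubValue(event);
}

// Constructed sample event resembling what a wallet might attach by mistake.
// The 12-word phrase is the well-known BIP39 test vector, not a real wallet.
const SAMPLE_EVENT = {
  message: "Restore failed: " + "abandon ".repeat(11) + "about",
  extra: { walletState: { mnemonic: "x", pubkey: "1".repeat(32) } },
  breadcrumbs: [{ message: "loaded key", data: { note: "key " + "A".repeat(87) } }],
};
```

Field-name matching and pattern matching are complementary: the first catches secrets attached deliberately under a telling key, the second catches a phrase that was interpolated into a free-text message.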