Overview Of The Slope Solana Wallet Hack In August 2022
During the late hours of Tuesday, August 2, 2022, many people noticed that their Solana wallets had been mysteriously hacked. Attackers were able to transfer all the Solana SOL, USDC, and NFTs out of the victims' Solana wallets. The hack was very strange because it was unlike most other known crypto hacks. It quickly caused panic in the community, and security researchers and users scrambled to identify the root cause. Various major news outlets covered the fallout (CNBC, ZeroHedge, Bloomberg, etc).
"Engineers from multiple ecosystems, with the help of several security firms, are investigating drained wallets on Solana. There is no evidence hardware wallets are impacted.
"This thread will be updated as new information becomes available."
- @SolanaStatus 8/3/2022, 2:39am UTC
Widespread confusion prevailed during the initial hours of the hack. Many inaccurate theories regarding the Solana wallet hack quickly circulated on Twitter, including:
Over 8,000 Solana wallets were attacked during the initial stage of the attack. Security firm PeckShield estimated that funds totaling over $8 million were stolen (the total Solana SOL and SPL token balance stolen that is visible on-chain is currently $6.7 million, but this excludes NFTs). Many of the compromised wallets had been dormant for several months, which confused many users. The lack of activity meant that it was unlikely that a decentralized app (dapp) or malicious NFT minting site was the root cause. More importantly, it pointed to the possibility that attackers had obtained the wallet private keys themselves.
The attack was not isolated to Solana. Many users also reported that their Ethereum wallets had been hacked. Initial reports suggested that the affected users were Slope and Phantom wallet users.
Several security researchers, Solana Labs, and the broader Solana community worked together to find the source of the wallet hack. SolanaStatus set up a form for victims to fill in describing their interactions with various Solana wallets, the devices they used, and so on, in order to collect and analyze data. Most of the early reports suggested the hack was related to Slope and Phantom wallets. Avana Wallet, Glow, and Solflare wallets all reported no hacking incidents.
On August 3, 2022, various researchers identified the root source of the wallet hack. Slope wallet had a design flaw in its code that leaked a user's clear text private keys to Slope's error reporting API. Sensitive user data were sent to Sentry.io, an error monitoring telemetry service. Sentry is one of the most popular cloud-based services that helps developers monitor their apps for errors. The code in Slope's wallet sent the user's private key information to Sentry. As a result, the clear text sensitive data became accessible to employees at Slope wallet and at Sentry. This is definitely not a common practice for non-custodial wallets, and no developer should ever expose or leak user credentials. It is unclear how and why this happened at Slope wallet.
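As an added illustration (this is not Slope's code or Sentry's, and the `Sentry.init` wiring in the comment is assumed rather than executed), the kind of client-side guard that stops this class of leak: a scrubber run as Sentry's `beforeSend` hook that redacts seed phrases and 64-byte Solana keypairs from an error event before it leaves the device, whether they sit under an obvious key name or are buried in a breadcrumb under an innocuous one.

```javascript
// Added example, not Slope's or Sentry's own code: a beforeSend-style scrubber
// that redacts wallet secrets from an error event before it leaves the device.
// Assumed wiring (not executed here): Sentry.init({ dsn, beforeSend: scrubEvent })
const SECRET_KEYS = /^(mnemonic|seed|seed_?phrase|private_?key|secret_?key|keypair)$/i;
// 12- or 24-word lowercase phrase (BIP39 style) with single spaces between words
const MNEMONIC_RE = /^(?:[a-z]+ ){11}[a-z]+$|^(?:[a-z]+ ){23}[a-z]+$/;
// Solana secret key exported as base58 (64 bytes encode to 86-88 characters)
const BASE58_SECRET_RE = /^[1-9A-HJ-NP-Za-km-z]{86,88}$/;

// True if a value looks like a seed phrase or a raw 64-byte Solana keypair.
function looksSecret(value) {
  if (typeof value === 'string') {
    return MNEMONIC_RE.test(value.trim()) || BASE58_SECRET_RE.test(value);
  }
  if (Array.isArray(value) && value.length === 64) {
    return value.every((b) => Number.isInteger(b) && b >= 0 && b <= 255);
  }
  return false;
}

// Drop-in for Sentry's beforeSend(event, hint): walks the event and replaces
// secrets matched by key name or by value shape. Returns a new object and
// leaves the original event untouched.
function scrubEvent(node) {
  if (looksSecret(node)) return '[REDACTED]';
  if (Array.isArray(node)) return node.map((item) => scrubEvent(item));
  if (node && typeof node === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(node)) {
      out[k] = SECRET_KEYS.test(k) ? '[REDACTED]' : scrubEvent(v);
    }
    return out;
  }
  return node;
}

// Constructed sample event: the shape of report that leaks when wallet state is
// attached to an error unfiltered. Values are placeholders, not real keys.
const sampleEvent = {
  message: 'Failed to sign transaction',
  extra: {
    walletId: 'w-1234',
    balance: 1.5,
    mnemonic: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
    keypair: Array.from({ length: 64 }, (_, i) => i),
  },
  // secret hidden under an innocuous key name: caught by value shape instead
  breadcrumbs: [{ category: 'ui', data: { note: '3'.repeat(87) } }],
};
const cleanEvent = scrubEvent(sampleEvent);
```

Shape-based matching is a backstop, not a substitute for never attaching wallet state to telemetry in the first place; the key-name list and regexes are the places a team would tune for its own key formats.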
It is unclear at this time if the attackers were associated with Slope wallet or Sentry. Either way, it was a security vulnerability in the wallet code that ultimately was responsible for the lost funds and anxiety.
MoonRankNFT and others posted data from Slope Wallet showing that the wallet leaks the user private keys in clear text.
The Slope team posted a statement discussing the wallet hack.
The attacker(s) had access to the private key data sent to the error logging service mentioned above. The hackers gathered the private key information, then used the keys to transfer funds from the victims' accounts to the attackers' accounts.
The attack appeared to be carried out by humans rather than automated computer code. No one currently knows the identities of the attacker(s), but it appears that the Solana wallets were drained individually by one or more people. The attackers were iterating through stolen Solana wallet accounts at a pace of ~20 per minute. Automated computer code would have been able to process all of the transactions quickly. Also, many Twitter users noted that it often took 20 to 30 minutes for the attackers to realize that a compromised wallet had received new funds that could be stolen. Automated computer programs would have been faster to react.
Observers noted that the attacker(s) seemed to focus on Solana SOL and USDC tokens and for the most part ignored other, less liquid tokens. The attackers stole valuable NFTs from some Solana wallets, but they did not always steal all NFTs.
Twitter user @zachxbt noted that the attacker Solana wallet addresses were funded on 8/2/2022 from a wallet address that had itself received funds from Binance seven months earlier. Binance is a centralized crypto exchange that requires users to provide identification. The Binance funding source could provide an evidence trail leading to the attacker's identity.
The attacker addresses included:
The amount of anxiety and noise surrounding the event was large by most standards, but the dollar amount was relatively small compared to other crypto hacks (~$8 million, versus other recent hacks such as the crypto bridge Nomad for $200 million). One reason for the elevated anxiety was the level of uncertainty: users did not know the origin of the threat, and everyone felt vulnerable. Other crypto hacks such as Nomad had clear and explicit sources.
Many Phantom wallet users reported that their Solana accounts had been drained as well. The hack in August 2022 was not related to a security vulnerability in Phantom wallet, so Phantom wallet itself was not hacked. Some Phantom wallet users had their accounts drained because they had at some point either generated their private key in Slope wallet or imported a private key created in Phantom wallet into Slope wallet. As a result, the hacker had access to the private key once it had been used in Slope wallet.
The same concept applies to the hacked Ethereum wallets: users had reused the mnemonic phrase from their Slope wallet to create an Ethereum wallet address. The Ethereum wallet software itself was not hacked.
You should assume that any private key generated in or imported to Slope wallet is vulnerable. You should download a new Solana wallet (of course Avana Wallet should be your first choice for the best Solana wallet 😊) and create a brand new Solana address / private key. Send funds to that new address. Never use the prior Solana wallet addresses created with Slope wallet.
Security should always be a top priority when you use crypto. The decentralized nature of crypto has its benefits, but it also has its drawbacks. Stolen crypto is nearly impossible to retrieve, so the best line of defense is to prevent the theft.
One of the best ways to keep your Solana wallet safe is to use a hardware wallet with Avana Wallet. Hardware wallets keep your private keys off of your device, so your private keys can never be hacked or stolen. A good practice is to keep large crypto balances on a hardware wallet, and then keep smaller balances for monthly expenses in a hot wallet.
We have written a series of blog posts that help our users keep their Solana wallets safe:
The Solana wallet attackers were able to steal at least $6.7 million from victims' wallets, but that does not mean that the attackers can access or use the money. The attackers' accounts are now flagged, and crypto exchanges and authorities will monitor the addresses going forward. It will be very difficult for the attackers to actually access these funds. There are countless examples of crypto criminals being arrested years after an attack (a couple was arrested in 2022 for a 2016 crypto hack).
It is reported that the authorities are already investigating the Slope wallet vulnerability. Hopefully the criminals will be found and face justice for the anxiety and panic they caused to Solana users.
Upgrade your Solana wallet today