âWe have independently confirmed that Slopeâs mobile app sends off mnemonics via TLS to their centralized Sentry server,â tweeted Otter (@osec_io). âThese mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys.â
Slope, in response, issued a statement and said while nothing was official, they were advising precautions.
âWhile we have not fully confirmed the nature of the breach, in the spirit of safeguarding our user base, we recommend ALL Slope users do the following: Create a new and unique seed phrase wallet and transfer all assets to this new wallet. Again, we do not recommend using the same seed phrase on this new wallet that you had on Slope.â
Solana, which initially bore the brunt of bad press, was quick to point out that the hack was not on them, and instead on the part of the third-party wallet provider.
âThis wasnât a Solana wallet hack, it was a hack of a wallet that supported Solana. Not a protocol level thing,â tweeted Austin Federa (@Austin_Federa), head of communications at Solana Foundation. âThe investigations are ongoing, and I can't stress enough the importance of creating a new seed phrase in a non-Slope wallet and moving any assets you have in a Slope hot wallet over. Then go buy a hardware wallet,â he also noted.
Cold feet on hot wallets and other lessons
Federaâs comment points to an important takeaway about the attack. The exploit only impacted "hot" wallets, software wallets that are connected to the internet and allow users to store and send tokens. Hardware wallets, or âcold wallets,â are physical devices that offer more security and were not impacted.
âSoftware wallets are only as secure as the devices they run on,â tweeted a crypto-enthusiast with the handle @DSentralized in an informative thread on the incident. âBecause of the large variety of applications that are run on these devices, and the fact that they are connected to the internet, the potential attack surface is large and that could be due to malware or exploits.â
Another point frequently discussed about the hack was the importance of open source. Some went as far as to say an open source product would have prevented the incident from ever having occurred and called for more open source in crypto ecosystems.
âIt looks like the Solana hack is caused by Slope wallet sending the user's seed in plaintext to the company's server,â tweeted Zach Hebert (@zachherbert), cofounder & CEOÂ of Foundation Devices, a builder of Bitcoin-centric tools. âThis is why open source is so important. Code needs to be auditable, users need the freedom to build the app from source code.â
Unfortunately, the other big takeaway here is that in the world of cryptocurrency, this kind of large-scale theft is common. Only days before the Slope attack, crypto start-up Nomad lost $190 million in digital currency in a massive exploit. In this instance, the attack was the result of a vulnerability in Nomadâs code.
Nomad tweeted a post offering a 10 percent anyone to anyone who returns at least 90 percent of their share of the stolen funds. So far, some of the stolen funds have been returned, but the story continues to develop.
 |
