
“We have independently confirmed that Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server,” tweeted Otter (@osec_io). “These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys.”

In response, Slope issued a statement saying that while nothing was official, it was advising precautions.

“While we have not fully confirmed the nature of the breach, in the spirit of safeguarding our user base, we recommend ALL Slope users do the following: Create a new and unique seed phrase wallet and transfer all assets to this new wallet. Again, we do not recommend using the same seed phrase on this new wallet that you had on Slope.”

Solana, which initially bore the brunt of the bad press, was quick to point out that the hack was not its doing but rather that of the third-party wallet provider.

“This wasn’t a Solana wallet hack, it was a hack of a wallet that supported Solana. Not a protocol level thing,” tweeted Austin Federa (@Austin_Federa), head of communications at Solana Foundation. “The investigations are ongoing, and I can't stress enough the importance of creating a new seed phrase in a non-Slope wallet and moving any assets you have in a Slope hot wallet over. Then go buy a hardware wallet,” he also noted.


Cold feet on hot wallets and other lessons

Federa’s comment points to an important takeaway about the attack. The exploit only impacted "hot" wallets, software wallets that are connected to the internet and allow users to store and send tokens. Hardware wallets, or “cold wallets,” are physical devices that offer more security and were not impacted.

“Software wallets are only as secure as the devices they run on,” tweeted a crypto-enthusiast with the handle @DSentralized in an informative thread on the incident. “Because of the large variety of applications that are run on these devices, and the fact that they are connected to the internet, the potential attack surface is large and that could be due to malware or exploits.”

Another point frequently discussed about the hack was the importance of open source. Some went as far as to say an open source product would have prevented the incident from ever having occurred and called for more open source in crypto ecosystems.

“It looks like the Solana hack is caused by Slope wallet sending the user's seed in plaintext to the company's server,” tweeted Zach Herbert (@zachherbert), cofounder & CEO of Foundation Devices, a builder of Bitcoin-centric tools. “This is why open source is so important. Code needs to be auditable, users need the freedom to build the app from source code.”

Unfortunately, the other big takeaway here is that in the world of cryptocurrency, this kind of large-scale theft is common. Only days before the Slope attack, crypto start-up Nomad lost $190 million in digital currency in a massive exploit. In this instance, the attack was the result of a vulnerability in Nomad’s code.

Nomad tweeted a post offering a 10 percent bounty to anyone who returns at least 90 percent of their share of the stolen funds. So far, some of the stolen funds have been returned, but the story continues to develop.
 


About the Author
Joan Goodchild is a veteran writer and editor with 20+ years of experience. She writes about information security and strategy and is the former editor in chief of CSO.

©2022 IDG Communications, Inc.