
Topic: Confused wallet user (Read 170 times)

legendary
Activity: 2576
Merit: 1655
August 06, 2022, 09:01:23 AM
#16
I am confused right now, I did some research on the Solana hack and I came to understand that Slope wallet is the main issue, my question is why are wallets backing up users' recovery phrases in a log file? Yeah it got compromised somehow that's how hackers get those files but why in the first place is wallet doing this? Are other wallets like this?...
If you need secure storage, then use hardware wallets. They are configured without connecting to a computer and your seed phrase is safe. Mobile wallets are not secure and are the most vulnerable to hacking. For Solana, you can use a Ledger or Trezor, they are compatible with the DeFi ecosystem.

Or maybe an air-gap wallet could also be a good option for us. Regarding the question about the Slope wallet, yes, they are liable. Although they said that they are cooperating with Ottersec to collect all data so that they can make a post mortem report.

They even have an address now for the hackers if ever they decided to return and get the bounty they offered (I doubt it though). So maybe there could be people who can monitor this wallet: DyQ96GwjkHkGSzYEB4NaPk2NxsXyRTMNHKJQd3fziABf

https://twitter.com/slope_finance
legendary
Activity: 1932
Merit: 4602
August 06, 2022, 07:06:30 AM
#15
I am confused right now, I did some research on the Solana hack and I came to understand that Slope wallet is the main issue, my question is why are wallets backing up users' recovery phrases in a log file? Yeah it got compromised somehow that's how hackers get those files but why in the first place is wallet doing this? Are other wallets like this?...
If you need secure storage, then use hardware wallets. They are configured without connecting to a computer and your seed phrase is safe. Mobile wallets are not secure and are the most vulnerable to hacking. For Solana, you can use a Ledger or Trezor, they are compatible with the DeFi ecosystem.
hero member
Activity: 2870
Merit: 594
August 06, 2022, 06:56:15 AM
#14
I am confused right now, I did some research on the Solana hack and I came to understand that Slope wallet is the main issue, my question is why are wallets backing up users' recovery phrases in a log file? Yeah it got compromised somehow that's how hackers get those files but why in the first place is wallet doing this? Are other wallets like this?...
Obviously, that shouldn't be the case, no mnemonic phrase should be saved anywhere on the internet, not in a 3rd party centralized server. And so this is the biggest mistake of the Slope wallet developer or whoever is in charge, it's clearly negligence on their part. So that is the answer to your question, no, wallet backups should not be in any log file. The majority of us go for writing it down and keeping it safe.
legendary
Activity: 1820
Merit: 1207
August 06, 2022, 06:30:53 AM
#13
Maybe they want to secure our wallets if something happens like lost phrases and ask them to be able to return the phrase, but it's a bit strange with this kind of thing, maybe they really want to sabotage as if it was an accident, but actually this is all Slope itself.
I would say it's just an excuse and it's really a bad idea to do that in order to recover someone's coins. Honestly I don't really believe it's a hacker who hacked their database, what if the Slope team are the ones who stole the coins and act as if they got hacked? Who knows. Trust is the main role here, if you can't trust that the Slope team is really genuine and trustworthy, it's better to use a better wallet.
sr. member
Activity: 1876
Merit: 259
August 06, 2022, 02:41:20 AM
#12
Maybe they want to secure our wallets if something happens like lost phrases and ask them to be able to return the phrase, but it's a bit strange with this kind of thing, maybe they really want to sabotage as if it was an accident, but actually this is all Slope itself.
sr. member
Activity: 1680
Merit: 263
August 05, 2022, 06:11:30 PM
#11
I also have never found a wallet that is really safe because any crime can be committed if they want especially with some third party wallet companies then all of them are very vulnerable to crime so when we decide to invest in crypto then we are 50% willing to lose money. Therefore, the most important thing is to choose a wallet company that has clear people in it so that when something happens they can be held accountable.
hero member
Activity: 1666
Merit: 709
August 05, 2022, 02:20:43 PM
#10
I haven’t gotten Solana yet and in fact there aren’t any altcoins owned by me, for personal reasons, but why aren’t people just consistent with a more renowned exchange like Trust wallet? (I know no exchange is completely safe but you are better off with them.) Altcoins have resulted in the use of several exchanges that can just fit the particular coin people want to purchase; this and more reasons have made it a no-go area for me yet.
legendary
Activity: 1932
Merit: 1273
August 05, 2022, 11:43:08 AM
#9
https://nitter.net/Zellic_io/status/1554936143220617216
my question is why are wallets backing up users' recovery phrases in a log file? Yeah it got compromised somehow that's how hackers get those files but why in the first place is wallet doing this?

It is because Slope Wallet is a shitty wallet. The fact it's closed-source should be enough reason to stay away from those kinds of wallets.

And to be precise, the wallet does not back up the seed phrase into a log file, instead, it is undue diligence from their developer to not put enough effort to wholly comprehend what the freaking third-party software (Sentry) does in their app. As a result, users' funds are stolen.

Considering the two referenced Twitter accounts, which are blockchain audit companies, do indeed indicate the main issue, an interesting take is this:

Quote
**Hypothetically**, an attacker *with access to Sentry* could go through event logs and steal the thousands of mnemonics leaked in the past week

User seed phrases are logged into the log file which is being sent to a centralized server owned/managed by Slope. By that fact, who else could access and compromise the main issue of a leaked seed phrase?
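
Added example (not part of the thread, and not Slope's or Sentry's code): the posts above attribute the leak to seed phrases ending up in telemetry sent to a central server, so this shows a client-side scrubber that redacts mnemonic-shaped text from log records and event payloads before they leave the app. The shape heuristic (12-24 words of 3-8 lowercase letters), the sample event's field names and the sample phrase are assumptions made for the illustration.

```python
import logging
import re

# Assumption: a recovery phrase is 12-24 English BIP39 words, each 3-8 lowercase
# letters, separated by spaces or tabs. This is a shape heuristic, not a wordlist check.
_WORD = r"[a-z]{3,8}"
_MNEMONIC = re.compile(rf"\b{_WORD}(?:[ \t]+{_WORD}){{11,23}}\b")
REDACTED = "[REDACTED-MNEMONIC]"

# Public all-zero-entropy BIP39 test vector, used here as constructed sample input.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

# Constructed payload shaped like a crash-report event; field names are hypothetical.
SAMPLE_EVENT = {
    "message": "unhandled exception in import screen",
    "extra": {"input": SAMPLE_MNEMONIC, "attempt": 2},
    "breadcrumbs": [{"category": "ui", "message": "typed: " + SAMPLE_MNEMONIC}],
}


def scrub(value):
    """Recursively redact mnemonic-shaped runs in strings, dicts, lists and tuples."""
    if isinstance(value, str):
        return _MNEMONIC.sub(REDACTED, value)
    if isinstance(value, dict):
        return {key: scrub(item) for key, item in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(item) for item in value)
    return value


class MnemonicFilter(logging.Filter):
    """Logging filter that redacts the formatted message before any handler emits it."""

    def filter(self, record):
        record.msg = scrub(record.getMessage())  # format first, so %-args are covered too
        record.args = None
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(MnemonicFilter())
    log = logging.getLogger("wallet")
    log.addHandler(handler)
    log.error("import failed: %s", SAMPLE_MNEMONIC)  # emits the redacted message
    print(scrub(SAMPLE_EVENT))
```

The filter has to be attached to every handler that feeds a remote sink, and `scrub` can be called from a telemetry SDK's pre-send hook, for example the `before_send` callback in Sentry's SDKs. It is a backstop only: the primary fix is never passing the phrase to logging or telemetry code.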

member
Activity: 242
Merit: 86
August 05, 2022, 11:27:17 AM
#8
Very soon people will be more friendly with hardware wallets whether they like it or not, no one will have peace of mind holding tokens and coins in any wallet except hardware wallets and truth be told, nothing beats hardware wallets, better use 200$ to buy hardware wallet or risk losing 1000$ worth of token in such manner.
hero member
Activity: 1778
Merit: 709
[Nope]No hype delivers more than hope
August 05, 2022, 09:21:18 AM
#7
-snip-
my question is why are wallets backing up users' recovery phrases in a log file?
I think it's used to remember login credentials or when authorization permissions to third party apps are enabled.

Yeah it got compromised somehow that's how hackers get those files but why in the first place is wallet doing this? Are other wallets like this?...
Generally, the app will create a separate log file in a special folder elsewhere.
I don't know where you got this information from, if it's true then it means they have the most vulnerable security system for a crypto wallet.
member
Activity: 368
Merit: 15
August 05, 2022, 09:10:52 AM
#6
I am not surprised, many new projects like exchanges and wallets are growing these days and many of them don't know what they are doing, the majority aren't even qualified personnel but most investors don't care, I have a reason for using Trust wallet and that's because it's from the Binance exchange.
hero member
Activity: 1148
Merit: 796
August 05, 2022, 08:52:40 AM
#5
Quote
On Thursday morning, Otter, a security firm focused on Solana, reported that the Slope’s wallet app sent out users' seed phrases to a centralized server. Slope hired this server from a company called Sentry.

It added that seed phrases passed to Slope's server were saved in the form of readable text. Since the phrases were not encrypted, anybody with access to this specific Sentry server could potentially access users’ private keys. The low security standard likely led to the breach giving hackers the ability to acquire the seed phrases and drain funds.
https://www.theblock.co/post/161425/slope-wallet-provider-saved-user-seed-phrases-in-plain-text-solana-security-researchers-find
This wallet has very bad security since they saved the seed phrases in plain text and they were not encrypted; if a hacker can find the vulnerabilities of the server, he can get the seed phrases very easily. Moreover, this is a web wallet, which has a higher chance of getting hacked.

Will other wallets do the same as this one? Yes, especially those web wallets that don't care about their security. That's why you need to use a hardware wallet or air-gapped wallet to prevent this kind of attack.
member
Activity: 233
Merit: 12
August 05, 2022, 08:10:36 AM
#4
Wallet recovery seed stored in a log file? If that doesn't turn you off I don't know what will, this shows that this wallet sucks, even if the team behind the wallet are loyal, their ways of handling security suck.
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
August 05, 2022, 07:19:22 AM
#3
I am confused right now, I did some research on the Solana hack and I came to understand that Slope wallet is the main issue, my question is why are wallets backing up users' recovery phrases in a log file? Yeah it got compromised somehow that's how hackers get those files but why in the first place is wallet doing this? Are other wallets like this?...
I don't follow this accident on Solana but "why are wallets backing up users recovery phrases in a log file" means you don't own keys of your wallet.

The wallet has a backup (recovery phrase) of your wallet and it is terrible. It means at least two entities own wallet keys: you and that wallet company. Do you think they won't do scam exit and steal all your money?

A good wallet to use is a non custodial wallet:
  • You are the only entity to own your wallet key.
  • That wallet software does not own your wallet key in any format (log file, wallet file etc.)
  • Even with non custodial wallet, to increase your safety, you should turn off Internet connection before creating a wallet.
legendary
Activity: 3668
Merit: 6382
August 05, 2022, 07:12:38 AM
#2
my question is why are wallets backing up users' recovery phrases in a log file? Yeah it got compromised somehow that's how hackers get those files but why in the first place is wallet doing this? Are other wallets like this?...

I'm not into that altcoin (actually I care only of 1-2 altcoins), so I don't know about that altcoin and that particular wallet.
But you have to keep in mind that the newer the altcoin, or the wallet, or whatever software is, the more likely to have bugs or even logic errors.

Now to your question: logging recovery phrases is clearly a newbishly stupid mistake, I expect that the vast majority doesn't do that. Bitcoin Core and Electrum don't do that.
jr. member
Activity: 38
Merit: 18
August 05, 2022, 07:06:25 AM
#1
I am confused right now, I did some research on the Solana hack and I came to understand that Slope wallet is the main issue, my question is why are wallets backing up users' recovery phrases in a log file? Yeah it got compromised somehow that's how hackers get those files but why in the first place is wallet doing this? Are other wallets like this?...