Topic: Solana Slope Wallet Vulnerabilities (Read 191 times)

To the Slope Community,

Thank you for your support and patience over the course of the last week. We apologize for not being more communicative during these challenging times.

It is important to us that we provide you with independently verified facts and a solid plan for the near future, rather than adding to further speculation. Starting from day one, the team has been focused on investigating the root cause of the wallet hack incident and the recovery of assets. We have been working tirelessly over the last week with the auditors OtterSec and SlowMist, and the cybercrime firm TRM. The auditors received full access to all databases, data pipelines, server logs, and application source code. The auditors’ investigations are nearing their conclusion, and we feel it’s now appropriate to provide regular updates.

Before we get to that, we want first to say that we sincerely apologize to all those who were affected by the wallet hack last week. We are genuinely sorry for all the losses suffered and are doing everything we can to make it right.

Here are the most important findings from the independent audits:

    There was a vulnerability in the Slope on-premise 3rd-party application monitoring service on Slope Wallets on mobile from July 28th to August 3rd that inadvertently logged sensitive data in cases where the apps generated an error event.
    There is no evidence that all security layers (e.g., transmission and storage) were compromised. All the transmission to the 3rd-party application monitoring server is protected through HTTPS end-to-end encryption, and access to the 3rd-party application monitoring server is controlled through 3-factor authentication.
    As confirmed in previous interim reports from Ottersec, the investigation team has cross-compared all hacked addresses (9,232 addresses in total) vs. all exposed addresses from the vulnerability in the 3rd-party application monitoring database:
    -The number of all hacked addresses is larger than the total number of addresses ever exposed from the 3rd-party application monitoring server.
    -A fraction (1,444 addresses) of the total exposure from the 3rd-party application monitoring server has been confirmed drained in cross-comparison.

Although there is no conclusive evidence from the auditors to link the Slope vulnerability to the exploit, its very existence put a lot of assets in danger. This is nowhere near the security standard that Slope set out to establish and maintain, and we are deeply regretful of these occurrences. Security is paramount to us, and our user base is everything. We should never have let this happen.

We found no additional vulnerabilities during the investigation and intense scrutiny by multiple parties. Therefore, we believe the latest patched version of Slope Wallet is safe to use. The Slope team will continue to obtain regular audit reports and work with security professionals on a rolling basis.

We will work hard to earn your trust back, hunting down the hacker, recovering stolen assets, and making our users whole.

So where do we go from here?

Expect regular updates on the following topics:

    Detailed fact-sheet walk-throughs of the full scope of the vulnerability and everything we’ve learned and improved on going forward.
    A revamped product roadmap that doubles down on security.
    Details on the asset recovery measures for compromised wallets.

Thank you again for your patience and understanding as we work through this. Please monitor our official Twitter account (@slope_finance) for further updates.

Sincerely,
Slope Team

The fault is on slope wallet devs, they should take responsibility for this losses because its simply their fault, also this will serve as a warning to people looking for new wallets to keep their tokens and coins.

It was 100% already known that SOL has a lot of technical issues and yet people still do invest into it. In fact, so much so that people are not selling their SOL too much right now neither, if this gets big then maybe there will be a bit of a problem but we have not seen it get big at all.

It looks like they have a lot of time in their hands to engage in some network trash talks.

After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. 1/2

This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure.

While the details of exactly how this occurred are still under investigation, but private key information was inadvertently transmitted to an application monitoring service.  2/3

There is no evidence the Solana protocol or its cryptography was compromised. 3/3

Dear Slope Community,

Here is what we know at this juncture regarding the breaches to our user base:

    A cohort of Slope wallets were compromised in the breach
    We have some hypotheses as to the nature of the breach, but nothing is yet firm
    We feel the community’s pain, and we were not immune. Many of our own staff and founders’ wallets were drained

Actions we are taking:

    We are actively conducting internal investigations and audits, working with top external security and audit groups
    We are working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify

While we have not fully confirmed the nature of the breach, in the spirit of safeguarding our user base, we recommend ALL Slope users do the following:

Create a new and unique seed phrase wallet, and transfer all assets to this new wallet. Again, we do not recommend using the same seed phrase on this new wallet that you had on Slope.

If you are using a hardware wallet, your keys have not been compromised.

We are still actively diagnosing, and are committed to publishing a full post mortem, earning back your trust, and making this as right as we can.

Thank you,
Slope Team

~
I don't think attackers would have gained millions from airdrop hunters.

As always, in my opinion, the people who are getting this attacked most of the time it's from people are chasing airdrop and minted some free stuff on "Solana" since their network is being used because of its popularity in the past 6-12 month.

hopefully they can migrate to hardware wallet ASAP.

[1]
Engineers from multiple ecosystems, with the help of several security firms, are investigating drained wallets on Solana. There is no evidence hardware wallets are impacted.

This thread will be updated as new information becomes available.

[2]
An exploit allowed a malicious actor to drain funds from a number of wallets on Solana. As of 5am UTC approximately 7,767 wallets have been affected.

The exploit has affected several wallets, including Slope and Phantom. This appears to have affected both mobile and extension.

[3]
Engineers are currently working with multiple security researchers and ecosystem teams to identify the root cause of the exploit, which is unknown at this time.

[4]
There’s no evidence hardware wallets have been impacted – and users are strongly encouraged to use hardware wallets.

Do not reuse your seed phrase on a hardware wallet - create a new seed phrase.

Wallets drained should be treated as compromised, and abandoned.

[5]
If your wallet was one of the 7,767 impacted please complete this survey – engineers are investigating the root cause
https://solanafoundation.typeform.com/to/Rxm8STIT?typeform-source=admin.typeform.com

EDIT 3: Many RPC servers have gone offline due to white-hat hackers purposefully DDOSing them to slow down the hacker. Currently, it seems like the main Solana RPC server run by Triton as well as QuickNode and Ankr have gone offline. PLEASE DO NOT DDOS RPC SERVERS! IT ONLY MAKES IT HARDER FOR SOLANA AND DEVS TO DIAGNOSE THE ISSUE.

Not affected, cause I don't use my address for claiming airdrop sir ~XD

As always, in my opinion, the people who are getting this attacked most of the time it's from people are chasing airdrop and minted some free stuff on "Solana" since their network is being used because of its popularity in the past 6-12 month.

Not affected, cause I don't use my address for claiming airdrop sir ~XD

As always, in my opinion, the people who are getting this attacked most of the time it's from people are chasing airdrop and minted some free stuff on "Solana" since their network is being used because of its popularity in the past 6-12 month.