Author

Topic: Solana Slope Wallet Vulnerabilities (Read 225 times)

legendary
Activity: 1932
Merit: 1273
August 19, 2022, 02:52:28 AM
#22
A week late, but in case anyone is interested and hasn't heard any new updates about the issue. Here it is.

To the Slope Community,

Thank you for your support and patience over the course of the last week. We apologize for not being more communicative during these challenging times.

It is important to us that we provide you with independently verified facts and a solid plan for the near future, rather than adding to further speculation. Starting from day one, the team has been focused on investigating the root cause of the wallet hack incident and the recovery of assets. We have been working tirelessly over the last week with the auditors OtterSec and SlowMist, and the cybercrime firm TRM. The auditors received full access to all databases, data pipelines, server logs, and application source code. The auditors’ investigations are nearing their conclusion, and we feel it’s now appropriate to provide regular updates.

Before we get to that, we want first to say that we sincerely apologize to all those who were affected by the wallet hack last week. We are genuinely sorry for all the losses suffered and are doing everything we can to make it right.

Here are the most important findings from the independent audits:

    There was a vulnerability in the Slope on-premise 3rd-party application monitoring service on Slope Wallets on mobile from July 28th to August 3rd that inadvertently logged sensitive data in cases where the apps generated an error event.
    There is no evidence that all security layers (e.g., transmission and storage) were compromised. All the transmission to the 3rd-party application monitoring server is protected through HTTPS end-to-end encryption, and access to the 3rd-party application monitoring server is controlled through 3-factor authentication.
    As confirmed in previous interim reports from Ottersec, the investigation team has cross-compared all hacked addresses (9,232 addresses in total) vs. all exposed addresses from the vulnerability in the 3rd-party application monitoring database:
    -The number of all hacked addresses is larger than the total number of addresses ever exposed from the 3rd-party application monitoring server.
    -A fraction (1,444 addresses) of the total exposure from the 3rd-party application monitoring server has been confirmed drained in cross-comparison.

Although there is no conclusive evidence from the auditors to link the Slope vulnerability to the exploit, its very existence put a lot of assets in danger. This is nowhere near the security standard that Slope set out to establish and maintain, and we are deeply regretful of these occurrences. Security is paramount to us, and our user base is everything. We should never have let this happen.

We found no additional vulnerabilities during the investigation and intense scrutiny by multiple parties. Therefore, we believe the latest patched version of Slope Wallet is safe to use. The Slope team will continue to obtain regular audit reports and work with security professionals on a rolling basis.

We will work hard to earn your trust back, hunting down the hacker, recovering stolen assets, and making our users whole.

So where do we go from here?

Expect regular updates on the following topics:

    Detailed fact-sheet walk-throughs of the full scope of the vulnerability and everything we’ve learned and improved on going forward.
    A revamped product roadmap that doubles down on security.
    Details on the asset recovery measures for compromised wallets.

Thank you again for your patience and understanding as we work through this. Please monitor our official Twitter account (@slope_finance) for further updates.

Sincerely,
Slope Team

Unsatisfactory, I suppose. The compromised seed phrases are larger than the vulnerability from Slope Wallet, could it be an users that move their seed phrase to Slope or there is any further unknown vulnerability? And how could they can be so sure that all the compromised seed phrase has nothing to do with their own wallet?
legendary
Activity: 2884
Merit: 1117
August 08, 2022, 10:55:36 AM
#21
What I do not get is that SOL provided the fact that they do not have a fully functioning product way before, like it has been about a year since the first problem arise, and people ignored and then the price kept on going up, looking at it right now, I see that sol wallets are getting hacked, and people are still not selling it.

So, for the past 1 year SOL told the people of the world that it shouldn't be trusted and people are still trusting it for some reason. Is there any SOL investor here that could tell me why that is? I really want to know, for me it is an untrustworthy broken chain, and for some reason you hold it, why is that? And what makes you trust it?
hero member
Activity: 2156
Merit: 685
August 05, 2022, 08:09:04 AM
#20
I did not experience this abuse because I had always been distant to their left wallet. If I hold it, I will keep my left tokens in the exchanges, from now on, it has been an abuse that has really victimized many people, I think the problem here needs to be resolved. I usually see hackers as people interacting with 3rd party software, that is, people chasing free nft and free airdrops, they are being abused. Who should take responsibility here?
legendary
Activity: 1932
Merit: 4602
Buy on Amazon with Crypto
August 05, 2022, 07:31:19 AM
#19
The fault is on slope wallet devs, they should take responsibility for this losses because its simply their fault, also this will serve as a warning to people looking for new wallets to keep their tokens and coins.
The fault of the developers can only be when there is a proven intentional possibility of using this vulnerability.
I do not use this ecosystem, but I am interested in the possibilities of blocking USDT and USDS tokens on these wallets, because this is the main asset.
member
Activity: 234
Merit: 35
Moon.win
August 05, 2022, 07:09:00 AM
#18
The fault is on slope wallet devs, they should take responsibility for this losses because its simply their fault, also this will serve as a warning to people looking for new wallets to keep their tokens and coins.
hero member
Activity: 2660
Merit: 551
August 05, 2022, 06:43:04 AM
#17
^^ Wow, so the mnemonic phrase is there in plain text and that anyone who has knowledge has used it and hack the wallet. And how stupid it is for the people behind to design it like that?

@FirmWars - regardless though, it is still an exploit that could have been prevented if they are just very careful about the codes. And in the bear market, we don't need to hear when people losing money or reputation of a project has been tainted. Although it is not related to their protocol and it was in the Slope Wallet.
legendary
Activity: 2114
Merit: 1150
https://bitcoincleanup.com/
August 05, 2022, 06:12:39 AM
#16
Found this in another thread:

4/ The Slope Wallet for iOS and Android uses Sentry for event logging.

Any interaction in the app would trigger an event log.

Unfortunately, Slope didn't configure Sentry to scrub sensitive info. Thus, mnemonics were leaked to Sentry

s/o to
@sniko_
 for this screenshot:

member
Activity: 242
Merit: 86
August 05, 2022, 03:03:36 AM
#15
This hack is not big enough to make solana crash a lot and also it seems that freebies are the ones affceted, I meant those that love to claim free tokens and stuff, I am not a fan of solana and I don't think I will ever be.
legendary
Activity: 1932
Merit: 1273
August 04, 2022, 07:26:25 PM
#14
OP updated to reflect what's news.

Even though the communities are still finding out the actual issue/root causes of the vulnerabilities, major points that could be taken are:

- The issue is not related to the Solana protocol
- The issue is not related to web3 ecosystem supply chain attack
- The culprit of the issue is Slope Wallet
full member
Activity: 274
Merit: 101
August 04, 2022, 11:10:39 AM
#13
This seems like almost intentional exploits built in the paper network of Sol that can break down anytime if the 'hackers' want as they claim. How come a network with so many devs can't even verify and audit any code from 3rd party apps but still welcome them with open arm? LOL, still wonder why anyone still stays with Sol in nearly endless of crashes and outrages.
hero member
Activity: 1113
Merit: 507
Don't Get Involved
August 04, 2022, 02:50:32 AM
#12
Who still hold assets on Solana network and keep safety until now? every days I check with my friend talk me about loss their solona coin and have some of them with NFT network Solana. Exploit happening with Solana network give bad reputation for cryptocurrency because hold assets is not safe again, many time we hear about hacking and stolen assets not only on exchange market but also right now we got stolen on wallet network directly. What the next network not safety again for the future and we don't save assets there.
legendary
Activity: 2254
Merit: 1377
Fully Regulated Crypto Casino
August 04, 2022, 02:48:32 AM
#11
It was 100% already known that SOL has a lot of technical issues and yet people still do invest into it. In fact, so much so that people are not selling their SOL too much right now neither, if this gets big then maybe there will be a bit of a problem but we have not seen it get big at all.
Theres a lot of whale that hodl sol and even Sam has a lot of it thats why we cant see a major dump on it. Though some retailers already sold their bags, its not enough to put it down and to realize that theres too much error or mistakes on the network. Since big players wont let it dump, I think they will find a way to make it all fixed. I hate solana and Im a true blood Avalanche but the backers of this project is huge.
legendary
Activity: 3654
Merit: 1165
www.Crypto.Games: Multiple coins, multiple games
August 04, 2022, 02:00:33 AM
#10
It was 100% already known that SOL has a lot of technical issues and yet people still do invest into it. In fact, so much so that people are not selling their SOL too much right now neither, if this gets big then maybe there will be a bit of a problem but we have not seen it get big at all.

This means that even though they keep freezing the chain, even though they proved everyone they are centralized, even though there are some hackings going on, people are yet to see this project as a failed one. I have no idea why, I sold mine a long time ago and will never look back and anytime I hear about it, it is a bad one. But, people still do prefer it for some reason.
legendary
Activity: 1932
Merit: 1273
August 03, 2022, 11:40:07 PM
#9
EDIT 5: ETH maxis, let's not forget your $190m Nomad hack yesterday Smiley
It looks like they have a lot of time in their hands to engage in some network trash talks.
Darn it, I forgot to include that parts  Grin



Seems the investigation is still ongoing but looks like the community might have found the main culprit, which is the Slope wallet. And one point to note, this vulnerability isn't related to Solana protocol or Daaps.

New updates:

https://nitter.net/SolanaStatus/status/1554921396408647680
After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. 1/2

This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure.

While the details of exactly how this occurred are still under investigation, but private key information was inadvertently transmitted to an application monitoring service.  2/3

There is no evidence the Solana protocol or its cryptography was compromised. 3/3

Official statement from Slope Finance:

Dear Slope Community,

Here is what we know at this juncture regarding the breaches to our user base:

    A cohort of Slope wallets were compromised in the breach
    We have some hypotheses as to the nature of the breach, but nothing is yet firm
    We feel the community’s pain, and we were not immune. Many of our own staff and founders’ wallets were drained

Actions we are taking:

    We are actively conducting internal investigations and audits, working with top external security and audit groups
    We are working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify

While we have not fully confirmed the nature of the breach, in the spirit of safeguarding our user base, we recommend ALL Slope users do the following:

Create a new and unique seed phrase wallet, and transfer all assets to this new wallet. Again, we do not recommend using the same seed phrase on this new wallet that you had on Slope.

If you are using a hardware wallet, your keys have not been compromised.

We are still actively diagnosing, and are committed to publishing a full post mortem, earning back your trust, and making this as right as we can.

Thank you,
Slope Team
legendary
Activity: 2114
Merit: 1150
https://bitcoincleanup.com/
August 03, 2022, 03:03:39 AM
#8
I neither use the network nor follow updates on Solana but every time I see posts about them, it's almost always about hacking indcidents. How many attacks has it been since it was launched? RIP to the affected wallets. Hopefully, none of them commit something horrible/tragic for losing their funds.

~
I don't think attackers would have gained millions from airdrop hunters.
I wouldn't underestimate the value of tokens/coins held by airdrop hunters because some of them use their main wallet for these purposes or just don't have other accounts.
legendary
Activity: 1932
Merit: 1273
August 03, 2022, 02:13:30 AM
#7
As always, in my opinion, the people who are getting this attacked most of the time it's from people are chasing airdrop and minted some free stuff on "Solana" since their network is being used because of its popularity in the past 6-12 month.
Yea, accumulating airdrop or free stuff does increase the chance of some users interacting with shady apps. For this specific issue the root causes are still uncertain, so it might be more than that.

hopefully they can migrate to hardware wallet ASAP.
According to Solana Foundation, it is indeed suggested since currently there are no hardware wallet users affected.



Some latest update from @SolanaStatus, the Twitter account is run by Solana Foundation.

https://nitter.net/SolanaStatus/status/1554658171934937090
[1]
Engineers from multiple ecosystems, with the help of several security firms, are investigating drained wallets on Solana. There is no evidence hardware wallets are impacted.

This thread will be updated as new information becomes available.

[2]
An exploit allowed a malicious actor to drain funds from a number of wallets on Solana. As of 5am UTC approximately 7,767 wallets have been affected.

The exploit has affected several wallets, including Slope and Phantom. This appears to have affected both mobile and extension.

[3]
Engineers are currently working with multiple security researchers and ecosystem teams to identify the root cause of the exploit, which is unknown at this time.

[4]
There’s no evidence hardware wallets have been impacted – and users are strongly encouraged to use hardware wallets.

Do not reuse your seed phrase on a hardware wallet - create a new seed phrase.

Wallets drained should be treated as compromised, and abandoned.

[5]
If your wallet was one of the 7,767 impacted please complete this survey – engineers are investigating the root cause
https://solanafoundation.typeform.com/to/Rxm8STIT?typeform-source=admin.typeform.com

And here is some shitshow Cheesy
EDIT 3: Many RPC servers have gone offline due to white-hat hackers purposefully DDOSing them to slow down the hacker. Currently, it seems like the main Solana RPC server run by Triton as well as QuickNode and Ankr have gone offline. PLEASE DO NOT DDOS RPC SERVERS! IT ONLY MAKES IT HARDER FOR SOLANA AND DEVS TO DIAGNOSE THE ISSUE.
legendary
Activity: 3010
Merit: 1028
Leading Crypto Sports Betting & Casino Platform
August 03, 2022, 12:53:55 AM
#6
I never used solana as i know how garbage this blockchain is after so many outages that happened before. Just see how stupid people who keep believing in this shit. The attack is still happening now and more than 7 millions USD already drained from so many personal wallet that owned by users.
Just wanna see how those people who got affected will be compensated. I never agreed to use the garbage blockchain and its ecosystem. How people are so dumb keep buying this shit in the market.
Ethereum killer? This blockchain may die soon. RIP solana.
hero member
Activity: 2520
Merit: 952
August 03, 2022, 12:31:20 AM
#5
Not affected, cause I don't use my address for claiming airdrop sir ~XD

As always, in my opinion, the people who are getting this attacked most of the time it's from people are chasing airdrop and minted some free stuff on "Solana" since their network is being used because of its popularity in the past 6-12 month.

I don't think attackers would have gained millions from airdrop hunters.
hero member
Activity: 1113
Merit: 507
Don't Get Involved
August 02, 2022, 11:06:30 PM
#4
Not affected, cause I don't use my address for claiming airdrop sir ~XD

As always, in my opinion, the people who are getting this attacked most of the time it's from people are chasing airdrop and minted some free stuff on "Solana" since their network is being used because of its popularity in the past 6-12 month.
Claiming airdrop or not I think better you move assets to hard ware wallet or to exchange because have many people become victim with Solana network exploit, few hour ago my friend told us he loss SOL fund saving on sol wallet and looks not safe keep hold and save your assets on Phantom or Sollet io. Before late and loss all your fund better save it on exchange wallet until the issues about Solana wallet exploit fix by developer.
hero member
Activity: 2632
Merit: 833
August 02, 2022, 10:49:30 PM
#3
Nah, I don't have SOL to be honest, but for sure there will be some of us here that might be affected by the exploit and hopefully they can migrate to hardware wallet ASAP.

And this is another sad day for crypto users, as the hackers seems to be always just one step of the game from this developers. And again, hopefully they can make a patch immediately.
legendary
Activity: 2660
Merit: 1261
August 02, 2022, 09:02:42 PM
#2
Not affected, cause I don't use my address for claiming airdrop sir ~XD

As always, in my opinion, the people who are getting this attacked most of the time it's from people are chasing airdrop and minted some free stuff on "Solana" since their network is being used because of its popularity in the past 6-12 month.
legendary
Activity: 1932
Merit: 1273
August 02, 2022, 08:56:54 PM
#1
It seems there are widespread exploit that happens within the Solana ecosystem. The causes are still unknown. A few sources I observed claim that revoking any apps from your Sol wallets doesn't help, looks like there is nothing you can do but migrate your Sol into cold storage or hardware wallet.

Suspected attacker wallets:
- https://solscan.io/account/CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu
- https://solscan.io/account/Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV

Reposted information from /r/solana:

ONGOING EXPLOIT ACROSS MANY SOLANA DAPPS

There are many gambling sites and NFT mint sites that are suspected to be involved in this attack. Millions of dollars are currently being drained from wallets. We are actively working with teams (including wallet providers) to investigate the issue further and attempt to mitigate the exploit.

PLEASE CHECK YOUR WALLETS TO ENSURE THAT YOUR FUNDS ARE SAFE. CONSIDER MOVING YOUR FUNDS TO A HARDWARE WALLET SUCH AS LEDGER.

Attacker wallets:https://solscan.io/account/CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEuhttps://solscan.io/account/Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV

I will share more updates at https://twitter.com/solblaze_org/status/1554621959870169089 as I continue to receive more information about this attack.

Further relevant information:

https://nitter.net/phantom/status/1554626111535026177
We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem. At this time, the team does not believe this is a Phantom-specific issue.

As soon as we gather more information, we will issue an update.

https://nitter.net/solblaze_org/status/1554628258963922944
It seems like this attack is mainly impacting browser and mobile wallets. We are actively working with teams to further investigate the issue and will continue to provide updates as we learn more.

https://nitter.net/solanafm/status/1554636582564417536
The community has identified these 4 wallets as the hackers & we have tagged them on our explorer.

CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu
Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV
5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3n
GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy



Thoughts? Does any of you here affected?



EDIT:
Some latest update from @SolanaStatus, the Twitter account is run by Solana Foundation.

https://nitter.net/SolanaStatus/status/1554658171934937090
[1]
Engineers from multiple ecosystems, with the help of several security firms, are investigating drained wallets on Solana. There is no evidence hardware wallets are impacted.

This thread will be updated as new information becomes available.

[2]
An exploit allowed a malicious actor to drain funds from a number of wallets on Solana. As of 5am UTC approximately 7,767 wallets have been affected.

The exploit has affected several wallets, including Slope and Phantom. This appears to have affected both mobile and extension.

[3]
Engineers are currently working with multiple security researchers and ecosystem teams to identify the root cause of the exploit, which is unknown at this time.

[4]
There’s no evidence hardware wallets have been impacted – and users are strongly encouraged to use hardware wallets.

Do not reuse your seed phrase on a hardware wallet - create a new seed phrase.

Wallets drained should be treated as compromised, and abandoned.

[5]
If your wallet was one of the 7,767 impacted please complete this survey – engineers are investigating the root cause
https://solanafoundation.typeform.com/to/Rxm8STIT?typeform-source=admin.typeform.com

And here is some shitshow Cheesy
EDIT 3: Many RPC servers have gone offline due to white-hat hackers purposefully DDOSing them to slow down the hacker. Currently, it seems like the main Solana RPC server run by Triton as well as QuickNode and Ankr have gone offline. PLEASE DO NOT DDOS RPC SERVERS! IT ONLY MAKES IT HARDER FOR SOLANA AND DEVS TO DIAGNOSE THE ISSUE.



EDIT1:
Seems the investigation is still ongoing but looks like the community might have found the main culprit, which is the Slope wallet. And one point to note, this vulnerability isn't related to Solana protocol or Daaps.

New updates:

https://nitter.net/SolanaStatus/status/1554921396408647680
After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. 1/2

This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure.

While the details of exactly how this occurred are still under investigation, but private key information was inadvertently transmitted to an application monitoring service.  2/3

There is no evidence the Solana protocol or its cryptography was compromised. 3/3

Official statement from Slope Finance:

Dear Slope Community,

Here is what we know at this juncture regarding the breaches to our user base:

    A cohort of Slope wallets were compromised in the breach
    We have some hypotheses as to the nature of the breach, but nothing is yet firm
    We feel the community’s pain, and we were not immune. Many of our own staff and founders’ wallets were drained

Actions we are taking:

    We are actively conducting internal investigations and audits, working with top external security and audit groups
    We are working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify

While we have not fully confirmed the nature of the breach, in the spirit of safeguarding our user base, we recommend ALL Slope users do the following:

Create a new and unique seed phrase wallet, and transfer all assets to this new wallet. Again, we do not recommend using the same seed phrase on this new wallet that you had on Slope.

If you are using a hardware wallet, your keys have not been compromised.

We are still actively diagnosing, and are committed to publishing a full post mortem, earning back your trust, and making this as right as we can.

Thank you,
Slope Team



EDIT2:

https://nitter.net/Austin_Federa/status/1554935012386037760
We spun up a Typeform to collect data and the results were clear – of those drained ~60% were Phantom users and 40% Slope users. But after extensive interviews and requests to the community, we couldn't find a single Phantom-forever user who had their wallet drained
~
The investigations are ongoing, and I can't stress enough the importance of creating a new seed phrase in a non-slope wallet, and moving any assets you have in a Slope hot wallet over.

Then go buy a hardware wallet.
~
And what about the ETH users drained?

Turns out, they'd been using their Solana BIP39 phrase in Ethereum, too! So the hacker inadvertently was able to access assets stored on ETH.

From the outside, it was indistinguishable from a supply chain attack.



EDIT3:

https://nitter.net/Zellic_io/status/1554936143220617216
1/ First, the following theories are considered very unlikely and entirely rejected:

- issues in Solana core
- issues in SPL token
- crypto issues (e.g. weak RNGs)
- widespread user devices compromise
- supply chain (compromised libraries)

2/ In the war room, we first hypothesized that wallets may be leaking mnemonics or private keys to Sentry.

After further investigation with the community, this is what we found:

3/ First, let's talk about Sentry.

Sentry is an event logging platform used for reporting errors in apps.

If a certain event occurs in the app, a request containing the details & environment is logged to the company's Sentry.

Many companies use Sentry on websites & mobile.

4/ The Slope Wallet for iOS and Android uses Sentry for event logging.

Any interaction in the app would trigger an event log.

Unfortunately, Slope didn't configure Sentry to scrub sensitive info. Thus, mnemonics were leaked to Sentry

s/o to @sniko_
 for this screenshot: https://pbs.twimg.com/media/FZQ-MU6VQAAHh0a?format=jpg&name=4096x4096

5/ However, Slope has been using Sentry for only 1 week now.

**Hypothetically**, an attacker *with access to Sentry* could go through event logs and steal the thousands of mnemonics leaked in the past week

Then drain thousands of wallets.
~

https://nitter.net/osec_io/status/1555087555351420928
We have independently confirmed that Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server.
-
These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys.
-
Slope has been very helpful in sharing data related to the hack. We received the database 4:45 PM UTC August 3rd and immediately began our investigation. The Sentry logs spanned between July 28th and August 3rd.
-
Approximately 1,400 of the addresses in the exploit were present in Sentry logs. Notably, this does not account for all the hacked addresses.

We are still investigating this discrepancy and possible other vectors.
-
Over 5,300 private keys which were not a part of the exploit were found in the Sentry instance. 2,358 of these addresses have tokens in them. If you used Slope, PLEASE MOVE YOUR FUNDS
Jump to: