Experts Review the Probable Cause of the Hack

16 August 16:23

[TL; DR]

🔹 Solana Foundation and Phantom blame Slope for the wallet hacking incident.

🔹 The hackers accessed seed phrases and private keys of the wallets they exploited.

🔹 Although Slope wallet admits that there was a vulnerability in their wallet product, it maintains that there is no proof that the hackers compromised its system.

🔹 Users can secure their digital assets by using cold wallets and self-custody wallets.

Introduction

On 2 August hackers stole millions of Solana tokens and other cryptocurrencies when they exploited the Solana wallet. Although various investigations have taken place, there is no verified conclusion of what exactly took place. In fact, the parties involved - Solana Foundation, Slope and Phantom- are passing the blame on each other. However, the hackers stole more cryptocurrency from the Phantom wallets than from Slope ones.

Both Slope and Phantom provide mobile phone wallets for cryptocurrencies for the Solana blockchain. For example, Slope has wallet applications for Android and iOS. Solscan, the blockchain explorer for the Solana network, has provided additional information on the wallet hacking incident. It produced vital statistics on the quantities of specific cryptocurrencies which the hackers stole. As an example, Solscan divulged that the exact number of crypto wallets that were exploited was 10,557, as reflected on its platform.

Source: Solscan

It has also given an exact monetary value of the cryptocurrencies the hackers syphoned from the Solana blockchain. They displayed this data in the following graph.

Source: Solscan

In addition, Solscan has provided the distribution of the stolen tokens in terms of percentages, as shown in the pie chart below.

Source: Solscan

This pie chart shows, for example, that 44.7% of the stolen cryptocurrencies were USDC while 26.4% were SOL tokens. Furthermore, Solscan provides the specific wallet addresses the hackers transferred the stolen cryptocurrencies to.

Source: Solscan

Experts’ views of what happened

At present, there is no verified explanation of how the hackers exploited the Solana wallets. However, most of the experts believe the hackers extracted important wallet information from one of the system servers. In fact, the experts believe the hackers got the seed phrases of the wallets and the private keys. This is because the system shows that the owners of the wallets authorized the transaction. Here, the hackers acted as if they were the real wallet owners. Basically, the analysts believe that the Slope wallet app sent unencrypted seed phrases to the server, resulting in anyone who accessed it to get them.

15% of the affected wallets were exploited in this way. Sometimes, the investigators found exposed private keys of 5 300 wallet addresses. However, the hackers did not breach these wallets. Meanwhile, Solana has informed the law enforcement agency about the hacking and the cryptocurrency theft in order to get its help.

Solana’s view of the hacking incident

Solana believes that the Slope wallet system exposed the users’ private keys. This is because most of the hacked wallets belonged to Slope. Also, there were transactions between Slope and the Phantom wallets which were hacked. Thus, Solana speculates that the Slope wallet app could have sent the private keys to the app’s events log in the Sentry service. As a result, the hackers could have accessed the entry logging services and got hold of the affected users’ private keys. Commenting on its infrastructure, Solana said, "This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network."

Solana has urged every wallet holder to “create a new and unique seed phrase wallet, and transfer all assets to this new wallet." In all, Solana blames the Slope wallet system for the hacking incident. As a fact, Slope is a browser extension and wallet application system used for sending and receiving cryptocurrencies.

Phantom’s view of Solana wallet hack

Phantom has the same view as Solana that the hackers exploited the Slope system. During importing accounts to and from Slope, there was relaying of the users’ data, such as private keys and seed phrases. Therefore, a point of failure on the Slope system exposed these vital data to the hackers. As a result, the hackers also stole cryptocurrencies from Phantom’s wallets. Phantom said, "Phantom has reason to believe that the reported exploits are due to complications related to importing accounts to and from Slope. We are still actively working to identify whether there may have been other vulnerabilities that contributed to this incident.”

Solana raised the same concern. It said, "After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications."

However, Solana still maintains that the investigation is still ongoing. It added, "While the details of exactly how this occurred are still under investigation, private key information was inadvertently transmitted to an application monitoring service. There is no evidence the Solana protocol or its cryptography was compromised."

Slope’s point of view

Although Slope admits that most of the victims of the hack were its users, it does not accept the total responsibility for the incident. So far, it has confirmed that it is working with several external security experts and auditors to determine the exact point of failure. Slope also admitted that there was a serious vulnerability on the mobile product but refuted that there was a point of failure on its system that resulted in the loss of the cryptocurrencies.

Lessons from the Solana wallet hack

Brian Norton, COO of MyEtherWallet said that what happened to Solana can also occur to any blockchain. He opines it is not secure to use “close-sourced centralized infrastructure.” He advises people to use self-custody wallets rather than centralized ones. This is because with self-custody wallets, “Your keys are your keys when you sign out of your wallets. Then nobody else has access to it, including us," he added. He emphasized that if the keys exist on a central server once hackers exploit it, the users lose their digital assets. Accordingly, the best thing to do is to use a cold wallet since hackers cannot easily exploit it.

Conclusion

The Solana wallet hack has exposed how vulnerable hot wallets are. Here, the hackers drained cryptocurrencies from web-based wallets but not from hard wallets. Unfortunately, this hacking incident has tainted a bad image of Solana as a competitor of Ethereum. Sadly, the Solana blockchain has experienced many blockchain downtimes and security breaches, something which can scare users from it. However, since investigations are still ongoing, the best we can do is to wait for more information on what exactly took place.

Author: Mashell C., Gate.io Researcher
This article represents only the views of the researcher and does not constitute any investment suggestions.
Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all cases, legal action will be taken due to copyright infringement.