Experts find private keys on Slope servers, still puzzled over access


Blockchain auditing firms are still trying to figure out how hackers gained access to about 8,000 private keys used to drain Solana-based wallets.

Investigations are ongoing after attackers managed to steal some $5 million worth of SOL and SPL tokens on Aug. 3. Ecosystem participants and security firms are assisting in uncovering the intricacies of the event.

Solana has worked closely with Phantom and Slope.Finance, the two SOL wallet providers that had user accounts affected by the exploits. It has since emerged that some of the private keys that were compromised were directly tied to Slope.

Blockchain audit and security firms Otter Security and SlowMist assisted in ongoing investigations and unpacked their findings in direct correspondence with Cointelegraph.

Otter Security founder Robert Chen shared insights from first-hand access to affected resources in collaboration with Solana and Slope. Chen confirmed that a subset of affected wallets had private keys which were present on Slope’s Sentry logging servers in plaintext:

“The working theory is that an attacker somehow exfiltrated these logs and was able to use this to compromise the users. This is still an ongoing investigation, and current evidence does not explain all of the compromised accounts.”

Chen also told Cointelegraph that some 5,300 private keys which were not a part of the exploit were found in the Sentry instance. Nearly half of these addresses still have tokens in them — with users urged to move funds if they have not done so already.

The SlowMist team came to a similar conclusion after being invited to analyze the exploit by Slope. The team also noted that the Sentry service of Slope Wallet collected the user’s mnemonic phrase and private key and sent it to o7e.slope.finance. Once again, SlowMist could not find any evidence explaining how the credentials were stolen.
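The failure SlowMist describes is a telemetry client shipping wallet secrets to the logging server. Sentry's client SDKs let an application filter every event before it is sent; the scrubber below is an added example (not Slope's or Sentry's code) showing how a wallet could redact mnemonic phrases and keypairs, both by field name and by value shape, so they never leave the device. The function names, regular expressions and sample event are this example's own assumptions.

```javascript
// Field names that should never be logged, compared after stripping _ and -.
const SECRET_KEYS = /^(mnemonic|seed|seedphrase|privatekey|secretkey|keypair)$/i;
// Shape of a BIP39 phrase: 12 to 24 lowercase words of 3-8 letters. We match
// shape only, not the wordlist, so the check errs towards redacting.
const MNEMONIC_RE = /^(?:[a-z]{3,8}\s+){11}(?:[a-z]{3,8}\s+){0,12}[a-z]{3,8}$/;
// Base58 string of 86-88 chars, the size of a 64-byte ed25519 keypair.
const BASE58_KEY_RE = /^[1-9A-HJ-NP-Za-km-z]{86,88}$/;

function isSecretValue(v) {
  if (typeof v !== 'string') return false;
  const s = v.trim();
  return MNEMONIC_RE.test(s) || BASE58_KEY_RE.test(s);
}

// Walk the event recursively; redact by key name first, then by value shape.
function scrub(value, key = '') {
  if (SECRET_KEYS.test(key.replace(/[_-]/g, ''))) return '[REDACTED]';
  if (typeof value === 'string') return isSecretValue(value) ? '[REDACTED]' : value;
  if (Array.isArray(value)) return value.map((v) => scrub(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrub(v, k);
    return out;
  }
  return value;
}

// Drop-in for Sentry.init({ beforeSend: scrubEvent }). Returning null would
// discard the event; here the event is kept with the secrets removed.
function scrubEvent(event) {
  return scrub(event);
}

// Constructed sample event of the kind a wallet might emit on an import error.
const SAMPLE_EVENT = {
  message: 'import failed',
  extra: {
    mnemonic: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
    wallet: { secret_key: '4'.repeat(87), pubkey: 'Abc' }, // constructed key
    note: 'user clicked import',
  },
  breadcrumbs: [{ data: { phrase: 'zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong' } }],
};

module.exports = { scrubEvent, isSecretValue, SAMPLE_EVENT };
```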

Cointelegraph also reached out to Chainalysis, which confirmed that it was carrying out blockchain analysis on the incident after sharing initial findings online. The blockchain analysis firm also noted that the exploit mainly affected users that had imported accounts to or from Slope.Finance.

While the incident absolves Solana from bearing the brunt of the exploit, the situation has highlighted the need for auditing services of wallet providers. SlowMist recommended that wallets should be audited by multiple security companies before release and called for open source development to increase security.

Chen said that some wallet providers had “flown under the radar” when it came to security when compared to decentralized applications. He hopes to see the incident shift user sentiment towards the relationship between wallets and validation from external security partners.
