Seed Phrase Compromise May Have Caused Solana Wallets Drain
'No Evidence' That Solana Protocol or Cryptography Compromised
Initial investigations into an attack that drained up to $8 million from internet-connected wallets on the Solana blockchain point to a breakdown in cryptographic secrecy.
There's currently "no evidence" that the Solana protocol or its cryptography were compromised, the blockchain's Twitter account says. Blockchain investigations firm PeckShield estimates digital thieves stole about $8 million from Solana investors in an attack that likely began Tuesday morning. More recent estimates of the theft's total value come in lower, with cybersecurity firm OtterSec now assessing losses at $4 million (see: Hackers Steal $8M in Ongoing Attack on Solana Hot Wallets).
The nearly 8,000 affected addresses were all "at one point created, imported, or used in Slope mobile wallet applications," Solana says. It came to that conclusion after an investigation conducted by developers, ecosystem teams and security auditors.
"While the details of exactly how this occurred are still under investigation, but private key information was inadvertently transmitted to an application monitoring service," Solana says.
OtterSec says it "independently confirmed" that Slope's mobile app sent what's known as a mnemonic code to a centralized Sentry server, the error-monitoring service Slope used.
A mnemonic code, also known as a seed phrase, is a list of words that users choose when establishing a new wallet. It is meant to be kept secret. Mnemonics are a backup mechanism in case users lose the private cryptographic key matched to the wallet, but anyone who possesses the list can take control of the wallet. OtterSec says the seed phrases transmitted to the Sentry server were not encrypted.
That scenario is the likely cause for at least some of the exploited wallets, says Robert Chen, founder of OtterSec. "This means that Slope's logging sends off private key data to its centralized logging servers, which potentially was compromised at some point," he tells Information Security Media Group.
The company continues to investigate alternative attack vectors, Chen says, since not all hacked addresses could be accounted for through an examination of Sentry logs. "Approximately 1,400 of the addresses in the exploit were present in Sentry logs," the company says. "We are still investigating this discrepancy and possible other vectors."
Slope adds that server-side logging was removed "as soon as the vulnerability was discovered."
"At this moment, 1444 (15%) of the 9223 wallets affected could potentially be traced back to this vulnerability," it says.
The company also found more than 5,300 private keys on Sentry that were not part of the exploit. "2,358 of these addresses have tokens in them. If you used Slope, PLEASE MOVE YOUR FUNDS," the company says.
In a statement, Slope says "nothing is yet firm" about the breach's cause. It nonetheless recommends that users of internet-connected wallets create a new seed phrase. Hardware wallets are unaffected by the incident.
In contrast to hot wallets, cold wallets - or hard wallets - are not connected to the web and are typically USB devices that must be plugged into a system to carry out transactions. Users should not reuse their cold wallet seed phrases.
Slope also recommends that users create a new seed phrase in a new wallet until the root cause of the attack is confirmed.
Slope also says law enforcement agencies have been informed in order to proceed with criminal investigations against the attackers. It did not specify how many attackers there were or who they are, but on Wednesday said it had identified four wallets as associated with the hackers.
Solana recommends that the drained wallets be "treated as compromised, and abandoned." For those whose wallets were not drained, it recommends the use of hard wallets to store funds.