Blockchain audit firms are still trying to figure out how hackers gained access to the roughly 8,000 private keys used to empty Solana-based wallets.
The investigation continues after the attackers managed to steal about $5 million worth of SOL and SPL tokens on August 3rd. Ecosystem members and security firms are helping to unravel the ins and outs of the event.
Solana worked closely with Phantom and Slope.Finance, two SOL wallet providers whose accounts were affected by the exploits. It has since emerged that some of the compromised private keys were directly related to Slope.
Blockchain audit and security firms Otter Security and SlowMist have assisted with ongoing investigations and unpacked their findings in direct correspondence with Cryptooshala.
Otter Security founder Robert Chen shared insights from his personal access to the affected resources, gained in collaboration with Solana and Slope. Chen confirmed that a subset of the affected wallets had private keys that were present in clear text on the Slope Sentry logging servers:
“The working theory is that the attacker somehow filtered these logs and was able to use them to compromise users. This is still an ongoing investigation and the available evidence does not explain all of the compromised accounts.”
Chen also told Cryptooshala that about 5,300 private keys were found in the Sentry instance that were not part of the exploit. Almost half of these addresses still have tokens – users are strongly encouraged to transfer funds if they have not already done so.
The SlowMist team came to a similar conclusion after being invited by Slope to analyze the exploit. The team also noted that the Slope Wallet's Sentry service collected the user's mnemonic phrase and private key and sent them to o7e.slope.finance. Again, SlowMist was unable to find any evidence explaining how the credentials were stolen.
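The failure mode described above is telemetry that captures wallet secrets along with everything else on the screen. As an added example (not code from Slope, Otter Security or SlowMist), the scrubber below redacts mnemonic phrases and private-key material from an error event before it leaves the device; its heuristic patterns, field-name rule and sample event are constructed assumptions, and the `before_send` wrapper follows the shape of the hook that error-reporting SDKs such as Sentry's expose.

```python
import re
from typing import Any

REDACTED = "[REDACTED]"

# Heuristic patterns for wallet secrets (a production scrubber would also check
# each word against the BIP39 wordlist instead of relying on shape alone).
PATTERNS = [
    # 12 to 24 lowercase words of 3-8 letters: the shape of a BIP39 mnemonic
    re.compile(r"\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b"),
    # base58 string of roughly 88 chars: a 64-byte secret key as wallets export it
    re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{80,90}\b"),
    # JSON array of 64 byte values: the keypair-file format of solana-keygen
    re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]"),
]
# Field names that must never reach a telemetry backend regardless of value
SENSITIVE_KEY = re.compile(r"mnemonic|seed|private|secret|keypair", re.IGNORECASE)


def scrub(value: Any) -> tuple[Any, int]:
    """Return a redacted copy of value and the number of redactions made."""
    if isinstance(value, str):
        hits = 0
        for pattern in PATTERNS:
            value, n = pattern.subn(REDACTED, value)
            hits += n
        return value, hits
    if isinstance(value, dict):
        out, hits = {}, 0
        for key, item in value.items():
            if SENSITIVE_KEY.search(str(key)):
                out[key], hits = REDACTED, hits + 1
            else:
                out[key], n = scrub(item)
                hits += n
        return out, hits
    if isinstance(value, (list, tuple)):
        items = [scrub(item) for item in value]
        return [item for item, _ in items], sum(n for _, n in items)
    return value, 0


def before_send(event: dict, hint: Any = None) -> dict:
    """before_send-style hook: ship the event, but only after scrubbing it."""
    scrubbed, _ = scrub(event)
    return scrubbed


# Constructed sample: an error event whose context captured a wallet import form
SAMPLE_EVENT = {
    "message": "restore failed after pasting: witch collapse practice feed shame open despair creek road again ice least",
    "extra": {
        "clipboard": "3" + "Kx9" * 29,  # 88 base58 chars, secret-key shape
        "form": {"field_1": "[" + ",".join(["12"] * 64) + "]"},  # keypair-file shape
        "seed_phrase": "redacted by field name, value not inspected",
        "network": "mainnet-beta",
    },
}
```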
Cryptooshala also reached out to Chainalysis, which confirmed it was conducting a blockchain analysis of the incident after sharing initial findings online. The blockchain analysis firm also noted that the exploit mainly affected users who imported accounts to or from Slope.Finance.
While the incident absolves Solana of liability for the exploit, the situation highlighted the need for an audit of wallet providers’ services. SlowMist recommended that wallets be reviewed by multiple security companies before release and called for open source development to improve security.
Chen said some wallet providers have “flown by” when it comes to security compared to decentralized applications. He hopes the incident will change user attitudes towards the relationship between wallets and verification by external security partners.
Credit: cointelegraph.com