The attack that drained $8 million from over 9,000 Solana wallets in August was not the biggest hack of that week.
The Solana exploit was unusual because it resulted from insecure application code rather than smart contract code, and millions of dollars of assets went to a single attacker.
These were valid transactions, which initially complicated researchers’ efforts and worried all Solana users.
But it soon became clear that only accounts which had interacted with Slope Wallet were affected.
Slope’s mobile app transmitted encrypted seed phrases from users’ devices to the company’s server.
Once received, the seed phrases were stored in plaintext on Slope's servers. The attacker breached a third-party monitoring service running on those servers, which gave them access to the seed phrases.
The attacker executed the valid transactions and drained funds from compromised wallets.
Wallets whose externally generated seed phrase had been imported into Slope were also affected. Slope wallet users were urged to transfer their holdings to a hardware wallet or a centralized exchange, neither of which was vulnerable to the exploit.
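The root failure was that a secret which should never leave the user's device reached a server-side monitoring pipeline. As an added example (not Slope's code and not CertiK's), here is a Python scrubber a wallet app could run over every telemetry or crash-report payload before it leaves the device: it redacts fields whose names mark them as key material, redacts any run of lowercase words long enough to be a BIP39 mnemonic, and applies a final gate that refuses to ship a payload that still looks like it holds a secret. The sensitive field names, the word-length heuristic (a production scrubber would also check each word against the BIP39 wordlist) and the sample event are assumptions constructed for this example.

```python
import json
import re
from typing import Any

REDACTED = "[REDACTED]"
REDACTED_MNEMONIC = "[REDACTED_MNEMONIC]"

# Assumed field names (normalised to lowercase alphanumerics) that must never
# leave the device, whatever their value.
SENSITIVE_KEYS = {"seed", "seedphrase", "mnemonic", "privatekey", "secretkey", "keypair"}

# Heuristic for a BIP39-style mnemonic: a run of 12 or more lowercase words,
# each 3 to 8 letters long (the length range of the BIP39 wordlist).
# Over-redaction of ordinary prose is the safe failure mode here, so any run
# of 12+ such words is removed, not only runs of exactly 12/15/18/21/24.
MNEMONIC_RUN = re.compile(r"\b[a-z]{3,8}(?:\s+[a-z]{3,8}\b){11,}")


def _norm(key: str) -> str:
    """Normalise a field name so seed_phrase, seedPhrase and SEED-PHRASE all match."""
    return re.sub(r"[^a-z0-9]", "", key.lower())


def redact_text(text: str) -> str:
    """Replace anything that looks like a mnemonic inside free text."""
    return MNEMONIC_RUN.sub(REDACTED_MNEMONIC, text)


def scrub(obj: Any) -> Any:
    """Recursively copy a payload, removing key material by field name and by shape."""
    if isinstance(obj, dict):
        return {k: (REDACTED if _norm(k) in SENSITIVE_KEYS else scrub(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def contains_secret(obj: Any) -> bool:
    """Final gate: True if any sensitive field still carries a value or any string looks like a mnemonic."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if _norm(k) in SENSITIVE_KEYS and v != REDACTED:
                return True
            if contains_secret(v):
                return True
        return False
    if isinstance(obj, list):
        return any(contains_secret(v) for v in obj)
    if isinstance(obj, str):
        return MNEMONIC_RUN.search(obj) is not None
    return False


def build_report(event: dict) -> str:
    """Serialise a telemetry event for upload, refusing to ship it if scrubbing was not enough."""
    scrubbed = scrub(event)
    if contains_secret(scrubbed):
        raise ValueError("refusing to send telemetry that still contains key material")
    return json.dumps(scrubbed, sort_keys=True)


# Constructed sample crash report. The mnemonic is the first twelve words of the
# public BIP39 wordlist, used here purely as a recognisable placeholder.
SAMPLE_EVENT = {
    "event": "wallet_restore_failed",
    "device": "android-13",
    "wallet": {
        "address": "<placeholder-address>",
        "mnemonic": "abandon ability able about above absent absorb abstract absurd abuse access accident",
    },
    "message": "app crashed after restore, phrase was abandon ability able about above absent absorb abstract absurd abuse access accident",
}

if __name__ == "__main__":
    print("raw event leaks a secret:", contains_secret(SAMPLE_EVENT))
    print(build_report(SAMPLE_EVENT))
```

The two layers are deliberate: the field-name check catches the structured case (a wallet object serialised wholesale into a crash dump), while the shape check catches a phrase that a user pasted into a support message or that an exception string happened to include. The gate in `build_report` turns a scrubbing bug into a dropped report rather than a leaked seed, which is the right trade for data that, once on a server, can drain the wallet.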
While the funds are unlikely to be recovered, the crypto community did strike back.
A popular Solana influencer sent an NFT to the attacker's wallet; its metadata pointed to a hosted image, and the requests collected for that image revealed the attacker's public IP address.
CertiK conducted a preliminary penetration test of Slope wallet’s code in 2021, with no response from the Slope team. Pre-release auditing should be the default for all Web3 projects.
Being open-source is not enough on its own, since any vulnerabilities in public code will quickly become public too. To learn more about the Slope Wallet Exploit, visit CertiK.com/resources