Blockchain audit firms are still trying to figure out how the hackers obtained the roughly 8,000 private keys used to drain Solana-based wallets.
The investigation is still ongoing after attackers successfully stole around $5 million worth of SOL and SPL tokens on August 3. Ecosystem players and security companies are helping to unravel the complexities of events.
Solana worked closely with Phantom and Slope.Finance, two SOL wallet providers whose user accounts were affected by the exploit. Since then, some of the compromised private keys have been directly related to Slope.
Blockchain auditing and security firms Otter Security and SlowMist assisted in the ongoing investigation and unraveled their findings in a direct correspondence with Cointelegraph.
Otter Security founder Robert Chen worked with Solana and Slope to share insights from first-hand access to affected resources. Chen confirmed that a subset of the affected wallets had private keys, which existed in clear text on Slope’s Sentry log server:
“The way it works is that the attacker somehow leaked these logs and was able to use it to compromise users. This is still an ongoing investigation and the current evidence doesn’t account for all the stolen accounts.”
Chen also told Cointelegraph that about 5,300 private keys that were not part of the exploit were found in the Sentry instance. Nearly half of these addresses still have tokens in them — urging users to move funds if they haven’t already.
The SlowMist team came to a similar conclusion after being invited by Slope to analyze the exploit. The team also noticed that Slope Wallet’s Sentry service collected users’ mnemonics and private keys and sent them to o7e.slope.finance. Once again, SlowMist could not find any evidence to explain how the credentials were stolen.
Cointelegraph also reached out to Chainalysis, which confirmed it was conducting a blockchain analysis of the incident after sharing preliminary findings onlineThe blockchain analysis firm also noted that the vulnerability primarily affected users who imported accounts to or from Slope.Finance.
While the incident exempted Solana from bearing the brunt of the attack, the situation highlighted the need for wallet provider auditing services. SlowMist recommends that the wallet should be audited by multiple security companies before release, and calls for open source development to improve security.
Some wallet providers are “overlooked” in terms of security compared to decentralized applications, Chen said. He would like to see the event turn user sentiment into the relationship between wallets and verification by external security partners.