Blockchain audit firms are still trying to determine how attackers gained access to roughly 8,000 private keys that were used to drain Solana wallets.
Investigations are underway after attackers stole about $5 million worth of SOL and SPL tokens on August 3. Ecosystem participants and security companies are helping to piece together how the incident unfolded.
Solana worked closely with Phantom and Slope.Finance, two SOL wallet providers whose users were affected by the vulnerability. It has since emerged that some of the compromised private keys were directly linked to Slope.
Blockchain auditing and security firms Otter Security and SlowMist assisted in the ongoing investigation and walked Cointelegraph through their findings in direct correspondence.
Robert Chen, founder of Otter Security, shared insights drawn from direct access to the impacted resources, in collaboration with Solana and Slope. Chen confirmed that a subset of the affected wallets had their private keys stored in plaintext on Slope's Sentry logging servers:
“The working theory is that the attacker somehow infiltrated these logs and was able to use this to hack users. This is still an ongoing investigation, and current evidence does not explain all compromised accounts.”
Chen also told Cointelegraph that about 5,300 further private keys that were not part of the exploit were found in the same Sentry instance. Nearly half of those addresses still hold tokens, and their owners are urged to move their funds if they have not already done so.
The SlowMist team reached a similar conclusion after being invited to analyze the Slope exploit. The team also noted that the Sentry service embedded in Slope Wallet collected the user's mnemonic and private key and sent them to o7e.slope.finance. Again, SlowMist could not find evidence explaining how the credentials were then stolen from that server.
Cointelegraph also reached out to Chainalysis, which confirmed it was conducting a blockchain analysis of the incident after sharing its initial findings online. The firm also noted that the exploit mainly affected users who had imported accounts to or from Slope.Finance.
While the findings shift the brunt of the blame away from Solana itself, the incident has highlighted the need for audit services aimed at wallet providers. SlowMist recommended that wallets be audited by several security companies before release and called for open-source development to increase security.
Chen said that some wallet providers have "flew under the radar" on security compared with decentralized applications. He hopes the incident will change how users view the relationship between wallets and validation by external security partners.