Slope Wallet Likely Caused Solana Exploit, Hacken CEO Comments
- Solana’s Twitter account blamed the Slope wallet software
- The hack is further evidence that online asset storage is in danger
It has been confirmed that the wallets affected in the Solana hack were either used or created in Slope mobile wallet apps. Solana’s Twitter account blamed the wallet software and not its own code for the exploit.
Slope developers stated that "a wallet cohort" had been compromised, but didn’t confirm whether there was involvement of private key storage practices. A Slope representative told CoinDesk, "we are not storing any personal data on centralized servers."
Below is a comment on the Solana hack by Hacken CEO Dmytro Budorin, exclusively shared with Bankless Times.
Online asset storage is in danger
The hack of Solana ecosystem hot wallets is yet another piece of evidence that online asset storage is in danger. With wallets like Phantom, Slope, and TrustWallet being hacked, it is clear that this is a wide-scale attack.
So far, we know about 8,000 victims who lost $6 million. While investigations into the attack didn’t find the exact cause, we are dealing with a wallet vulnerability that leaks private keys, not a smart contract vulnerability or a Solana blockchain attack.
Several suggestions regarding bugs in digital signature algorithms, supply chain attacks, and vulnerable code library dependencies have been made.
Cold wallets were unaffected
The hack didn’t target a single wallet provider or OS (mobile, desktop, iOS, android). Cold wallets seem to be unaffected. SOL and SPL transfers were signed by the fund owners, meaning something has resulted in mass compromise of private keys.
Wallets that had been inactive for 6 months suffered the most, indicating that the attacker wanted to fly under the radar and maximize the grab. The attacker must have compromised a third party that ceded permissions to sign off on mass transactions.
Budorin's prediction manifests
When analyzing the Wormhole incident in February, I warned that it was just a matter of time before other big non-Ethereum protocols experienced severe attacks. As we see, the time has come.
While this exploit model is very common, projects can predict and protect their users from such attacks.
Budorin concludes this will require a very innovative predictive tool that can be embedded into projects. He believes developers can also find a way to address the inconvenience of storing assets in a cold wallet and using them for transactions on dApps.