Blockchain audit firms are still trying to figure out how hackers gained access to about 8,000 private keys used to empty Solana-based wallets.
Investigations are ongoing after attackers managed to steal approximately $5 million worth of SOL and SPL tokens on August 3. Ecosystem participants and security companies are helping to uncover the details of the event.
Solana has worked closely with Phantom and Slope.Finance, the two SOL wallet providers whose user accounts were affected by the exploits. It has since been revealed that some of the compromised private keys were directly related to Slope.
Blockchain audit and security firms Otter Security and SlowMist assisted with ongoing investigations and explained their findings in direct correspondence with TBEN.
Otter Security founder Robert Chen, in partnership with Solana and Slope, shared first-hand insights into affected resources. Chen confirmed that a subset of affected wallets had private keys present in plain text on Slope’s Sentry log servers:
“The working theory is that an attacker somehow exfiltrated these logs and used them to compromise users. This is still an ongoing investigation and the current evidence does not explain all compromised accounts.”
Chen also told TBEN that some 5,300 private keys were found in the Sentry instance that were not part of the exploit. Nearly half of these addresses still hold tokens, and he urged their owners to move the funds if they have not already done so.
The SlowMist team came to a similar conclusion after being invited by Slope to analyze the exploit. The team also noted that Slope Wallet’s Sentry service collected the user’s mnemonic and private key and sent them to o7e.slope.finance. Again, SlowMist was unable to find any evidence explaining how the credentials were stolen.
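As an added illustration, not code from Slope, Sentry, or either firm quoted here, this is the kind of client-side guard that keeps a mnemonic or private key out of an error-reporting pipeline: a scrubber in the shape of Sentry's `beforeSend` hook that redacts secret fields before the SDK transmits an event. The field names, patterns and sample event are constructed assumptions.

```javascript
// Added example (not Slope's or Sentry's own code): a scrubber shaped like a
// Sentry `beforeSend` hook that redacts wallet secrets from an error event
// before it leaves the device. Field names, patterns and the sample event are
// constructed for illustration.

// Field names under which a wallet is likely to stash a secret.
const SECRET_KEY_NAMES = /^(mnemonic|seed|seed_?phrase|private_?key|secret_?key|keypair)$/i;
// 12- or 24-word lowercase phrase: looks like a BIP-39 mnemonic.
const MNEMONIC_RE = /^(?:[a-z]+ ){11}[a-z]+$|^(?:[a-z]+ ){23}[a-z]+$/;
// Base58 string the length of a 64-byte ed25519 keypair (secret + public).
const BASE58_KEYPAIR_RE = /^[1-9A-HJ-NP-Za-km-z]{86,88}$/;

// Returns a redacted deep copy of `value`; `stats.redacted` counts hits.
function scrub(value, key = "", stats = { redacted: 0 }) {
  if (SECRET_KEY_NAMES.test(key)) { stats.redacted++; return "[REDACTED]"; }
  if (typeof value === "string") {
    const s = value.trim();
    if (MNEMONIC_RE.test(s) || BASE58_KEYPAIR_RE.test(s)) { stats.redacted++; return "[REDACTED]"; }
    return value;
  }
  if (Array.isArray(value)) return value.map((v) => scrub(v, "", stats));
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrub(v, k, stats);
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Drop-in shape for Sentry.init({ beforeSend }): sanitize the event and flag
// that a secret reached telemetry at all, because the redaction is only a
// stopgap; the real fix is the call site that logged the value.
function beforeSend(event) {
  const stats = { redacted: 0 };
  const clean = scrub(event, "", stats);
  if (stats.redacted > 0) {
    console.warn(`beforeSend: redacted ${stats.redacted} secret field(s); fix the call site`);
  }
  return clean;
}

// Constructed sample event of the kind a wallet import path might emit.
const sampleEvent = {
  message: "wallet import failed",
  extra: { mnemonic: "abandon ".repeat(11) + "about", walletName: "main" },
  breadcrumbs: [{ category: "import", data: { secretKey: "base58-placeholder", count: 1 } }],
};
```

The warning is the detection signal: any redaction means a secret was handed to the logging layer, which is the defect to track down, not something to rely on the scrubber for.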
TBEN also contacted Chainalysis, which confirmed it was conducting blockchain analysis of the incident after sharing initial findings online. The blockchain analytics firm also noted that the exploit mostly affected users who had imported accounts to or from Slope.Finance.
While the findings spare Solana itself from bearing the brunt of the blame for the exploit, the situation has made it clear that wallet providers need independent security audits. SlowMist advised that wallets should be vetted by multiple security companies before release and called for open source development to increase security.
Chen said some wallet providers “have flown under the radar” when it comes to security compared to decentralized applications. He hopes the incident shifts user sentiment toward the relationship between wallets and validation by third-party security partners.