4th August 2022 > > Slope hot wallet.
tl;dr
Hot wallet Slope has a core vulnerability.
Market Snap
Market Wrap
MicroStrategy stock jumped over 12% following news of Michael Saylor’s step up being Executive Chairman. Much more of that and the massive overhang of shorts will be nervously eyeing levels for when their compatriots might be getting close to stop-loss levels.
Curious Cryptos’ Commentary – Slope wallet attack
Over the last couple of days there have been reports that many thousands of Solana wallets have been drained of funds since Tuesday night. Solana is a Layer 1 blockchain whose native token is SOL.
The wallets affected were hot wallets Slope and Phantom with around 9,000 of them in total now having been compromised. As a quick reminder, hot wallets are online wallet applications (PC, Mac, mobile etc) that interact directly with other crypto applications, decentralised or otherwise.
The coins stolen were SOL, USDC, and other Solana-based coins to a total value of an estimated $7mm to the following four wallets:
Initial thoughts centred on there being a bug in the Solana code, which given a market cap of SOL as $14bn could have proved to be a huge problem. However, investigations quickly focussed on potential problems with the two hot wallets themselves.
It is now believed that the Slope mobile wallet application (which had been used by some Phantom wallet holders to create private seeds that were later imported into Phantom) is the source of the vulnerability. As explained on the Solana twitter feed:
“After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications.”
Twitter user Zellic explains this theory in more detail:
“3/ First, let's talk about Sentry. Sentry is an event logging platform used for reporting errors in apps. If a certain event occurs in the app, a request containing the details & environment is logged to the company's Sentry. Many companies use Sentry on websites & mobile.
“4/ The Slope Wallet for iOS and Android uses Sentry for event logging. Any interaction in the app would trigger an event log. Unfortunately, Slope didn't configure Sentry to scrub sensitive info. Thus, mnemonics were leaked to Sentry”
Remarkably he then provides this (unaudited) screen shot:
What this appears to show is that when users of Slope set up their wallets initially, the seed phrase used to generate the private key for that wallet was transmitted to the servers at Slope and stored there on a centralised database as plain text.
If this explanation - which is gaining ground and credibility - is true, this is quite an extraordinary vulnerability. An attacker who gained access to Slope’s servers had access to many thousands of private keys and has used those private keys to drain wallets of their funds.
…
If you are a user of either a Slope wallet, or a private key generated by Slope and imported into another wallet, you must move your funds to a new wallet with a seed phrase generated by any source other than Slope.
You must do it now.
…
Meanwhile, this is another salutary lesson in keeping your crypto funds safe.
The Curious Cryptos’ Training Course (https://www.curiouscryptos.com/cccourses) explains all the different types of wallets and their benefits and drawbacks.
It also describes how to set up and use our favoured option, a Ledger Nano cold wallet.
I understand that hot wallets make interaction in the crypto space relatively quick and easy, and this makes for an attractive proposition. I do not use them on a stand-alone basis because of potential problems like the one we see above.
As a bare minimum, you should have 90% of your crypto funds stored on your Ledger Nano. Buy one today directly from Ledger or from Amazon. You should also use your Ledger in conjunction with MetaMask to interact with any decentralised finance (DeFi) application.
If you have any problems or questions about setting up and using Ledger Nano, the CCC team is ready and willing to help you.
…
An alternative is to store your crypto funds on a well-recognised centralised exchange such as Binance or Coinbase, both of which have insurance against fraud and theft.
In theory this is fine, but insurance litigation is always a very lengthy and costly process – large scale theft from either of those exchanges will take years to settle, which is not an ideal scenario if you wish to manage your crypto holdings in any shorter time frame.
There is also the issue that if the exchange on which you store your funds is declared bankrupt, at best you will rank as an unsecured creditor. Again, any recovery value will not be paid to you for years to come.
Recent Posts
See Alltl;dr What with all the excitement of nearly breaching $90k, let’s step back a little from the micro, and look at a couple of macro...
tl;dr Five new ATHs in five days is not a bad run. A key piece of advice to take note of if you decide to realise some early profits from...
tl;dr Does another new ATH suggest an imminent Banana Zone? Resident techie Larry provides his insights for the CC community. Market Snap...
Comments