On August 2nd around 3pm PST, the Solana community suffered an unfortunate hacking incident. What started off as a few members affected, quickly expanded into a widespread exploit that compromised thousands of members’ wallets. On-chain data shows that the hacker continued stealing funds from 2022/08/02 15:00:00 to 2022/08/03 14:00:00 (PST) for a span of 23 hours.
According to SolScan, there were 4 addresses associated with the hacker. The hacker initiated 18,100 transfers and pocketed a total of $5.37 million from 10,630 wallets. Incident reports show that the top 5 compromised wallets each lost over $80,000 in the hack, with the highest compromised amount being $488,863.39 from a single wallet.
Initially, when news of the exploit broke out, there were several speculations floating around. Some hypothesized that it was a Solana network vulnerability, and some guessed it was a Phantom wallet issue. However, what was bizarre was that a few Ethereum users also had their ERC-20 tokens drained. Solana took a survey of affected users and found that 60% used Phantom and 40% used Slope. It was later concluded that all Phantom users had at one point imported their seed phrase to Slope.
One affected owner of the 4th most compromised wallet (BbKBQygTo1z453ATthSssKM5kq3Pzhmd5Sgn5NDyYgZ5) spoke to us about how he came to be affected: “I imported my Phantom seed phrase onto the Slope mobile app months ago to test out a dApp, as Phantom didn’t have mobile support at the time. While this was my only interaction with Slope, it was sufficient for the hacker to exploit it. I’m so upset and really regret storing that much money in my hot wallet. Then again, I never expected something like this to happen.”
Slope had a bug in their code which caused them to dump logs to Sentry (an error monitoring system) which included wallet seed phrases. These logs were stored on Sentry servers in plaintext. The duration of the attack suggests that it was a manual process, meaning the hacker entered seed phrases one by one to access user funds. A script would have drained wallets in a shorter amount of time. (Reference: https://twitter.com/osec_io/status/1555087560887922688?s=20&t=DaUoHltpgZxCKTah2bZU2A)
Traditional wallets like Slope are prone to a single point of failure, such as a seed phrase being leaked. One way to avoid these hacks is using cold storage (hardware wallets). Another alternative is by using a multisignature signing scheme like Cashmere. In a multisig signing scheme, several wallets need to “approve” a transaction before the funds move. This removes a single point of failure, resulting in a safer solution.
Cashmere’s co-founder Charlotte echos: “Crypto began as a space of highly technical people who are comfortable with encryption and hardware wallets. However, as it’s gained more mainstream adoption, we’re seeing a hugely unmet need for secure solutions for less technical people. Many of the popular browser extension wallets today have a great UX, but they leave people vulnerable to a single point of failure. With Cashmere, we’re building solutions so that people of all technical backgrounds can self-custody their funds in a secure and user-friendly way.”
