Solana exploit related to imported Slope Finance wallets, private keys revealed

As initially reported by CryptoSlate early hours of Wednesday morning, a significant exploit has caused thousands of crypto wallets to be drained of funds. The initial report was released as the incident was ongoing; however, a follow-up article revealed more information regarding the connection to Slope FInance.

Information is finally coming to light as to the origin of the exploit. Slope issued a statement on Wednesday evening advising all wallet owners to move any funds in wallets imported into Slope. The warning expanded on the advice to state that it does “not recommend using the same seed phrase on this new wallet that you had on Slope.”

Phantom, another Solana wallet that many users were using when funds were drained, made a statement identifying “complications related to importing accounts to and from Slope Finance.”

1/ Phantom has reason to believe that the reported exploits are due to complications related to importing accounts to and from @slope_finance.

We are still actively working to identify whether there may have been other vulnerabilities that contributed to this incident. https://t.co/W5B19gbMJX

— Phantom (@phantom) August 3, 2022

The Solana Status Twitter account, run by the Solana Foundation, also issued a statement confirming the relationship to the Slope mobile wallet.

After an investigation by developers, ecosystem teams, and security auditors, it appears affected addresses were at one point created, imported, or used in Slope mobile wallet applications. 1/2

— Solana Status (@SolanaStatus) August 3, 2022

In the Twitter thread, the Solana Foundation revealed that “private key information was inadvertently transmitted to an application monitoring service.”

The silver lining in a tragic tale is that the issue does not appear to be a blockchain or seed generation issue. A flaw in the Solana blockchain’s cryptographic proofs could have devastating effects on the entire crypto ecosystem. However, this no longer seems to be on the cards, and the Solana Foundation affirmed that “there is no evidence the Solana protocol or its cryptography was compromised.”

In a screenshot of logs from Moon Rank NFT, Foobar highlighted the possible inclusion of private keys and mnemonic phrases within a Slope API call. While the POST request appears to have been sent over SSL encryption, the fact that a seed phrase is included is troubling. A possible cause would have been a man-in-the-middle attack where a malicious actor can listen to communications between two parties to steal sensitive information.

MITM logs from @MoonRankNFT show the mnemonic being passed to Slope servers over POST requests. Wallet name purely coincidental pic.twitter.com/qL9C49ipvV

— foobar (@0xfoobar) August 3, 2022

Somewhat worryingly, users still declare that they “never used Slope in [their] life,” yet their wallets were still drained. Users have also reported Trust Wallet accounts being drained of funds, but these accounts are limited.

The total value lost from the exploit is as yet unknown, but figures as high as $580M have been reported as the wallet ” has been flagged on SolScan as being involved in the exploit with a balance of $570M. However, most of these funds are from the EXIST token, which is not tracked on either CoinMarketCap or CoinGecko, so the liquid amount exploited is more likely less than $10 million.

Binance founder and CEO, CZ, has also now recommended all users who have used wallets on Slope Finance move funds to a fresh wallet or to Binance if you do not understand the words “private key or seed phrase.”

If you used a Slope wallet (for SOL) in the past, move your funds to a different wallet ASAP. Do not “import” the old wallet. Use a new private key or seed phrase. If you don’t know those words mean, send your SOL to @binance. The easy way. https://t.co/t1lYcgaX5z

— CZ 🔶 Binance (@cz_binance) August 3, 2022