Experts find private keys on Slope servers, still puzzled over access


Blockchain auditing firms are still trying to figure out how hackers gained access to about 8,000 private keys used to drain Solana-based wallets. 

Investigations are ongoing after attackers managed to steal some $5 million worth of Solana (SOL) and Solana Program Library (SPL) tokens on Wednesday. Ecosystem participants and security firms are assisting in uncovering the intricacies of the event.

Solana has worked closely with Phantom and Slope.Finance, the two Solana-based wallet providers that had user accounts affected by the exploits. It has since emerged that some of the private keys that were compromised were directly tied to Slope.

Blockchain audit and security firms Otter Security and SlowMist assisted in ongoing investigations and unpacked their findings in direct correspondence with Cointelegraph.

Otter Security founder Robert Chen shared insights from first-hand access to affected resources in collaboration with Solana and Slope. Chen confirmed that a subset of affected wallets had private keys that were present on Slope’s Sentry logging servers in plaintext:

“The working theory is that an attacker somehow exfiltrated these logs and were able to use this to compromise the users. This is still an ongoing investigation, and current evidence does not explain all of the compromised accounts.”

Chen also told Cointelegraph that some 5,300 private keys that were not a part of the exploit were found in the Sentry instance. Nearly half of these addresses still have tokens in them — with users urged to move funds if they have not done so already.

The SlowMist team came to a similar conclusion after being invited by Slope to analyze the exploit. The team also noted that the Sentry service of Slope Wallet collected the user’s mnemonic phrase and private key and sent them to o7e.slope.finance. Once again, SlowMist could not find any evidence explaining how the credentials were stolen.
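The findings from Otter Security and SlowMist both come down to wallet secrets reaching a telemetry server in plaintext. The sketch below is an added example, not code from Slope, Sentry or either audit firm: a client-side scrubber shaped like the `before_send(event, hint)` callback that Sentry's SDKs accept, which redacts mnemonic-shaped and keypair-shaped values before an event leaves the device. The regular expressions, field names and sample event are assumptions constructed for illustration.

```python
import re

REDACTED = "[REDACTED]"
# A 64-byte keypair in base58 is 87-88 characters. Transaction signatures share
# that shape and get redacted too; 43-44 character public addresses are kept.
B58_KEYPAIR = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{86,88}\b")
# Keypair serialized as a JSON-style array of 32 to 64 byte values.
BYTE_ARRAY = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){31,63}\d{1,3}\s*\]")
# Heuristic: 12 to 24 consecutive lowercase words of 3-8 letters (BIP-39 shape).
MNEMONIC = re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b")
# Field names (assumed) whose whole value is dropped, e.g. a 32-byte seed that
# would otherwise look like an address.
SENSITIVE_KEY = re.compile(r"mnemonic|seed|secret|private", re.I)


def scrub(value, key=""):
    """Return a copy of value with anything resembling key material redacted."""
    if SENSITIVE_KEY.search(key):
        return REDACTED
    if isinstance(value, dict):
        return {k: scrub(v, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        if len(value) in (32, 64) and all(
            isinstance(b, int) and 0 <= b <= 255 for b in value
        ):
            return REDACTED  # raw seed or keypair bytes
        return [scrub(v) for v in value]
    if isinstance(value, str):
        for pattern in (B58_KEYPAIR, BYTE_ARRAY, MNEMONIC):
            value = pattern.sub(REDACTED, value)
    return value


def before_send(event, hint):
    """Scrub the outgoing event; runs on the client, before any network send."""
    return scrub(event)


# Constructed sample event (not real Slope telemetry); the phrase is the
# public BIP-39 test vector and the key strings are filler characters.
SAMPLE_EVENT = {
    "message": "import ok: " + " ".join(["abandon"] * 11 + ["about"]),
    "breadcrumbs": ["signer=" + "B" * 88, "kp=" + str(list(range(64)))],
    "extra": {"privateKey": "x" * 10, "raw": list(range(64)), "address": "A" * 44},
}

if __name__ == "__main__":
    print(before_send(SAMPLE_EVENT, {}))
```

Pattern-based scrubbing is a backstop: the mnemonic heuristic can miss or over-match, so the primary control is never passing key material to logging calls at all.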

Cointelegraph also reached out to Chainalysis, which confirmed that it was carrying out blockchain analysis on the incident after sharing initial findings online. The blockchain analysis firm also noted that the exploit mainly affected users that had imported accounts to or from Slope.Finance.

While the incident absolves Solana from bearing the brunt of the exploit, the situation has highlighted the need for auditing services of wallet providers. SlowMist recommended that wallets should be audited by multiple security companies before release and called for open source development to increase security.

Chen said that some wallet providers had “flown under the radar” when it came to security when compared to decentralized applications. He hopes to see the incident shift user sentiment toward the relationship between wallets and validation from external security partners.
