Solana Wallet Slope Says no Evidence Linking Security Flaw to $4 Million Hack
Solana mobile wallet provider Slope Finance, said to be responsible for the recent multi-million dollar incident, has admitted to a security vulnerability while adding that there is no evidence linking the security flaw to the hack.
This is despite the fact that Solana Labs researchers have fingered the wallet provider’s security lapses as the cause of the over $4 million hack that occurred earlier in August.
Slope issued a statement on Thursday (August 11, 2022), revealing details of its own investigation into the matter. This was done in collaboration with cybercrime company TRM and auditors OtterSec and SlowMist.
According to Slope, there is “no conclusive evidence” linking the vulnerability in its system to the hack. Slope stated that only 1,444 of its wallet addresses were confirmed to be drained during the attack.
However, there are 9,232 affected wallet addresses, as stated in multiple reports about the hack and collated in this Dune Analytics dashboard.
Slope’s statement added that the security vulnerability was behind an encrypted server. Access to this server also required a three-factor authentication protocol. The wallet service did admit that such a vulnerability should not have existed in the first place.
Solana Labs researchers earlier pointed to a flaw in Slope’s security architecture. This flaw saw wallet seed phrases being stored in plain text. Seed phrases in crypto are mnemonic strings of 12 or 24 words that are generated when a user creates a wallet. This phrase is needed to access funds in the wallet.
“We found no additional vulnerabilities during the investigation and intense scrutiny by multiple parties,” Slope stated in today’s blog post, adding that “therefore, we believe the latest patched version of Slope Wallet is safe to use. The Slope team will continue to obtain regular audit reports and work with security professionals on a rolling basis.”
September 2, 2022