Slope Finance is a community-driven full-stack platform that consists of the sectors of DEX, Wallet, and NFTs built on Solana.

What happened

On August 2, 2022, an attacker drained 9229 wallets of approximately $4.1M worth of assets.

On-chain data showed that the malicious transactions were signed correctly and, therefore, the private wallet keys had been leaked or compromised. Solana Foundation claimed that no core code or anything related to Solana protocol itself was involved in the attack; it was isolated to the Slope Wallet provider.

The Slope Finance team published an extensive incident report. Surprisingly, even after intensive code and server audits, it was still impossible to explain the exploit incident conclusively.

Exploit Details

It was confirmed that the mobile version of the Slope Wallet application was collecting sensitive information (i.e., private keys) and transmitting it (over HTTPS/TLS) to the third-party monitoring service Sentry, where it was stored unencrypted in an access-secured central database. According to the report, the investigation showed that only 5,367 wallet private keys were stored in the database, and only 1,444 of them were actually drained by the attacker. There is no evidence that the remaining 7,785 wallets affected by the hack were ever stored in the Sentry database. Furthermore, there was no evidence of any unauthorized access to the server or of the transmission having been intercepted.
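The root cause described above is a logging/monitoring pipeline receiving secrets it should never see. The usual mitigation is to scrub events before the SDK ships them. The following is an added, illustrative example (not Slope's code and not part of the Sentry SDK): a pure scrubber that walks an event object and redacts fields by name, base58 strings of Solana secret-key length, 64-byte key arrays, and 12/24-word runs that look like a BIP39 mnemonic. The event shape, regex heuristics, and the sample event are all assumptions constructed for this example; the Sentry `beforeSend` hook it would plug into is real, but only shown in a comment.

```javascript
// Added example: a beforeSend-style scrubber for a wallet app's error reports.
// The event shape and all sample data below are constructed for illustration.

// Field names that should never leave the device, whatever their value.
const SENSITIVE_KEY = /(secret|private|mnemonic|seed|keypair|passphrase)/i;
// A Solana keypair secret key is 64 bytes; base58-encoded that is 87-88 chars.
const BASE58_SECRET = /^[1-9A-HJ-NP-Za-km-z]{86,90}$/;
// A run of 12 or 24 lowercase words is treated as a possible BIP39 mnemonic.
const MNEMONIC_RUN = /\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b/g;

const REDACTED = "[REDACTED]";

// Uint8Array / number[] of exactly 64 bytes: the common serialized form of
// a Solana Keypair.secretKey (assumption: keys are not stored in other shapes).
function looksLikeByteKey(value) {
  return (
    (value instanceof Uint8Array || Array.isArray(value)) &&
    value.length === 64 &&
    Array.from(value).every((b) => Number.isInteger(b) && b >= 0 && b <= 255)
  );
}

// Recursively returns a scrubbed copy of `value`; `stats.redacted` counts hits.
function scrubValue(value, keyName, stats) {
  if (keyName !== undefined && SENSITIVE_KEY.test(keyName)) {
    stats.redacted++;
    return REDACTED;
  }
  if (typeof value === "string") {
    if (BASE58_SECRET.test(value)) {
      stats.redacted++;
      return REDACTED;
    }
    let hit = false;
    const cleaned = value.replace(MNEMONIC_RUN, () => {
      hit = true;
      return REDACTED;
    });
    if (hit) stats.redacted++;
    return cleaned;
  }
  if (looksLikeByteKey(value)) {
    stats.redacted++;
    return REDACTED;
  }
  if (Array.isArray(value)) {
    return value.map((v) => scrubValue(v, undefined, stats));
  }
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k, stats);
    return out;
  }
  return value;
}

// Entry point: returns the scrubbed event plus how many redactions were made,
// so the count can be metered (a non-zero rate is itself a bug signal).
function scrubEvent(event) {
  const stats = { redacted: 0 };
  const scrubbed = scrubValue(event, undefined, stats);
  return { event: scrubbed, redacted: stats.redacted };
}

// How this would be wired into the Sentry JavaScript SDK (not executed here):
//   Sentry.init({ dsn: "...", beforeSend: (event) => scrubEvent(event).event });

// Constructed sample event resembling what a wallet app might attach by accident.
const SAMPLE_EVENT = {
  message:
    "imported mnemonic: abandon abandon abandon abandon abandon abandon " +
    "abandon abandon abandon abandon abandon about",
  extra: {
    wallet: {
      publicKey: "11111111111111111111111111111111", // a public id, fine to log
      secretKey: "not-a-real-key", // caught by field name
    },
    rawKey: new Array(64).fill(7), // caught by 64-byte shape
  },
  breadcrumbs: [
    { category: "import", data: { blob: "5".repeat(88) } }, // caught by base58 length
  ],
};

function demo() {
  return scrubEvent(SAMPLE_EVENT);
}

console.log(JSON.stringify(demo(), null, 2));
```

The scrubber deliberately over-matches: any 12- or 24-word lowercase sentence is redacted too, which is the right trade-off for a wallet's telemetry. The returned `redacted` count is worth exporting as a metric, since an app that never handles secrets in its error paths should report zero.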

Therefore, the investigation remains inconclusive, and Slope Finance planned further actions, such as interviews with potentially affected users who had never used Slope Wallet on a mobile device or whose pubkey does not appear in the Slope Sentry database. No further results had been published at the time of this writing.

In simple words, we don't really know what exactly happened. Unlike the Wormhole hack or the Mango exploit, where everything was clear in the aftermath, Slope's mystery remains unsolved. Slope keeps claiming that the problem was on the Sentry side, where the sensitive data wasn't properly encrypted and protected.
