https://nitter.net/Zellic_io/status/15549361432206172161/
First, the following theories are considered very unlikely and entirely rejected:
- issues in Solana core
- issues in SPL token
- crypto issues (e.g. weak RNGs)
- widespread user devices compromise
- supply chain (compromised libraries)
2/ In the war room, we first hypothesized that wallets may be leaking mnemonics or private keys to Sentry.
After further investigation with the community, this is what we found:
3/ First, let's talk about Sentry.
Sentry is an event logging platform used for reporting errors in apps.
If a certain event occurs in the app, a request containing the details & environment are logged to the company's Sentry.
Many companies use Sentry on websites & mobile.
4/ The Slope Wallet for iOS and Android uses Sentry for event logging.
Any interaction in the app would trigger an event log.
Unfortunately, Slope didn't configure Sentry to scrub sensitive info. Thus, mnemonics were leaked to Sentry.
s/o to @sniko_ for this screenshot:
https://pbs.twimg.com/media/FZQ-MU6VQAAHh0a?format=jpg&name=4096x4096
5/ However, Slope has been using Sentry for only 1 week now.
**Hypothetically**, an attacker *with access to Sentry* could go through event logs and steal the thousands of mnemonics leaked in the past week
Then drain thousands of wallets.
~
https://nitter.net/osec_io/status/1555087555351420928
We have independently confirmed that Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server.
-
These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys.
-
Slope has been very helpful in sharing data related to the hack. We received the database 4:45 PM UTC August 3rd and immediately began our investigation. The Sentry logs spanned between July 28th and August 3rd.
-
Approximately 1,400 of the addresses in the exploit were present in Sentry logs. Notably, this does not account for all the hacked addresses.
We are still investigating this discrepancy and possible other vectors.
-
Over 5,300 private keys which were not a part of the exploit were found in the Sentry instance. 2,358 of these addresses have tokens in them. If you used Slope, PLEASE MOVE YOUR FUNDS
My question is: why are wallets backing up users' recovery phrases in a log file? Yeah, it got compromised somehow, that's how hackers got those files, but why is the wallet doing this in the first place?
It is because Slope Wallet is a shitty wallet. The fact it's closed-source should be enough reason to stay away from those kinds of wallets.
And to be precise, the wallet does not back up the seed phrase into a log file; instead, it is a lack of due diligence from their developers, who did not put enough effort into wholly comprehending what the freaking third-party software (Sentry) does inside their app. As a result, users' funds were stolen.
Considering that the two referenced Twitter accounts, which are blockchain audit companies, do indeed indicate the main issue, an interesting take is this:
**Hypothetically**, an attacker *with access to Sentry* could go through event logs and steal the thousands of mnemonics leaked in the past week
User seed phrases are logged into the log file, which is being sent to a centralized server owned/managed by Slope. By that fact, who else could access it and compromise the main issue of a leaked seed phrase?
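The scrubbing the thread says Slope never configured would normally live in the SDK's `beforeSend` hook. As an added example (not Slope's code and not Sentry's own), here is such a hook for the Sentry JavaScript SDK that redacts wallet secrets from an event before it leaves the device; the event shape, the key names and the mnemonic/base58 heuristics are assumptions.

```javascript
// Added example, not Slope's or Sentry's own code: a beforeSend hook that
// redacts wallet secrets from a Sentry event before it leaves the device.
// Key names, event shape and the regex heuristics below are assumptions.
const REDACTED = "[redacted]";

// Keys whose values are secrets regardless of content (assumed names)
const SENSITIVE_KEYS = /^(mnemonic|seed(_?phrase)?|recovery_?phrase|private_?key|secret_?key)$/i;
// Heuristic: 12 to 24 lowercase words in a row is the shape of a BIP39 mnemonic.
// Long lowercase sentences also match; over-redaction is the safe failure mode.
const MNEMONIC_RE = /\b(?:[a-z]+ ){11,23}[a-z]+\b/g;
// Heuristic: 64+ base58 characters is the shape of a serialized Solana secret key.
const BASE58_SECRET_RE = /\b[1-9A-HJ-NP-Za-km-z]{64,}\b/g;

function scrubString(s) {
  return s.replace(MNEMONIC_RE, REDACTED).replace(BASE58_SECRET_RE, REDACTED);
}

// Walks the event recursively and returns a scrubbed copy (input is not mutated).
function scrubObject(value, depth = 0) {
  if (typeof value === "string") return scrubString(value);
  if (value === null || typeof value !== "object" || depth > 16) return value;
  if (Array.isArray(value)) return value.map((v) => scrubObject(v, depth + 1));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    out[k] = SENSITIVE_KEYS.test(k) ? REDACTED : scrubObject(v, depth + 1);
  }
  return out;
}

// Matches the Sentry JS SDK beforeSend signature: (event, hint) => event | null.
// Wire it up with:
//   Sentry.init({ dsn: "<your DSN>", sendDefaultPii: false, beforeSend: scrubEvent });
function scrubEvent(event, _hint) {
  return scrubObject(event);
}

// Constructed sample event resembling what a wallet-restore error might attach
const SAMPLE_EVENT = {
  message: "wallet import failed",
  extra: {
    mnemonic: "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
    debug: "raw bytes " + "3yZe7d".repeat(15),
    userAgent: "ExampleWallet/1.0 (iOS)",
  },
  breadcrumbs: [
    { message: "restore: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about" },
  ],
};
```

Running `scrubEvent(SAMPLE_EVENT)` leaves the error message and user agent intact while the mnemonic field, the base58 blob and the breadcrumb text all come back as `[redacted]`; dropping the event entirely by returning `null` is the stricter option when a secret is detected.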