The newest steps in the Solana exploit investigation are being unpacked by blockchain analysis companies as teams work to determine how private keys were taken.
About 8,000 private keys used to deplete Solana-based wallets were obtained by hackers, and blockchain auditing companies are still trying to determine how they did it.
Investigations are still going on after thieves managed to take SOL and SPL tokens worth about $5 million on August 3. Participants in the ecosystem and security companies are helping to unravel the details of the incident.
The two SOL wallet providers, Phantom and Slope.Finance, whose users’ accounts were affected by the attacks, have collaborated extensively with Solana. It has since come to light that some of the compromised private keys were directly connected to Slope.
Otter Security, SlowMist, and other blockchain audit and security companies provided support for ongoing investigations.
Robert Chen, the creator of Otter Security, collaborated with Solana and Slope to share insights gained from personal access to the affected resources. Chen stated that some compromised wallets contained private keys that were stored in plaintext on Slope’s Sentry logging servers:
“The working theory is that an attacker somehow exfiltrated these logs and were able to use this to compromise the users. This is still an ongoing investigation, and current evidence does not explain all of the compromised accounts.”
Approximately 5,300 private keys that were not used in the hack were also found in the Sentry instance, according to Chen. Over half of these addresses still hold tokens, so their owners are advised to move their funds if they have not already done so.
After being asked by Slope to examine the exploit, the SlowMist team reached a similar conclusion. The team also observed that users’ private keys and mnemonic phrases were collected by Slope Wallet’s Sentry service and transmitted to o7e.slope.finance. SlowMist likewise could not find any evidence showing how the credentials were obtained from there.
After posting its preliminary findings online, Chainalysis confirmed that it was conducting a blockchain investigation of the incident. The blockchain analysis company also pointed out that individuals who had imported accounts to or from Slope.Finance were the most affected by the exploit.
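The failure mode described above is key material reaching a third-party logging service in plaintext. As an added example that is not code from Slope, Solana, SlowMist or Sentry, the scrubber below redacts secrets from a telemetry event on the client before it is sent; it assumes the app wires `scrubEvent` into the Sentry SDK’s `beforeSend` option, which lets an application inspect and rewrite each event before transmission.

```javascript
// Added example: redact wallet secrets from a telemetry event before it leaves the client.
// Assumed usage (not shown here): Sentry.init({ beforeSend: scrubEvent, ... }).

// Field names that should never be shipped, whatever their value looks like.
const SECRET_KEY_NAMES = /^(private_?key|secret_?key|mnemonic|seed(_?phrase)?|keypair)$/i;
// A 64-byte ed25519 keypair (Solana's secret key format) is 87-88 chars in base58
// and 128 chars in hex.
const BASE58_KEYPAIR = /\b[1-9A-HJ-NP-Za-km-z]{86,88}\b/;
const HEX_KEYPAIR = /\b[0-9a-fA-F]{128}\b/;
// A BIP39 phrase: 12 or 24 lowercase words separated by single spaces.
const MNEMONIC_12_OR_24 = /^(?:[a-z]{3,8} ){11}[a-z]{3,8}$|^(?:[a-z]{3,8} ){23}[a-z]{3,8}$/;

const REDACTED = '[REDACTED]';

// Value-shape check, used for secrets that land under an innocent-looking key.
function looksLikeSecret(value) {
  return BASE58_KEYPAIR.test(value) || HEX_KEYPAIR.test(value) || MNEMONIC_12_OR_24.test(value.trim());
}

// Walk the event recursively; strings are redacted by key name or by value shape.
// Returns a new object so the caller's original is left untouched.
function scrub(node, keyName = '') {
  if (typeof node === 'string') {
    return SECRET_KEY_NAMES.test(keyName) || looksLikeSecret(node) ? REDACTED : node;
  }
  if (Array.isArray(node)) return node.map((item) => scrub(item, keyName));
  if (node && typeof node === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(node)) out[k] = scrub(v, k);
    return out;
  }
  return node;
}

// beforeSend-compatible signature: return the scrubbed event (returning null would drop it).
function scrubEvent(event) {
  return scrub(event);
}

// Constructed sample event of the kind a wallet app might emit on an import error.
// The secret-looking values are fake and only shaped like real key material.
const sampleEvent = {
  message: 'import failed for wallet',
  extra: {
    mnemonic: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
    keypairHex: 'ab'.repeat(64),
    userId: 'user-1234',
  },
};
```

Shape-based matching is a backstop, not a guarantee; the durable fix is to keep key material out of any object that is ever handed to a logger.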
While the incident largely clears the Solana network itself of blame for the exploit, it has drawn attention to the need for wallet providers to undergo security audits. According to SlowMist, wallets should be audited by several security companies before release; SlowMist also urged open-source development to improve security.
Chen claimed that certain wallet providers have “flown under the radar” on security compared to decentralized applications. He hopes the incident will change how users view the relationship between wallets and validation from outside security partners.