Auditors blame massive $4 million cryptocurrency heist on leaky logging technology

Blockchain auditors have suggested that a massive $4 million hack on several cryptocurrency wallet providers was caused by a misconfiguration in a widely used event-logging technology.

Cryptocurrency tokens Solana (SOL) and USD Coin (USDC) were among those stolen from Slope wallets by an unknown attacker, after the wallets were found to be leaking seedphrases in plaintext.

Seedphrases are strings of randomly generated words used to recover cryptocurrency wallets. They are considered secure, and only the owners are supposed to know what these strings are.

Blockchain auditors Zellic and OtterSec both published the findings from their respective investigations, which are still ongoing, with both focused on the Slope wallet. They concluded the issue stemmed from a misconfiguration in Sentry.

Sentry is an event-logging platform used by many websites and mobile apps in the industry, including the Slope wallet for iOS and Android. Other affected wallets include Phantom, Solflare, and TrustWallet.

Zellic said “any interaction in the app would trigger an event log. Unfortunately, Slope didn't configure Sentry to scrub sensitive info. Thus, [the seedphrases] were leaked to Sentry”.

Anyone with access to Sentry could access users’ private keys, OtterSec said, allowing them to recover wallets that don’t belong to them and transfer tokens to their own personal wallet.

Zellic’s analysis revealed Slope had only been using Sentry for one week before the breach was confirmed.

It also said it’s possible to scrub data that doesn’t need to be logged in Sentry via the platform’s software developer kit (SDK) or via server-side scrubbing.
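The SDK-side scrubbing mentioned above, as an added example in Python (not code from Slope, Sentry, Zellic or OtterSec): a hook with the `before_send(event, hint)` shape used by Sentry's Python SDK that masks secret-named fields and any string shaped like a recovery phrase before an event leaves the app. The key list, the phrase heuristic and the sample event are constructed assumptions.

```python
import re

# Field names masked regardless of their value (constructed list, an assumption).
SENSITIVE_KEYS = {"mnemonic", "seed", "seedphrase", "seed_phrase",
                  "private_key", "secret_key"}
# 12 to 24 consecutive short lowercase words: the shape of a wallet recovery phrase.
# This is a heuristic, not a wordlist check, so it can also mask ordinary
# lowercase sentences of that length. Over-masking is the safer failure here.
PHRASE_RE = re.compile(r"\b[a-z]{3,8}(?:\s+[a-z]{3,8}){11,23}\b")
MASK = "[Filtered]"


def scrub(value, key=None):
    """Recursively mask sensitive keys and phrase-shaped strings."""
    if key is not None and str(key).lower() in SENSITIVE_KEYS:
        return MASK
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return PHRASE_RE.sub(MASK, value)
    return value


def before_send(event, hint):
    """Would be passed as sentry_sdk.init(before_send=before_send)."""
    return scrub(event)


# Constructed 12-word phrase and simplified event, for illustration only.
SAMPLE_PHRASE = ("alpha bravo delta gamma kilo lima "
                 "mike oscar papa romeo sierra tango")
SAMPLE_EVENT = {
    "message": "wallet import failed",
    "extra": {"mnemonic": SAMPLE_PHRASE, "screen": "ImportWallet"},
    "breadcrumbs": {"values": [
        {"category": "http", "data": {"body": "phrase=" + SAMPLE_PHRASE}},
    ]},
}

if __name__ == "__main__":
    print(before_send(SAMPLE_EVENT, None))
```

The key-name match catches fields a developer labelled honestly; the phrase pattern catches the same secret when it arrives inside a request body or free-text message, which is the case a key list alone misses.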

Slope said many of the wallets belonging to its founders and staff were also drained in the attack.

OtterSec has been working with Slope since the attack began on Tuesday evening, with Slope providing logs to the auditor dating back to 28 July.

There is concern around a discrepancy between the wallet addresses confirmed to be affected by the hack and those that are present in Slope’s logs, OtterSec said.

“Approximately 1,400 of the addresses in the exploit were present in Sentry logs. Notably, this does not account for all the hacked addresses,” said OtterSec.

“Over 5,300 private keys which were not a part of the exploit were found in the Sentry instance. 2,358 of these addresses have tokens in them,” it added.

The findings suggest that there are thousands of additional wallets that contain cryptocurrency tokens and could currently be vulnerable to additional attacks from the still-unknown hacker.

Owners of a Slope wallet are strongly advised to transfer all tokens into a different method of storage as soon as possible, such as a hardware ledger or centralised exchange.

“We are actively conducting internal investigations and audits, working with top external security and audit groups,” said Slope in an official statement.

“We are working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify [the situation].

“We are still actively diagnosing, and are committed to publishing a full post-mortem, earning back your trust, and making this as right as we can.”

As of Wednesday, more than 9,000 wallets had been drained, with the number increasing.

Solana said it was conducting its own investigation into the incident, but “there is no evidence the Solana protocol or its cryptography was compromised”.

Numerous investigations from across the industry are still ongoing and more discoveries are likely to be revealed as these continue.

Connor Jones
News and Analysis Editor
