Analysis of large-scale theft of Solana

SlowMist
3 min readAug 4, 2022

--

Background overview

On August 3, 2022, A large-scale incident of currency theft occurred on Solana, and a large number of users transferred SOL and SPL tokens without their knowledge. The SlowMist security team tracked and analyzed this incident, checked from on-chain behaviour to off-chain applications one by one and make new progress.

The Slope wallet team invites the SlowMist security team to analyze and follow up, After continuous follow-up and analysis, the data provided by the Solana foundation shows that nearly 60% of the stolen users use the Phantom wallet, about 30% of the addresses use the Slope wallet, and the rest use the Trust wallet, etc., and both iOS and Android versions of the application are used. There are corresponding victims, so we began to focus on analyzing the possible risk points of wallet applications.

Analytical Process

When analyzing Slope Wallet(Android, Version: 2.2.2), we found that Slope Wallet(Android, Version: 2.2.2) uses sentry’s service, The sentry is a widely used service, sentry runs on “o7e. slope.finance”, The sentry’s service collecting sensitive data such as mnemonics and private keys from Slope Wallet and sent to “https://o7e.slope.finance/api/4/envelope/" when creating a wallet.

We continue to analyze Slope Wallet, we found that the sentry service in the package with Version: >=2.2.0 will collect the mnemonic and send the mnemonic to “o7e.slope.finance”, while Version: 2.1.3 not find any obvious behavior of collecting mnemonics or private keys.

Slope Wallet historical version download:
https://apkpure.com/cn/slope-wallet/com.wd.wallet/versions

Slope Wallet(Android, >= Version: 2.2.0) was released after 2022.06.24, so users who use Slope Wallet(Android, >= Version: 2.2.0) after 2022.06.24 are affected, but according to Some of the victims reported that they were never heard of Slope Wallet and did not use Slope Wallet.

Then according to the statistics of the Solana foundation, about 30% of the mnemonic of the victim’s address may be collected by the Slope Wallet (Version: >=2.2.0) sentry service and sent to the “https://o7e.slope. finance/api/4/envelope/”.

But another 60% of the stolen users were using Phantom Wallet. How did these victims get stolen? After analyzing the Phantom (Version: 22.07.11_65) wallet, it was found that Phantom (Android, Version: 22.07.11_65) also used the sentry service to collect user information, but did not find any obvious behavior of collecting mnemonics or private keys . (The security risk of the historical version of Phantom Wallet is still being analyzed by the SlowMist security team)

Some questions

The SlowMist security team is still collecting more information to analyze the reason why the other 60% of the stolen users were hacked. If you have any ideas, welcome to discuss together, and hope to contribute to the Solana ecosystem together. The following are some questions in the analysis process:

1. Is sentry’s service collecting user wallet mnemonics a common security issue?

2. Phantom uses the sentry service, will the Phantom wallet be affected?

3. What is the reason for the other 60% of stolen users being hacked?

Reference Information

Attacker addresses:
Htp9MGP8Tig923ZFY7Qf2zzbMUmYneFRAhSp7vSg4wxV
CEzN7mqP9xoxn2HdyW6fjEJ73t7qaX9Rp2zyS6hb3iEu
5WwBYgQG6BdErM2nNNyUmQXfcUnB68b6kesxBywh1J3n
GeEccGJ9BEzVbVor1njkBCCiqXJbXVeDHaXDCrBDbmuy

Victim address:

https://dune.com/awesome/solana-hack

Solana foundation statistics:

https://www.odaily.news/newsflash/294440

https://solanafoundation.typeform.com/to/Rxm8STIT?typeform-source=t.co

https://docs.google.com/spreadsheets/d/1hej7MnhI2T9IeyXpnESmMcIHwgxGucSGUxQ5FqHB9-8/edit#gid=1372125637 (Need to request access)

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.