Blockchain analysis firms involved in the Solana exploit investigation reveal the latest developments as teams try to figure out how the private keys were stolen.
Blockchain audit firms are still trying to figure out how hackers gained access to the roughly 8,000 private keys used to drain Solana-based wallets.
The investigation continues after attackers managed to steal about $5 million worth of Solana (SOL) and Solana Program Library (SPL) tokens on Wednesday. Ecosystem participants and security firms are helping to piece together the details of the event.
Solana worked closely with Phantom and Slope.Finance, two Solana-based wallet providers whose users were affected by the exploit. It has since been revealed that some of the compromised private keys were directly related to Slope.
Blockchain audit and security firms Otter Security and SlowMist have assisted with the ongoing investigation and shared their findings directly with Cointelegraph.
Robert Chen, founder of Otter Security, was given direct access to the affected resources while working with Solana and Slope. Chen confirmed that a subset of the affected wallets had private keys present in plaintext on Slope's Sentry logging servers:
“The working theory is that the attacker somehow filtered these logs and could use them to compromise users. This is still an ongoing investigation and the available evidence does not explain all compromised accounts.”
Chen also told Cointelegraph that around 5,300 private keys were found in the Sentry instance that were not part of the exploit. Almost half of these addresses still hold tokens, so users are strongly advised to transfer their funds if they have not already done so.
The SlowMist team came to a similar conclusion after being invited by Slope to analyze the exploit. The team also found that the Slope wallet's Sentry service collected the user's mnemonic phrase and private key and sent them to o7e.slope.finance. Again, SlowMist was unable to find any evidence explaining how the credentials were then stolen.
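The root cause both firms describe is wallet secrets riding along in error-tracking events. The following is an added example, not Slope's or Sentry's code, of a client-side scrubber that redacts mnemonic phrases and Solana secret keys from a telemetry event before it leaves the device; the event shape and all sample values are constructed, and `beforeSend` is Sentry's real hook name for such a filter (the stronger fix is to never attach wallet state to telemetry at all).

```javascript
// Added example (not Slope's or Sentry's code): redact wallet secrets from a
// telemetry event before it is sent. Event fields below are constructed.
const SECRET_KEYS = /^(mnemonic|seed(phrase)?|private[_-]?key|secret[_-]?key)$/i;
// 12 or 24 lowercase words: the shape of a BIP-39 mnemonic phrase
const MNEMONIC_RE = /^(?:[a-z]+ ){11}[a-z]+$|^(?:[a-z]+ ){23}[a-z]+$/;
// Base58-encoded 64-byte Solana secret key is 87 or 88 characters long
const BASE58_KEY_RE = /^[1-9A-HJ-NP-Za-km-z]{87,88}$/;

function looksLikeSecret(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  return MNEMONIC_RE.test(v) || BASE58_KEY_RE.test(v);
}

// Recursively copy `node`, replacing secret-looking leaves with a marker.
// The original event object is left untouched.
function scrub(node) {
  if (Array.isArray(node)) {
    // A 64-element byte array is the raw form of a Solana keypair
    const isByte = (b) => Number.isInteger(b) && b >= 0 && b < 256;
    if (node.length === 64 && node.every(isByte)) return '[REDACTED:keypair-bytes]';
    return node.map(scrub);
  }
  if (node && typeof node === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(node)) {
      // Redact by field name first, then by the value's shape
      out[k] = SECRET_KEYS.test(k) ? '[REDACTED]' : scrub(v);
    }
    return out;
  }
  return looksLikeSecret(node) ? '[REDACTED]' : node;
}

// Drop-in for an error tracker's filter hook, e.g. Sentry.init({ beforeSend: scrubEvent })
function scrubEvent(event) {
  return scrub(event);
}

// Constructed sample event. The mnemonic is the public BIP-39 test vector, not a live wallet.
const sampleEvent = {
  message: 'import failed',
  extra: {
    mnemonic: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
    lastInput: 'abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about',
    keypair: new Array(64).fill(7),
    network: 'mainnet-beta',
  },
};
```

Running `scrubEvent(sampleEvent)` redacts `mnemonic` by field name, `lastInput` by its 12-word shape and `keypair` by its 64-byte shape, while `message` and `network` pass through unchanged.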
Cointelegraph also reached out to Chainalysis, which confirmed it was conducting blockchain analysis of the incident after sharing initial results online. The blockchain analysis company also noted that the exploit mainly affected users importing accounts to or from Slope.Finance.
While the incident absolves Solana of liability for the exploit, the situation highlighted the need for audits of wallet providers' services. SlowMist recommended that wallets be vetted by multiple security companies before release and called for open-source development to improve security.
Chen said that some wallet providers are “out of the picture” in terms of security compared to decentralized applications. He hopes the incident will change the way users think about the relationship between wallets and verification by third-party security partners.