Auditors blame massive $4 million cryptocurrency heist on leaky logging technology

Investigators raised concern over the thousands of vulnerable wallets containing Solana, USDC and other tokens

Blockchain auditors have suggested that a massive $4 million hack affecting several cryptocurrency wallet providers stemmed from a misconfiguration in a widely used event-logging technology.

Cryptocurrency tokens Solana (SOL) and USD Coin (USDC) were among those stolen from Slope wallets by an unknown attacker, after the wallets were found to be leaking seedphrases in plaintext.

Seedphrases are strings of randomly generated words used to recover cryptocurrency wallets. They are considered secure, and only the owners are supposed to know what these strings are.

Blockchain auditors Zellic and OtterSec both published the findings from their respective investigations, which are still ongoing, with both focused on the Slope wallet. They concluded the issue stemmed from a misconfiguration in Sentry.

Sentry is an event-logging platform used by many websites and mobile apps in the industry, including the Slope wallet for iOS and Android. Other wallets also affected include Phantom, Solflare, and TrustWallet.

Zellic said “any interaction in the app would trigger an event log. Unfortunately, Slope didn't configure Sentry to scrub sensitive info. Thus, [the seedphrases] were leaked to Sentry”.

Anyone with access to Sentry could access users’ private keys, OtterSec said, allowing them to recover wallets that don’t belong to them and transfer tokens to their own personal wallet.

Zellic’s analysis revealed Slope had only been using Sentry for one week before the breach was confirmed.

It also said it is possible to scrub data that does not need to be logged in Sentry, either in the app via the platform's software development kit (SDK) or through server-side scrubbing.
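As an added illustration of the SDK-side scrubbing the auditors describe (example code, not from the article, Slope, Zellic or OtterSec), the hook below redacts secret-looking fields and mnemonic-shaped strings from a Sentry event before it leaves the app. The key names, the 12-to-24-word pattern and the sample event are assumptions constructed for the example; the `beforeSend` option is the Sentry JavaScript SDK's standard pre-send callback.

```javascript
// Field names whose values should never reach a logging backend (assumed list).
const SENSITIVE_KEYS = /^(mnemonic|seed(_?phrase)?|private_?key|secret)$/i;
// Heuristic for a BIP39-style mnemonic: 12 to 24 lowercase words separated by
// single spaces. Deliberately broad: over-redacting a log line is the safe side.
const MNEMONIC_RE = /\b(?:[a-z]{3,8} ){11,23}[a-z]{3,8}\b/g;

// Recursively copy a value, replacing sensitive keys and mnemonic-like strings.
// Returns a new object; the original event is left untouched.
function redact(value) {
  if (typeof value === "string") return value.replace(MNEMONIC_RE, "[REDACTED]");
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === "object") {
    const out = {};
    for (const [key, val] of Object.entries(value)) {
      out[key] = SENSITIVE_KEYS.test(key) ? "[REDACTED]" : redact(val);
    }
    return out;
  }
  return value;
}

// beforeSend hook: Sentry calls this with every event; returning the scrubbed
// event sends it, returning null would drop it entirely.
function scrubEvent(event, _hint) {
  return redact(event);
}

// Wiring into the SDK (assumed option names; requires the Sentry SDK package):
// Sentry.init({ dsn: "<YOUR_DSN>", sendDefaultPii: false, beforeSend: scrubEvent });

// Constructed sample event resembling what an unscrubbed wallet app might emit.
const SAMPLE_EVENT = {
  message: "restore wallet",
  extra: {
    mnemonic: "abandon ability able about above absent absorb abstract absurd abuse access accident",
    step: 2,
  },
  breadcrumbs: [
    { message: "user entered: abandon ability able about above absent absorb abstract absurd abuse access accident" },
  ],
};
```

Key-based redaction is the primary control here; the mnemonic regex is a backstop for secrets that end up inside free-text messages or breadcrumbs.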

Slope said many of the wallets belonging to its founders and staff were also drained in the attack.

OtterSec has been working with Slope since the attack began on Tuesday evening, with Slope providing logs to the auditor dating back to 28 July.

There is concern around a discrepancy between the wallet addresses confirmed to be affected by the hack and those that are present in Slope’s logs, OtterSec said.

“Approximately 1,400 of the addresses in the exploit were present in Sentry logs. Notably, this does not account for all the hacked addresses,” said OtterSec.

“Over 5,300 private keys which were not a part of the exploit were found in the Sentry instance. 2,358 of these addresses have tokens in them,” it added.

The findings suggest that there are thousands of additional wallets that contain cryptocurrency tokens and could currently be vulnerable to additional attacks from the still-unknown hacker.

Owners of a Slope wallet are strongly advised to transfer all tokens into a different method of storage as soon as possible, such as a hardware ledger or centralised exchange.

“We are actively conducting internal investigations and audits, working with top external security and audit groups,” said Slope in an official statement.

“We are working with developers, security experts, and protocols from throughout the ecosystem to work to identify and rectify [the situation].

“We are still actively diagnosing, and are committed to publishing a full post-mortem, earning back your trust, and making this as right as we can.”

As of Wednesday, more than 9,000 wallets had been drained, and the number was still rising.

Solana said it was conducting its own investigation into the incident, but “there is no evidence the Solana protocol or its cryptography was compromised”.

Numerous investigations from across the industry are still ongoing and more discoveries are likely to be revealed as these continue.
