- Slope Wallet users’ seed phrases were kept in plain text on a server, it has been revealed
- Blockchain auditors Ottersec found that 15% of the wallets were hacked when this flaw was exploited
- Slope’s mobile app sent mnemonics to their centralised Sentry server via TLS
Blockchain auditing firm Ottersec has claimed that seed phrases for Slope wallets were stored in plain text on the project’s Sentry server, leaving them vulnerable to attack. Slope says that 9,223 unique wallets were targeted with just over $4 million worth of tokens stolen, although the vulnerability in question only impacted 1,444 of those wallets, with the attack vector for the others unclear. The seed phrases were sent automatically to the server via TLS and were kept in plain text on the server.
Unencrypted Seed Phrases Account for 15% of Victims
The exploit made headline news on Wednesday, with Slope Wallet quickly identified as the source. Little was known until late yesterday when Ottersec, which has been working with Slope and Solana to identify the method used to empty the wallets of SOL and USDC (through SLP tokens), said it had found that all seed phrases were sent unencrypted to a Sentry server:
We have independently confirmed that Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server.
These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys. pic.twitter.com/PkCFTeQgOP
— OtterSec (@osec_io) August 4, 2022
Slope and Ottersec announced on Twitter that they were still trying to work out how the other wallets were hacked, and that they were working with “relevant law enforcement agencies…in order to proceed with criminal investigations against the attackers”. This is either a bluff or suggests that they somehow have information about the hackers, which is less likely.
Near Protocol Patched Similar Flaw in June
In the wake of the hack, Near protocol has come forward to say that it too encountered a “potentially serious” security issue connected to the use of “common analytics tools in Web3”, which saw sensitive information shared with a third party. The issue was fixed the same day and saw Near decide to prevent users from creating accounts using email or SMS for account recovery, thus cutting off the risk.
The confirmation that Slope has unencrypted seed phrases sitting on a central server is an unbelievable oversight, and goes completely against the idea of a decentralised service. It also reinforces the suggestion that you shouldn’t leave all your funds in a ‘hot’ wallet, but should keep the bulk offline.