Slope says no evidence linking security flaw to massive hack

Image: Shutterstock

Solana-based crypto wallet Slope has revealed details of its investigations into a multi-million dollar hack that occurred early this month, saying there was a vulnerability in its application monitoring service but “no conclusive evidence” showed this flaw had caused the hack.

The vulnerability existed in the Slope on-premise 3rd-party application monitoring service on Slope Wallets on mobile between July 28 and August 3. It inadvertently logged sensitive data in cases where the apps generated an error event, Slope said in an August 11 statement.

While admitting that the vulnerability put many assets in danger, Slope said there was no conclusive evidence to link it to the August 3 exploit – in which an estimated US$5 million worth of assets were drained from Solana wallets. 

Slope said that a total of 9,232 addresses were hacked, which was larger than the total number of addresses ever exposed from the flaw. Of the exposed addresses, 1,444 were confirmed to have been drained, it said.

The investigation was conducted in collaboration with auditors OtterSec and SlowMist and cybercrime firm TRM. Slope said the investigation was nearing its conclusion. 

Slope said that the independent auditors did not find additional security issues and that it would soon share more details on the asset recovery measures for the victims affected in the exploit.

Apart from Slope, several other wallet apps, including Phantom, have been reported to have been affected in the hack. According to blockchain monitoring service PeckShieldAlert, the exploit caused an estimated loss of US$8 million. 

Some observers earlier suggested that there might be a vulnerability in Phantom or the Solana system. On August 4, Solana Status said its preliminary findings showed the affected addresses were at one point created, imported or used in Slope mobile wallet applications.