On the 2nd of August, Solana owners reported that their funds were vanishing, and by evening it became clear that a hacker was draining millions from online wallets.
The cause of the hack is still under investigation, and so is the extent of the damage. On 3rd August, the “Solana Status” Twitter account shared that the exploit seems to be tied to Slope wallets: private key (or password) information for such wallets was inadvertently transmitted to an application monitoring service.
Security firms estimate that the hacker stole over $4.1 million worth of assets, including Solana’s native coin SOL, a small number of non-fungible tokens (NFTs), and over 300 Solana-based tokens.
Over 9,230 Solana hot wallets were hacked in the attack that happened on the 2nd of August; those hot wallets are Phantom, Slope, and Trust Wallet.
On the 8th of August, Solana Status tweeted:
As always, hardware wallets are strongly encouraged for all blockchain users. Hardware wallets can remain secure even if the software wallet (or the entire computer) is compromised, since all verification occurs independently and the seed phrase never leaves the hardware wallet.
The day before yesterday, Solana.com posted a blog post titled “8/2/2022 Slope Wallet Incident Update”:
If you are a user of Slope, or have ever previously imported seed phrases into Slope, your wallet may be compromised. Please take the steps outlined in the Mitigation section. During an investigation by developers, analytics companies, and security auditors, it appears that affected addresses were at one point created, imported, or used in the Slope wallet applications on iOS and Android (created and published by Slope Finance).
Private key material from these Slope users was inadvertently transmitted by the Slope app to an application monitoring service, but exactly how the hacker obtained or intercepted this information is still under investigation. No core code related to Solana Labs, the Solana Foundation, or anything related to Solana protocol itself was involved in this attack.
This was not a protocol-level vulnerability. However, all a user had to do to become vulnerable was import their seed phrase into the Slope app.
This is a very good example of why you can’t share your seed phrase with anyone, not even your hot wallet issuer, in this case the Slope app.
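The failure described above, private key material reaching an application monitoring service, is the kind of leak a client-side scrubbing step is meant to catch. The following is an added example, not code from Slope, Solana, or the original post: a redaction filter applied to a telemetry event before it leaves the device. The event layout, field names, and the mnemonic heuristic (12 to 24 short lowercase words) are assumptions, and all sample values are constructed.

```python
import re

# Heuristic (assumption): a seed phrase looks like 12-24 lowercase words of
# 3-8 letters. Without the real wordlist this may over-match ordinary text,
# which is the safe direction for telemetry.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8}[ \t]+){11,23}[a-z]{3,8}\b")
# A 64-byte secret key encoded as base58 is 87-88 characters long.
BASE58_KEY_RE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{87,88}\b")
# Hypothetical field names whose values are never allowed off the device.
SENSITIVE_KEYS = {"mnemonic", "seed", "seed_phrase", "private_key", "secret_key"}
REDACTED = "[REDACTED]"


def scrub_text(text):
    """Redact mnemonic-like word runs and key-length base58 strings."""
    text = MNEMONIC_RE.sub(REDACTED, text)
    return BASE58_KEY_RE.sub(REDACTED, text)


def scrub_event(value, key=None):
    """Recursively scrub an event; call this from the before-send hook."""
    if key is not None and str(key).lower() in SENSITIVE_KEYS:
        return REDACTED  # drop the whole value, whatever its type
    if isinstance(value, dict):
        return {k: scrub_event(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub_event(v) for v in value]
    if isinstance(value, str):
        return scrub_text(value)
    return value


# Constructed sample event: the phrase and the key are fake placeholders.
FAKE_PHRASE = ("alpha bravo charlie delta echo foxtrot "
               "golf hotel india juliet kilo lima")
SAMPLE_EVENT = {
    "message": "Import failed, input was: " + FAKE_PHRASE,
    "extra": {
        "seed_phrase": FAKE_PHRASE,
        "attempt": 2,
        "breadcrumbs": ["tap import", "key=" + "2" * 88],
    },
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
```

Pattern-based scrubbing is a backstop; the stronger control is to keep seed phrases and keys out of anything that is logged or attached to an event in the first place.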