The Coin Crunch


The Day we advised Moving Funds to a Centralised Exchange

www.coincrunch.news

Here's how $4 Million worth of crypto was stolen from private wallets, and why it was advised to move funds to centralised exchanges.

Naimish Sanghvi
Aug 4, 2022

Centralised exchanges have come a long way since crypto’s inception. Insurance funds, multi-layer security in storage and numerous ways to move funds securely are just a few of the advantages of exchanges like Binance, Huobi, Kucoin, WazirX, Bitbns and such. But the oldest saying goes “Not your keys, not your coins”, which translates to: keep your crypto with you.

What happened with a private wallet for Solana called Slope that sent tremors through the ecosystem? Why were thousands of private wallets like Phantom and Slope robbed of crypto balances worth $4 Million? And why, oh why, did people say, “Just move your funds to an exchange to be safe”? Let us understand how non-custodial wallets created on people’s phones lost all their SOL and SPL tokens.

The Coin Crunch is a daily Newsletter that strives to bring the most important truth of the Web3 ecosystem to your inbox everyday. The subscription is free for a short time. Please subscribe to never miss a letter.

The Solana Wallet Hack that shook the Cryptoverse!

I exaggerate; the news around Solana wallets being emptied [1] didn’t really send shivers down the crypto ecosystem. In fact, to my surprise it was very well handled. The price of SOL dropped 3%. Just 3%. But it did shake up a few trees. Arguments began to flow about how private wallets, whose keys are held by the users themselves, could be attacked at all.

Is it a permissions issue? Did the user give permission to smart contracts to remove funds?

Is it a supply chain issue? Did someone get access to the script that generates private keys for the most affected wallets like Phantom and Slope?

Has the Solana Blockchain been compromised?

Turns out it was none of these. It had to do with software that collects logs from the Slope wallet on phones. Yes. A third-party service that Slope partnered with was the reason people’s private keys were exposed to a hacker.

Solana Status (@SolanaStatus), Aug 3, 2022, 8:05 PM:
“This exploit was isolated to one wallet on Solana, and hardware wallets used by Slope remain secure. While the details of exactly how this occurred are still under investigation, private key information was inadvertently transmitted to an application monitoring service. 2/3”

The Lack of Open Source Software

Before we understand how the breach actually happened, we have to understand the importance of open-sourcing the development of products built on what are essentially supposed to be public ledgers.

If only Slope had open-sourced the code of their wallets, the vulnerability might have been discovered and patched in due time, before it could affect anyone. This is of course speculation, but plenty of research shows how open-sourcing software is a net benefit to any organisation where community is a key metric [2].

As Polygon’s security researcher Mudit Gupta points out, “Closed source wallets are a slippery slope”. Hence, let us, you and I, both make a vow today: “We will check whether a wallet is open source, and only then install it on our systems”.

Mudit Gupta (@Mudit__Gupta), Aug 4, 2022, 1:14 PM:
“Closed source wallets are a slippery slope”

How were the Slope Wallets Compromised?

Our in-house tech expert called me up at 1:30 AM when I was fast asleep to tell me he knew exactly how Slope wallet keys were compromised and that he had replicated the issue on his own system. We discussed it in the morning as I wanted to break it down for you, my readers, in a simplified form. But of course if there is anything you want more clarification on, just drop a comment below and I will make sure we get it answered.

It begins with the Slope wallet using a service called “Sentry”. Sentry [3] is a logging library. Essentially, Sentry acts like an application monitor. When an app crashes or a user faces an error, Sentry collects the data stored locally on the phone and sends it to the developer of the app. This helps the developers identify the root cause of a problem, or the frequency of a problem in certain environments, and fix it.

With Slope, this metadata also included the wallet private key and seed phrase. At a certain point, the Slope wallet was sending the user’s wallet private key and seed phrase to Sentry in plain text. THIS IS THE unHOLY GRAIL of logging errors.

The small mistake that the Slope devs made here is not redacting the wallet information at certain stages.
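As an added illustration (this is not Slope’s or Sentry’s code), here is the kind of redaction step the paragraph above says was missing: a Python function shaped like the `before_send` callback that Sentry SDKs accept, which redacts seed phrases and private keys both by field name and by value shape before an event leaves the device. The event structure and every value in it are constructed for this example.

```python
import re
from typing import Any, Tuple
# Field names that must never leave the device, whatever the value looks like.
SENSITIVE_KEY_RE = re.compile(r"seed|mnemonic|private.?key|secret|passphrase|keypair", re.I)
# A 12- or 24-word lowercase phrase is almost certainly a BIP39 recovery phrase.
MNEMONIC_RE = re.compile(r"^(?:[a-z]+ ){11}[a-z]+$|^(?:[a-z]+ ){23}[a-z]+$")
# 80+ base58 characters look like an encoded 64-byte Solana secret key; ~44-char public keys pass.
BASE58_SECRET_RE = re.compile(r"^[1-9A-HJ-NP-Za-km-z]{80,}$")
REDACTED = "[REDACTED]"

def looks_like_secret(value: str) -> bool:
    v = value.strip()
    return bool(MNEMONIC_RE.match(v) or BASE58_SECRET_RE.match(v))

def scrub(obj: Any) -> Tuple[Any, int]:
    """Return a deep copy of obj with secrets replaced, plus the redaction count."""
    if isinstance(obj, dict):
        out, count = {}, 0
        for key, value in obj.items():
            if SENSITIVE_KEY_RE.search(str(key)):
                out[key], count = REDACTED, count + 1   # redact by field name
            else:
                out[key], n = scrub(value)               # recurse into the value
                count += n
        return out, count
    if isinstance(obj, list):
        cleaned = [scrub(item) for item in obj]
        return [c[0] for c in cleaned], sum(c[1] for c in cleaned)
    if isinstance(obj, str) and looks_like_secret(obj):
        return REDACTED, 1                               # redact by value shape
    return obj, 0

def before_send(event: dict, hint: Any = None) -> dict:
    """Shaped like Sentry's before_send hook: return the cleaned event, never the raw one."""
    cleaned, _ = scrub(event)
    return cleaned

# Constructed sample event (not a real Slope/Sentry payload) with secrets in three places.
SAMPLE_EVENT = {
    "message": "wallet restore failed",
    "extra": {
        "walletState": {
            "mnemonic": "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
            "publicKey": "7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU",
        },
        "recovery_input": "legal winner thank year wave sausage worth useful legal winner thank yellow",
        "lastError": "timeout",
    },
    "breadcrumbs": [{"category": "ui", "data": {"secretKey": "5" * 88}}],
}
```

Note that the hook keeps the event and drops only the secrets, so crash diagnostics still reach the developers; the value-shape check is what catches a seed phrase hiding under an innocuous field name like `recovery_input`.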

While the initial assumption was that only iOS devices were affected, it later came to light that Android devices were exposed to the same flaw as well.

What is yet to be discovered is who took these private keys and decided to abuse that power. Did they not hear Uncle Ben say, in multiple films, that with great power comes great responsibility?

It could be anyone in the Slope team with access to Sentry logs or a hacker who managed to get access to Slope’s sentry account, says Smit Khakhkhar, Coin Crunch’s Tech co-founder and Delta Blockchain Fund’s Tech Diligence Advisor.

The Phantom wallets that were drained are also suspected to have been created by using the seed phrase of Slope wallets.

SMS aey.sol (@aeyakovenko), Aug 3, 2022, 9:06 PM:
“@laine_sa_ Attacker is lazy at driving all the paths. A bunch of phantom users only saw their slope addresses get drained. I would advise anyone that touched slope to regenerate their seed phrase in a different wallet asap.”

As of this writing, Slope has removed the server-side logging. Around 1,444 of the 9,223 drained wallets have been traced back to this vulnerability. While many media reports claim the total value of the hack to be $8 Million, some expert estimates put it at ~$4 Million [4].

Move your funds to Centralised Exchanges

Before we begin, let us read what the boss of the world’s largest crypto exchange by volume said on Twitter:

CZ 🔶 Binance (@cz_binance), Aug 3, 2022, 3:25 AM:
“There is an active security incident on Solana. Many (7000+ and counting) wallets are drained of SOL & USDC. Don't know root cause yet. Maybe permissions granted to apps. For remediation, send the funds to a cold wallet or CEX like @binance.”

Quoting foobar (@0xfoobar):
“🚨 Widespread Solana private key compromise 🚨 - attacker is stealing both native tokens (SOL) and SPL tokens (USDC) - affecting wallets that have been inactive for >6 months - both Phantom & Slope wallets reportedly drained https://t.co/AkZXOGLD0Q”

“Send the funds to a cold wallet or CEX like Binance”

It turned out to be the best advice when news of the hack broke. In theory, the hack is still in progress and the non-empty wallets made on Slope are still at risk. But it seemed like a safe idea to move funds to a centralised exchange as many people won’t have cold wallets or hardware wallets.

Even we at Coin Crunch advised people to do the same thing.

Centralised exchanges, especially the larger ones, have come a long way. Binance has a SAFU fund [5], valued at almost $1 Billion, that is set up to compensate users in the event of a hack. So it makes sense to move funds to an exchange that you can trust.

However, the recent market downturn sent many crypto platforms packing. Vauld, 3AC and Babel Finance are just some examples of many. So it is always advisable to tread with caution while dealing with crypto exchanges and platforms.

Nevertheless the golden rule, “Not your keys, not your coins”, still holds true. Albeit we can change it to “Not your keys, not your coins, but do check that the software that generates keys is open source and battle tested”.



In other World

  1. zbyte, a Web3 startup aiming to make it easy for enterprises to build decentralised applications has raised $10 Million from Private Investors. Read more.

  2. Justin Sun Wants to Support an Ethereum Hard Fork that preserves PoW consensus. Read more.

  3. Global coffee store franchise giant Starbucks is looking to launch a new Web3 rewards program to attract and retain customers. Read more on CoinTelegraph

Learn the Basics of Crypto Trading

In our 9 Episode series on learning the basics of trading, we bring you the step-by-step process of identifying and implementing trends and strategies. Check out the first episode below:

Notes

[1] https://techcrunch.com/2022/08/03/solana-wallet-hack/
[2] https://www.freecodecamp.org/news/what-is-great-about-developing-open-source-and-what-is-not/
[3] https://sentry.io/
[4] https://twitter.com/slope_finance/status/1555100731706949639
[5] https://academy.binance.com/en/glossary/secure-asset-fund-for-users
