Engineers Find Slope Wallet Bug Behind $6M Solana-based Hack

Following an intense 24-hour period, security researchers and Solana Labs engineers have linked the recent hack of specific Solana-based wallets to a critical bug in one wallet service provider. Slope Finance developers mistakenly shipped code that allowed user-generated seed phrases to be transferred to a malicious actor in plain text.

The hack had targeted private keys associated with the Solana ecosystem, with breached wallets automatically signing transactions without user authorization. The hackers transferred users’ SOL and USDC assets.

Although certain users of other wallets such as Phantom, Trust Wallet, and Solflare were also affected, the findings suggested that these users had either created their seed phrase in Slope Finance or passed it through Slope Finance at some point.

Solana’s team clarified that the attack did not impact the underlying network, as it remained fully functional throughout the incident. An estimated 7950 wallets were drained, netting the hacker(s) approximately $6 million in illicit profit.

Web3 Security Risks Persist

The latest Solana wallet hack comes less than 24 hours after hackers drained cross-chain protocol Nomad Bridge of nearly $200 million. Industry observers agree that the prevalence of these security risks undermines public interest in the Web3 experiment and could potentially dampen investor appetite. However, these incidents provide an opportunity for the industry to address such security risks on the path to mainstream adoption.

For instance, the Solana Slope wallet hack has been strongly linked to the closed-source nature of the project’s codebase. Such incidents are avoidable if Web3 projects commit to open-source development. Meanwhile, users can also add a strong layer of security by using secure hardware wallets that store private keys offline.