Slope: No ‘conclusive evidence’ tying $4 million Solana hack to its own security flaw

Quick Take

  • Slope has acknowledged that it had a security flaw.
  • Yet it says there’s no conclusive evidence that this flaw caused the major Solana hack.

Slope Finance says there is no “conclusive evidence” tying the major Solana hack to the wallet's own security flaw, according to a statement by the Solana wallet provider on Thursday. It is still investigating the attack but said that auditors are nearing their conclusions.

Slope wallet users — and others — were victims of a malicious exploit earlier in August that led to the theft of over $4 million in solana (SOL) tokens from more than 9,000 addresses. Solana researchers traced the hack to a vulnerability in the Slope mobile wallets where seed phrases were stored in plain text.

Even though Slope acknowledged there was indeed a vulnerability, it remains skeptical that this was the cause of the hack.

According to Slope, while the security flaw did exist, the number of wallet addresses drained in the attack exceeded the number of Slope's compromised addresses. Plus it only found that 1,444 of its compromised addresses were drained, far fewer than the total number that were drained.

The Solana wallet provider also stated that, despite the vulnerability, access to the server — where the seed phrase information was stored in plain text — was protected by end-to-end encryption. This server also had an additional three-factor authentication protocol set up for granting access, the statement added.

Based on these reasons, Slope said, "there is no conclusive evidence from the auditors to link the Slope vulnerability to the exploit."

Slope said its investigations did not find any additional security issues. As such, the wallet provider says the latest patched version of the Slope wallet is safe for use. Slope did, however, decry the events of last week in its statement adding that the existence of the security flaw alone was enough to put user funds in danger.

“This is nowhere near the security standard that Slope set out to establish and maintain, and we are deeply regretful of these occurrences. Security is paramount to us, and our user base is everything. We should never have let this happen,” today’s announcement stated.

Following the hack, Slope offered a 10% bounty to the attackers if they returned the stolen funds.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.