With some 8,000 wallets compromised, in the immediate aftermath it wasn’t clear where to place the blame, and the incident quickly became a source of panic across Solana’s ecosystem.
While it isn’t even close to the largest hack in recent memory (I’m looking at you, Nomad), I’m going to wager that you probably heard about the widespread draining of wallets on Solana that happened recently.
Some 8,000 wallets were compromised, and in the immediate aftermath it wasn’t quite clear where to place the blame. With users of Phantom, Solflare, Slope, Trustwallet, and others all declaring that their funds had been drained, it quickly became a source of panic for folks across Solana’s ecosystem.
The issue actually comes down to Slope wallet & their gross incompetence in wallet security, as detailed by both Zellic and OtterSec, both worth a follow to stay abreast of the latest hacks & exploit post-mortems.
Per Zellic’s breakdown, Sentry is a platform for logging events & errors, often used to track application exceptions. When an exception is captured, the SDK sends an event containing the error details plus its surrounding context (stack trace, breadcrumbs, extra data the developer attached) to the company’s Sentry instance, where it is stored.
The Slope wallet for iOS and Android started using Sentry roughly a week before the ‘hacks’ occurred, but unfortunately Slope didn’t configure the Sentry SDK to scrub sensitive fields (like mnemonic phrases) from events before they were sent. The mnemonics were therefore stored in plaintext on the Sentry server, free for the taking by anyone with access to that Sentry project.
I would caution that according to OtterSec, the leak only accounts for 1,400 addresses out of the 9,214 total, or roughly 15% of the total wallets compromised. I’d hate to speculate, but in the wake of the hack, Near Protocol disclosed that they’d found a similar vulnerability in their wallet.
According to Near, they were careful to scrub & sanitize the data being sent to a “third-party service” (presumably Sentry), but a recent code change exposed the data of users who had utilized email or SMS recovery in their wallets.
As a result, Near is removing email & SMS as options for account recovery, despite no clear evidence of a compromise from their leak. They’re additionally cautioning users to create new wallets, just in case.
Again, I would hate to speculate, but it doesn’t seem beyond belief that other wallets might be exposed due to third-party data logging or code changes.
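The fix for both failure modes above (Slope never scrubbing, and Near’s scrubbing being undone by a later code change) is to redact secrets inside the SDK’s outbound hook, where the redaction runs on every event no matter which call site produced it. The following is an added example, not code from Slope, Near or Sentry: a `beforeSend` hook for the Sentry JavaScript SDKs that walks the whole event and redacts anything keyed or shaped like a wallet secret. The event object and the regexes are my constructions; the regexes are heuristics tuned to over-redact rather than leak.

```javascript
// Added example (not Slope's, Near's or Sentry's own code): a Sentry
// `beforeSend` hook that redacts wallet secrets before an event leaves the
// device. The sample event is constructed; the regexes are heuristics.

// Keys whose values are never safe to log, whatever type they hold.
const SENSITIVE_KEY_RE = /mnemonic|seed|secret|private|passphrase|password|keypair/i;

// A run of 12 or more lowercase 3-8 letter words anywhere inside a string.
// BIP-39 phrases are 12/15/18/21/24 words; the upper bound is left open so a
// mnemonic glued onto a longer lowercase sentence is redacted as a whole run
// rather than leaving its tail exposed.
const MNEMONIC_RE = /\b(?:[a-z]{3,8}\s+){11,}[a-z]{3,8}\b/g;

// Base58 of a 64-byte ed25519 keypair (the form Solana wallets export private
// keys in) is 87 or 88 characters long.
const BASE58_KEYPAIR_RE = /\b[1-9A-HJ-NP-Za-km-z]{87,88}\b/g;

function redactString(s) {
  return s
    .replace(MNEMONIC_RE, "[REDACTED:mnemonic]")
    .replace(BASE58_KEYPAIR_RE, "[REDACTED:keypair]");
}

// Walk the event recursively and return a scrubbed copy. The key check runs
// first so a byte array or word list stored under `mnemonic`/`secretKey` is
// dropped entirely, not just string values.
function scrub(value, key = "") {
  if (key && SENSITIVE_KEY_RE.test(key)) return "[REDACTED]";
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) return value.map((v) => scrub(v));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrub(v, k);
    return out;
  }
  return value;
}

// Sentry's hook signature: return the (modified) event, or null to drop it.
function beforeSend(event, _hint) {
  return scrub(event);
}

// Constructed sample event, the kind an error in a "restore wallet" flow might
// produce. The 12-word phrase is the public BIP-39 test vector, not a funded wallet.
const SAMPLE_EVENT = {
  message:
    "Import failed for phrase: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about (code 7)",
  user: { id: "user-123" },
  extra: {
    mnemonic:
      "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
    derivationPath: "m/44'/501'/0'/0'",
    secretKey: [12, 34, 56],
  },
  breadcrumbs: [{ category: "ui", message: "tapped Restore wallet" }],
};

// Wiring into the real SDK (assumed @sentry/react-native or @sentry/browser;
// not executed here):
//   Sentry.init({ dsn: "...", sendDefaultPii: false, beforeSend });

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(beforeSend(SAMPLE_EVENT, {}), null, 2));
}
```

Running it prints the event with `extra.mnemonic` and `extra.secretKey` replaced by `[REDACTED]` and the phrase inside `message` replaced by `[REDACTED:mnemonic]`, while `user.id` and the derivation path survive. The point of putting this in `beforeSend` rather than at each logging call is exactly the Near lesson: a new code path that attaches the wrong object still passes through the hook. Attachments and `beforeBreadcrumb` need the same treatment if the app uses them, and the hook does not help if the Sentry project itself is left open.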
SO. What do we, personally, do?
Now, when this all went down, I heard so many smart folks in crypto screaming that the solution was HARDWARE WALLETS. I disagree, for so many reasons.
First, with hardware wallets you have to remind users to only order directly from the manufacturer: a device bought on a secondary market may have been tampered with, or shipped pre-initialized with a seed phrase the seller already knows.
Second, cost & shipping time. If a user didn’t already have a hardware wallet lying around, how does this help them? Also, my personal opinion is that if you need a three-figure piece of hardware in order to make crypto secure & functional, then we’ve already failed.
Third, the hardware wallet manufacturers themselves are a risk, not necessarily to your funds, but to your data: the details of an initially reported 270,000 crypto wallet buyers (eventually some 1.25m+) were exposed due to negligence by Ledger.
Quoting Ledger CEO Pascal Gauthier, “It’s a wrong API key that got coded on the map client to import the database from the store that got coded in the wrong placements and so, therefore, was coded where it should not have been coded and exposed the database to a simple attack”.
Another simple mistake, but having your data exposed & connected to the purchase of a hardware wallet raises so many concerns re: physical attacks, scareware, et al. It wasn’t so very long ago that we were seeing crypto holders’ families held at gunpoint until they transferred funds.
Personally, I lean more towards personal responsibility. Here are a few quick tips on limiting risk:
- Segregate funds. Do not risk more than 10% of your total portfolio in any wallet, exchange, protocol, or bridge. Store mnemonics & passwords separately, and avoid crossover between devices when possible.
- Create new wallet accounts regularly, and don’t reuse them so often. Did you know that in the early days, the constant caution was to use a new address every time? And think about users of wallets other than Slope: how many recovered an account generated on Slope into another wallet, like Phantom? Don’t do this. If the mnemonic was already logged, importing it into a different app changes nothing; the keys derived from it are identical, and whoever holds the phrase controls them. Just create a new account on Phantom, with a freshly generated mnemonic, and transfer funds to it.
- Be very careful before using new wallets, or those from untested developers. In the end, this still might not be enough, as code changes & unknowns are often spotted by hackers, both whitehat & gray/blackhat, long before they’re spotted by the teams themselves. This, again, is why you need to limit risk to any single vector.
- Do consider cold storage as a possible solution, however you approach it. I’ve gone over some inventive methods in recent articles, but as with my primary caution re: hardware wallets, do not think it is a total security solution for 100% of your assets. Partition. Segregate. Limit exposure. Limit risk. This is the mantra.
I feel like a broken record, but maybe next week there won’t be yet another hack or leak to write about, and I won’t have to say it…
But probably not.
So, as always: Research more. Trust less.