8/2/2022 Slope Wallet Incident Update

by Solana Foundation

8/2/2022 Slope Wallet Incident Update

If you are a user of Slope, or have ever previously imported seed phrases into Slope, your wallet may be compromised. Please take the steps outlined in the Mitigation section.

Starting at 08-02-2022 22:37 UTC and continuing for ~4 hours, a malicious attacker or attackers drained 9,231 wallets of approximately $4.1 million worth of assets. On-chain transaction show that private keys for the affected wallets had been leaked or compromised, and were used to sign malicious transactions.

During an investigation by developers, analytics companies, and security auditors, it appears that affected addresses were at one point created, imported, or used in the Slope wallet applications on iOS and Android (created and published by Slope Finance). Private key material from these Slope users was inadvertently transmitted by the Slope app to an application monitoring service, but exactly how the hacker obtained or intercepted this information is still under investigation. No core code related to Solana Labs, the Solana Foundation, or anything related to Solana protocol itself was involved in this attack. This was not a protocol-level vulnerability.

This exploit appears isolated to one wallet provider that supports Solana and Ethereum addresses, but affected users on other software wallets (such as Phantom and Solflare) may have been the result of users’ reuse of seed phrases generated or stored within Slope. This is not currently believed to be an issue directly related to any specific wallet implementations other than Slope’s. Any impact to users with Ethereum wallets was likely also due to reuse of seed phrases as both Ethereum and Solana use BIP39 mnemonics.

Hardware wallets (used with or without Slope) have not been impacted, and any wallets generated from seed phrases that have never been imported into (or used by) Slope wallets have not been affected. However, all a user had to do to become vulnerable was import their seed phrase into the Slope app. If you believe there is even a chance you did this, please follow mitigation steps below.


Block production was not affected by this incident.

Mitigation

Slope Finance is continuing to work with developers, security experts, and protocols throughout the ecosystem – including with top external security and audit groups – to determine the full extent of the issue and how this information was retrieved by the attacker. The Slope Finance team has committed to publicly publishing a full post mortem on this incident (see Slope Finance's statement).

Anyone with information pertaining to this breach can reach out to Slope Finance at exploit@slope.group.

For any user inquiries or other assistance, please contact support@slope.group.

If you are a user of Slope, or have ever previously imported seed phrases into Slope, your wallet may be compromised, even if no assets have been transferred. 

  • Generate a new seed phrase in another wallet application.
  • Transfer all assets (tokens and NFTs) to this new wallet.
  • Abandon the old address, as it was potentially compromised.

Users should not reuse any wallets derived from seed phrases previously used with Slope’s mobile applications.