Slope Wallet Sentry Vulnerability — Digital Forensics and Incident Response Report

  • The Sentry vulnerability can be restricted in scope to mobile application (app) users only, and in time to a window of 7 days (28 July to 2 August 2022).
  • The original report includes a diagram of the container setup for the Slope Wallet application; it is not reproduced here.
  • Private keys of 6,811 unique wallets (0.4% of Slope's mobile user base) were found in the Sentry database. Of these, only 1,444 were among the 9,229 Solana wallets drained in the attack (about 15% of the drained wallets).
  • Data forensics uncovered no evidence that the remaining 7,785 drained wallets (9,229 minus 1,444) were ever stored in the Sentry database.
  • There is no indication of any log deletion or manipulation. The Redis pulse messages show that the service was up throughout the entire period, while Postgres and Clickhouse logs were paused due to a planned renewal of the analytics pipeline, so those two stores contribute no log coverage for the window.
  • No additional logs were retrieved.
  • No evidence of malicious activity was found.
  • All SSH remote logins were analyzed; no abnormalities were found within the vulnerability window.
  • No sign of man-in-the-middle attacks was found.
  • A Slope internal code audit was completed; no additional vulnerabilities were detected.
  • Additional investigation work covers:
      • any abnormal SSH requests before June 24th, 2022;
      • interviews of potentially affected users who have never used Slope Wallet on a mobile device;
      • interviews of users drained by the attack whose wallet public key does not appear in the Slope Sentry entries.
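The following Python script is an added illustration, not part of the Slope report and not Slope's own tooling. It shows the two checks the findings above rest on: scoping Sentry events to mobile-app events inside the 28 July to 2 August 2022 window and intersecting the wallets found there with the drained-wallet list (the 1,444 / 7,785 split), and reviewing SSH logins inside the window against a pre-window baseline. Every event, wallet identifier and auth.log line is a constructed sample; the event field names, and the assumption that each leaked key has already been mapped to its wallet public key, are mine. It uses only the standard library, so it runs offline.

```python
"""Added example: forensic triage helpers for a Sentry key-leak incident.

Illustrative code, not Slope's own tooling. Event fields, wallet names and
log lines are constructed samples; a real run would read a Sentry export and
the host's auth.log instead.
"""
import re
from datetime import datetime, timezone

# Window and scope the report attributes to the vulnerability.
WINDOW_START = datetime(2022, 7, 28, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 8, 2, 23, 59, 59, tzinfo=timezone.utc)
IN_SCOPE_PLATFORM = "mobile"

# --- Part 1: Sentry events vs. drained wallets -------------------------------
# Constructed events, reduced to the fields the triage needs. "wallet" is the
# public key derived from the leaked key material (assumed already extracted).
SAMPLE_EVENTS = [
    {"platform": "mobile", "ts": "2022-07-29T10:00:00Z", "wallet": "WalletA"},
    {"platform": "mobile", "ts": "2022-07-31T12:30:00Z", "wallet": "WalletB"},
    {"platform": "mobile", "ts": "2022-07-31T12:31:00Z", "wallet": "WalletB"},  # same wallet twice
    {"platform": "web",    "ts": "2022-07-30T08:00:00Z", "wallet": "WalletC"},  # wrong platform
    {"platform": "mobile", "ts": "2022-08-05T09:00:00Z", "wallet": "WalletD"},  # after the window
]
DRAINED = {"WalletA", "WalletB", "WalletD", "WalletE"}  # constructed drained-wallet list


def event_in_scope(ev):
    ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev["platform"] == IN_SCOPE_PLATFORM and WINDOW_START <= ts <= WINDOW_END


def triage(events, drained):
    """Count unique wallets exposed in scope and intersect them with the drained set."""
    exposed = {ev["wallet"] for ev in events if event_in_scope(ev)}
    out_of_scope = {ev["wallet"] for ev in events if not event_in_scope(ev)}
    both = exposed & drained
    return {
        "exposed_unique": len(exposed),
        "exposed_and_drained": len(both),
        "drained_not_in_sentry": len(drained - exposed),
        # Drained wallets whose key shows up in Sentry only outside the assumed scope:
        # any non-zero value here says the scoping assumption needs revisiting.
        "drained_seen_out_of_scope": len((out_of_scope - exposed) & drained),
        "share_of_drained_pct": round(100.0 * len(both) / len(drained), 1) if drained else 0.0,
    }


# --- Part 2: SSH logins in the window vs. a pre-window baseline --------------
# Constructed auth.log excerpt in the sshd syslog format (the year is not logged).
SAMPLE_AUTH_LOG = """\
Jul 20 08:12:01 sentry sshd[1001]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:abc
Jul 29 23:15:42 sentry sshd[1187]: Accepted publickey for deploy from 10.0.0.5 port 51890 ssh2: ED25519 SHA256:abc
Jul 30 02:03:09 sentry sshd[1190]: Accepted password for root from 203.0.113.9 port 40022 ssh2
Jul 30 02:03:20 sentry sshd[1190]: Failed password for root from 203.0.113.9 port 40022 ssh2
Aug  4 11:00:00 sentry sshd[1300]: Accepted publickey for deploy from 10.0.0.5 port 52001 ssh2: ED25519 SHA256:abc
"""
ACCEPTED = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_logins(text, year=2022):
    """Return successful sshd logins as dicts; other lines (failures, etc.) are skipped."""
    logins = []
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if not m:
            continue
        hour, minute, second = (int(x) for x in m["time"].split(":"))
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hour, minute, second, tzinfo=timezone.utc)
        logins.append({"ts": ts, "user": m["user"], "ip": m["ip"], "method": m["method"]})
    return logins


def flag_logins(logins, start=WINDOW_START, end=WINDOW_END):
    """Logins inside the window whose (user, source IP, auth method) was never seen before it."""
    baseline = {(l["user"], l["ip"], l["method"]) for l in logins if l["ts"] < start}
    return [l for l in logins
            if start <= l["ts"] <= end and (l["user"], l["ip"], l["method"]) not in baseline]


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, DRAINED))
    for login in flag_logins(parse_logins(SAMPLE_AUTH_LOG)):
        print("review:", login["ts"].isoformat(), login["user"], login["ip"], login["method"])
```

The count to watch is `drained_seen_out_of_scope`: a drained wallet whose key appears in Sentry only outside the assumed platform or window (WalletD in the sample) should trigger a review of the scoping assumption, not be counted as "never in Sentry". The SSH check deliberately keys on (user, source IP, method) rather than on IP alone, so a known operator host switching from key to password authentication, as the constructed root login does, still surfaces for review.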

Slope Finance