The Slope Wallet team has promised a 10% bounty to the anonymous hacker who compromised several thousand Slope users’ wallets earlier this week. In return, Slope would like the hacker to return the other 90% of the stolen goods.
A Promise of Safety
In a statement on Friday, Slope called on the hackers to examine its bounty offer for the safe return of user funds. It offered a Solana address to which to send those funds, which had yet to receive any large transfers at the time of writing.
The offer is hardly a hopeless plea: Slope warned that it had already engaged blockchain intelligence firm TRM Labs on the matter. Such firms, much like Chainalysis, specialize in detecting patterns and movement of funds across the blockchain.
Slope also claimed to be in cooperation with law enforcement to investigate the hackers’ identities. However, it said its first priority remained seeing its users’ funds returned.
“We ask that the hacker return 90% of the stolen funds within 48 hours of 8:30 pm UTC on August 5th, 2022,” read the statement. “Upon receipt of these funds, we will not make additional efforts to investigate this matter, or pursue any legal action.”
Starting on Wednesday, hundreds of Solana users began reporting that their wallets had been drained of funds. Many had initially blamed the Solana protocol itself for the failure, but the Solana team quickly found that only Slope wallet users had been impacted.
How Did the Hack Occur?
Slope is a non-custodial wallet – implying that users’ funds should be safe from large-scale thefts, as seen with crypto exchanges. However, blockchain auditor OtterSec found in its investigation that Slope’s mobile/hot wallets contained a centralizing security vulnerability.
“Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server,” explained the auditor. “These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys.”
As OtterSec explained, 1400 of the compromised addresses were identified in the Sentry logs. However, this does not account for all affected addresses.
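The failure OtterSec describes is secret material travelling inside telemetry. As an added example (not code from Slope, OtterSec or Sentry), here is a client-side pre-send filter that redacts seed-phrase-like strings from an event before it is transmitted. The hook name `before_send`, the key names and the event layout are assumptions of this example, and the word-run pattern is a heuristic rather than a wordlist check.

```python
import re

# Heuristic (an assumption of this example): BIP-39 English words are 3-8
# lowercase letters and phrases run 12-24 words, so a run of 12+ such words is
# treated as a possible seed phrase. A stricter filter would check the wordlist.
MNEMONIC_RE = re.compile(r"\b[a-z]{3,8}(?:\s+[a-z]{3,8}){11,23}\b")
REDACTED = "[REDACTED possible seed phrase]"
# Hypothetical field names that should never leave the device, whatever they hold.
SENSITIVE_KEYS = {"mnemonic", "seed", "seed_phrase", "private_key", "secret_key"}


def scrub(value, key=None):
    """Return a copy of value with seed-phrase-like content removed."""
    if key is not None and str(key).lower() in SENSITIVE_KEYS:
        return REDACTED
    if isinstance(value, str):
        return MNEMONIC_RE.sub(REDACTED, value)
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    return value


def before_send(event, hint=None):
    """Pre-send hook: scrub the whole event before it is handed to the network."""
    return scrub(event)


# Constructed sample event; the phrase is the public BIP-39 test vector.
PHRASE = " ".join(["abandon"] * 11 + ["about"])
SAMPLE_EVENT = {
    "message": "User tapped Send on transfer screen",
    "extra": {"mnemonic": PHRASE, "app_version": "0.0.0-example"},
    "breadcrumbs": [{"category": "wallet", "message": "import ok: " + PHRASE}],
}

if __name__ == "__main__":
    print(before_send(SAMPLE_EVENT))
```

A filter like this is a backstop: the primary control is never passing key material to logging or error-reporting calls in the first place.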
Slope has recommended that even cold-storage users move their funds to another address as the problem is investigated. Cold storage refers to storing crypto at a blockchain address whose private keys are not connected to the internet. These are inherently more secure, but less convenient for transferring money.