Slope Wallet Solana Hack
On August 2nd, 2022, roughly 9,321 Solana wallets appear to have been drained of their cryptocurrency. While the parties investigating this attack have yet to release a root cause, there is a lot of speculation floating around, including about Sentry.
There is no indication that Sentry’s SaaS product or infrastructure was involved in this attack.
There is no indication that Sentry’s self-hosted, open source product was compromised by a vulnerability in the software.
Background
Sentry is a platform that helps every developer diagnose, fix, and optimize the performance of their code. A large part of this is accomplished using data sent from applications using a Sentry library, to the Sentry backend. This backend can either be the SaaS product, hosted at sentry.io, or self-hosted on one’s own servers using our open source project.
As with any system that accepts and stores data, it is possible to end up with sensitive information accidentally sent, stored, and/or processed. At Sentry, we work to help prevent this by setting sane defaults, client side scrubbing, server side scrubbing, and allowing for data deletion.
What we know
- 9,231 Solana wallets were drained of funds, starting at 22:37 UTC on 2 August 2022. The attack continued for four hours.
- Analysis shows private keys were used to sign these transactions, indicating that private keys may have been compromised.
- Investigations indicate that affected addresses were at one point created/imported/used by the Slope wallet applications on iOS or Android.
- These wallet applications appear to have transmitted private key material to a host, o7e[.]slope[.]finance. Based on the hostname the Sentry SDK was pointed to, we believe Slope was running the self-hosted, open source version of Sentry.
- Historical DNS entries for o7e[.]slope[.]finance indicate this pointed to 47[.]242[.]200[.]195. This IP is a host in Alibaba Cloud, located in Hong Kong.
- Sentry does not run servers in Hong Kong, nor do we run servers in Alibaba Cloud.
What We’re Doing
While we can’t completely prevent sensitive information from being sent to us, we can help prevent some of the more common cases that result in sensitive information being sent and stored. Once the issue was disclosed, we acted immediately to prevent future instances of “privatekey” or “private_key” from being stored. Additionally, we are going to investigate other common data formats, such as BIP39 mnemonic phrases, that may be easily scrubbed from data sent to Sentry.
At this point in time, we are conducting our own investigation using Sentry’s data, as well as publicly available information, as we have not spoken to the Slope team directly. In the meantime, if there are easily identifiable and verifiable patterns which would be helpful to scrub, drop us a line in a GitHub Issue.
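To make the client-side scrubbing described above concrete, here is an added example of a before_send hook that drops “privatekey” / “private_key” values and BIP39-looking phrases from an event before the SDK transmits it. This is illustrative code written for this post, not Sentry’s own scrubbing implementation; the key pattern (which also catches “privateKey” and “private-key”) and the mnemonic heuristic (phrase length and word shape only, rather than a lookup against the 2048-word BIP39 list) are assumptions, and the sample event is constructed.

```python
import re
from typing import Any

# Keys whose values must never leave the client. "privatekey" and
# "private_key" come from the advisory; the optional separator also
# matches "privateKey" and "private-key" (assumption).
SENSITIVE_KEY_RE = re.compile(r"private[_-]?key", re.IGNORECASE)

# Heuristic for BIP39 mnemonics (assumption, not an exact check): valid
# phrases are 12, 15, 18, 21 or 24 words, and every English wordlist entry
# is 3 to 8 lowercase letters. A production check would also verify each
# word against the actual wordlist to cut false positives.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")

REDACTED = "[Filtered]"


def looks_like_mnemonic(value: str) -> bool:
    """True if a string has the shape of a BIP39 seed phrase."""
    words = value.strip().split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.match(w) for w in words)


def scrub(obj: Any) -> Any:
    """Return a scrubbed copy of an event fragment (dicts, lists, scalars).

    Values under sensitive keys are replaced wherever they appear in the
    tree, and any free-standing string that looks like a mnemonic is
    replaced too, so a phrase dropped into a log message is also caught.
    """
    if isinstance(obj, dict):
        return {
            k: REDACTED if SENSITIVE_KEY_RE.search(str(k)) else scrub(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str) and looks_like_mnemonic(obj):
        return REDACTED
    return obj


def before_send(event: dict, hint: dict) -> dict:
    """Sentry SDK before_send hook: runs in the client, before any bytes
    are sent to the configured DSN host. Returning the scrubbed copy means
    the original event object is left untouched."""
    return scrub(event)


# Constructed sample event; the key/phrase values are placeholders, not
# real secrets. The 12-word phrase is built from non-wordlist words purely
# to exercise the heuristic.
SAMPLE_EVENT = {
    "message": "wallet import failed",
    "extra": {
        "privateKey": "0123abcd-placeholder",
        "user": {"private_key": "deadbeef-placeholder"},
        "form": {"phrase": " ".join(["apple"] * 11 + ["zebra"])},
        "note": "nothing sensitive here",
    },
    "breadcrumbs": [{"data": {"privatekey": "placeholder"}}],
}


if __name__ == "__main__":
    # Wiring in a real app (sentry_sdk not imported here so the example
    # runs offline):
    #   sentry_sdk.init(dsn="https://<key>@<your-sentry-host>/<project>",
    #                   before_send=before_send)
    print(before_send(SAMPLE_EVENT, {}))
```

The hook runs inside the application, so the secret never reaches the self-hosted or SaaS backend at all; server-side scrubbing (Sentry’s project-level data scrubber, where the same field names can be listed as additional sensitive fields) is the second layer for anything the client misses.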