Our cryptoassets are only as safe as the private keys associated with their address, which leads to a set of crypto security rules: save your seed (private keys in a word form), do not tell it to anyone, don’t connect to unknown smart contracts, don’t get phished… The ultimate advice is to buy a hardware wallet (also called a cold wallet ❄️) that will keep your private keys securely offline.
This week’s massive (and ongoing) hack of Solana wallets is a reminder of that last advice.
Since Tuesday, over $5 million worth of crypto has been drained from over 9’000 addresses that have at some point interacted with Slope wallet (even if a part of these addresses has since migrated to other wallets like Phantom or Trust). This hack was not the users’ fault, and while the Slope team has yet to come up with an explanation, the independent blockchain audit firm OtterSec confirmed that the company had logged the wallets’ unencrypted seeds to a centralized server. As is often the case with centralized storage, the seeds have been hacked/leaked, endangering the funds of all of Slope’s clients.
If the allegations are true, this would be an extreme case of wallet developers’ malpractice, or even deceit (a company presenting its wallets as non-custodial and keeping plain-text seed phrases is a very curious situation). However, it may be that we’ll never really know the details of what has happened: unlike many wallets in the web3 space, Slope’s code is not open source, which means that external parties cannot examine it. It also means that users must trust it, and trust is the very notion that the blockchain is supposed to eliminate.
It is still too early to get a clear explanation of the hack, but what is sure is that funds whose keys were stored on cold (offline) wallets were safe. This was a textbook “Why we need cold wallets” situation, and thousands of Solana users had to learn it the hard way.