Slow Mist: Analysis of Large-scale Coin Theft on Solana Public Chain

On August 3, 2022, a large-scale incident of currency theft occurred on the Solana public chain, and a large number of users were transferred SOL and SPL tokens without knowing it. The SlowMist security team tracked and analyzed this incident, from the chain Behaviors are checked one by one for off-chain applications, and new progress has been made.

The Slope wallet team invited the SlowMist security team to analyze and follow up together. After continuous follow-up and analysis, the data provided by the Solana foundation shows that nearly 60% of the stolen users use the Phantom wallet, about 30% of the addresses use the Slope wallet, and the rest use Trust Wallet, etc., and both iOS and Android versions of the application have corresponding victims, so we began to focus on analyzing the possible risk points of wallet applications.

Analysis process

When analyzing Slope Wallet (Android, Version: 2.2.2), it is found that Slope Wallet (Android, Version: 2.2.2) uses Sentry’s service, Sentry is a widely used service, and Sentry runs on o7e.slope. Under the finance domain name, sensitive data such as mnemonics and private keys will be sent to when the wallet is created.

Slow Mist: Analysis of Large-scale Coin Theft on Solana Public Chain

Continuing to analyze the Slope Wallet, we found that the Sentry service in the package with Version: >=2.2.0 will send the mnemonic to “”, while Version: 2.1.3 did not find the behavior of collecting the mnemonic.

Slope Wallet historical version download:

Slope Wallet (Android, >= Version: 2.2.0) was released on 2022.06.24 and later, so users who use Slope Wallet (Android, >= Version: 2.2.0) on 2022.06.24 and later are affected, However, according to the feedback of some victims, Slope Wallet is not known, and Slope Wallet is not used.

Slow Mist: Analysis of Large-scale Coin Theft on Solana Public Chain

Then according to the statistics of the Solana foundation, about 30% of the mnemonic of the victim’s address may be collected and sent to the of Slope Wallet by the service of Slope Wallet (Version: >=2.2.0). /api/4/envelope/ on the server.

But another 60% of the stolen users were using Phantom wallets. How did these victims get stolen?

After analyzing the wallet of Phantom (Version: 22.07.11_65), it was found that Phantom (Android, Version: 22.07.11_65) also used the Sentry service to collect user information, but no obvious behavior of collecting mnemonic words or private keys was found. . (The security risk of the historical version of Phantom Wallet is still being analyzed by the SlowMist security team)

some questions

The SlowMist security team is still collecting more information to analyze the reason why the other 60% of the stolen users were hacked. If you have any ideas, welcome to discuss together, and hope to contribute to the Solana ecosystem together. The following are some questions in the analysis process:

1. Is it a common security issue for Sentry’s service to collect user wallet mnemonics?

2. Phantom uses Sentry, will Phantom wallet be affected?

3. What is the reason for the other 60% of stolen users being hacked?

4. As Sentry is a widely used service, will the official Sentry be hacked? Which led to the targeted invasion of the virtual currency ecosystem?

Reference Information

Known attacker addresses:





Victim’s address:

Solana foundation statistics: (requires access permission)

Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-08-04 10:25
Next 2022-08-04 10:27

Related articles