Solana’s $6M Exploit Likely Tied to Slope Wallet, Developers Say

Affected wallets were all confirmed to be either created or used in Slope mobile wallet apps.

Aug 3, 2022 at 8:00 p.m. UTC
Updated May 11, 2023 at 6:52 p.m. UTC

Developers behind the Solana blockchain are saying the closed-source Slope wallet may be responsible for an ongoing exploit that has resulted in millions of dollars’ worth of crypto tokens being stolen from more than 9,000 hot wallets.

On the second day of the exploit, which has caused at least $6 million in various tokens to be stolen from users of the Slope and Slope-tied Phantom wallets, the Twitter account run by the Solana Foundation is blaming the wallets' software, not its own code, for the attack.

“This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network,” the network said in a tweet on Wednesday morning.

The stolen funds were drained from unsuspecting hot wallets, which are wallets whose keys are stored online as opposed to on a hardware device.

In a statement, Slope developers said "a cohort" of wallets was compromised, but the developers didn't confirm whether the private key storage practices may have been involved. A Slope representative told CoinDesk, "we are not storing any personal data on centralized server." (The representative would later admit that this was an incorrect statement.)

Phantom wallet developers, for their part, said they have "reason to believe the reported exploits are due to complications related to importing accounts to and from Slope."

Solana Labs CEO Anatoly Yakovenko initially tweeted that he suspected the hack could be linked to an Apple iOS supply chain issue, but has since narrowed the source to a Slope-related exploit.

A supply chain attack is when a bad actor inserts his or her own malicious code into the software of a larger system. An iOS supply chain attack, in this instance, would likely be an attacker accessing private keys by infiltrating internet-connected data.

Other developers on Twitter increasingly say they believe that Slope stored private keys as plain text on a centralized server, which was compromised by the attacker.

An on-chain sleuth would later reveal that Sentry, a third-party event logging platform connected to Slope, was doing just that.

Several users and organizations have taken to Twitter to collect information from victims of the exploit, though no sort of retribution plan has been laid out. The 9,000 drained wallets make up just a small fraction of the 25 million total Solana hot wallets in existence.

UPDATE (Aug. 3, 2022, 17:02 UTC): Adds statement from Slope.

UPDATE (Aug. 4, 2022, 00:50 UTC): Adds information about Sentry.



Eli Tan

Eli was a news reporter for CoinDesk. He holds ETH, SOL and AVAX.
