Solana’s $6M Exploit Likely Tied to Slope Wallet, Developers Say

Affected wallets were all confirmed to be either created or used in Slope mobile wallet apps.

AccessTimeIconAug 3, 2022 at 8:00 p.m. UTC
Updated May 11, 2023 at 6:52 p.m. UTC

Developers behind the Solana blockchain are saying the closed-source Slope wallet may be responsible for an ongoing exploit that has resulted in millions of dollars’ worth of crypto tokens being stolen from more than 9,000 hot wallets.

In the second day of the exploit that has caused at least $6 million in various tokens to be stolen from users of the Slope and Slope-tied Phantom wallets, the Twitter account run by the Solana Foundation is blaming the software of the wallets and not its own code for the attack.

“This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network,” the network said in a tweet on Wednesday morning.

The stolen funds were drained from unsuspecting hot wallets, which are wallets whose keys are stored online as opposed to on a hardware device.

In a statement, Slope developers said "a cohort" of wallets was compromised, but the developers didn't confirm whether the private key storage practices may have been involved. A Slope representative told CoinDesk, "we are not storing any personal data on centralized server." (The representative would later admit that this was an incorrect statement.)

Phantom wallet developers, for their part, said they have "reason to believe the reported exploits are due to complications related to importing accounts to and from Slope."

Solana Labs CEO Anatoly Yakovenko initially tweeted that he suspected the hack could be linked to an Apple iOS supply chain issue, but has since narrowed the source to a Slope-related exploit.

A supply chain attack is when a bad actor inserts his or her own malicious code into the software of a larger system. An iOS supply chain attack, in this instance, would likely be an attacker accessing private keys by infiltrating internet-connected data.

Other developers on Twitter increasingly say they believe that Slope stored private keys as plain text on a centralized server, which was compromised by the attacker.

An on-chain sleuth would later reveal that Sentry, a third-party event logging platform connected to Slope, was doing just that.

Several users and organizations have taken to Twitter to collect information from victims of the exploit, though no sort of retribution plan has been laid out. The 9,000 drained wallets make up just a small fraction of the 25 million total Solana hot wallets in existence.

UPDATE (Aug. 3, 2022, 17:02 UTC): Adds statement from Slope.

UPDATE (Aug. 4, 2022, 00:50 UTC): Adds information about Sentry.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Eli Tan

Eli was a news reporter for CoinDesk. He holds ETH, SOL and AVAX.

Read more about