Shocking Security Practices of Some Crypto Wallet

Last week’s events exposed some extraordinarily appalling security practices of trusted wallet provider(s). Sometimes, shit needs to hit the fan before it becomes evident who we can and cannot trust and how we can make better decisions in safeguarding our digital assets.

You Heard of the Recent Solana Hack, Right?

Crypto wallet security is once again the center of discussion after last week’s incident impacting wallets linked to Solana. A major attack hit the Solana ecosystem on the 2nd of August, draining more than $5 million from 8,000 wallets. Stolen assets include SOL (the native cryptocurrency of the Solana blockchain), some NFTs, and over 300 Solana-based tokens. Damn.

As Solana, along with a bunch of security experts, inspected the situation, the problem appeared to have mostly impacted mobile wallet users. Reported drained funds came from users of wallets such as Phantom, Slope, and TrustWallet. Somehow, the attacker(s) managed to take control of the 8,000 wallets, initiate transactions, then approve them on behalf of the end-users.

Further investigation cleared Solana’s name. The blockchain itself remained secure, and no bugs were found in its system. Instead, a trusted third-party service had been compromised.

Users’ Seed Phrases Are Sent to a Server… in Plaintext

Horrific. You see, most Web3 users have done their homework. They know that the seed phrase is the most critical password of all because if anyone obtains it, that person has the power to commandeer your account. This is why some people secure it Voldemort-style — splitting phrases into seven parts, writing them down in physical objects, and hiding each one in places no one can ever find.

For those who are confused, a seed phrase is a series of random words generated by your crypto wallet during setup. It’s a master password for you to access all your digital assets in that wallet.

Preliminary findings revealed that Slope Wallet is the weakest link. OtterSec, an independent security research team working on this incident, said, “Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server. These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys.”

Did OtterSec just say “plaintext” and “anybody”? Just when you thought you were the only living and breathing being on this planet who knew your private key, anybody with access to that centralized server can, on a whim, dip into your pocket. And come on… plaintext (as in readable text)? Somebody please tell me they’ve heard what encryption is.

In all seriousness, Slope Wallet logged unencrypted wallet seed phrases on its servers, which is wrong on two counts: a) a non-custodial wallet should never send the seed phrase off the device in the first place, and b) anything stored unencrypted is exponentially more vulnerable to hacks.
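To make the mitigation concrete, here is an added example (not Slope’s or Sentry’s code) of a crash-report scrubber that runs before any event leaves the device. It assumes a Sentry-style `before_send(event, hint)` hook shape and uses a word-shape heuristic in place of the full BIP39 word list; the sample event is constructed for this example.

```python
import re
from typing import Any, Tuple

# Heuristic (assumption, not the BIP39 list): a mnemonic is 12 to 24 lowercase
# words of 3-8 letters separated by single spaces. Over-redacting a crash
# report is acceptable; letting a seed phrase through is not.
_WORD = r"[a-z]{3,8}"
MNEMONIC_RE = re.compile(rf"\b{_WORD}(?: {_WORD}){{11,23}}\b")
# Field names that must never reach a telemetry server, whatever they hold.
SENSITIVE_KEYS = {"mnemonic", "seed", "seed_phrase", "seedphrase",
                  "private_key", "privatekey", "secret"}
REDACTED = "[REDACTED]"


def scrub(value: Any, key: str = "") -> Tuple[Any, int]:
    """Return a scrubbed copy of a JSON-like value and how many redactions were made."""
    if key.lower().replace("-", "_") in SENSITIVE_KEYS:
        return REDACTED, 1
    if isinstance(value, str):
        return MNEMONIC_RE.subn(REDACTED, value)
    if isinstance(value, dict):
        out, total = {}, 0
        for k, v in value.items():
            out[k], n = scrub(v, str(k))
            total += n
        return out, total
    if isinstance(value, list):
        out, total = [], 0
        for v in value:
            s, n = scrub(v)
            out.append(s)
            total += n
        return out, total
    return value, 0


def before_send(event: dict, hint: Any = None) -> dict:
    """Hook in the shape Sentry SDKs call before transmitting an event (hypothetical wiring)."""
    scrubbed, _ = scrub(event)
    return scrubbed


# Constructed sample event: a wallet that carelessly logs the restore input.
SAMPLE_EVENT = {
    "message": "wallet import failed for phrase: witch collapse practice feed "
               "shame open despair creek road again ice least",
    "extra": {"mnemonic": "constructed-secret-value", "device": "pixel-6"},
    "breadcrumbs": [{"message": "user tapped restore"},
                    {"message": "derived key from seed"}],
}
```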

There’s a reason why many choose non-custodial wallets to store digital assets. The objective is so that only you are responsible for your private key or seed phrase because it’s not stored anywhere else. Your digital assets are as secure as you decide. You don’t need to rely on an intermediary; you access your own funds any time of the day, and any time of the year. Period. That’s what it’s supposed to be.

This ridiculous oversight cost its users more than $4 million, and this magnificently disappointing incident leaves many questioning who they can trust.

At the time of writing, it is still unclear how the other affected wallets were breached. Investigators are working on it.

Don’t Settle for Less, Choose Wisely

In the wake of the attack, Solana and Slope advised users to move their funds to a hardware wallet. In principle, yes, that’s a good piece of advice. But it’s not really a convenient option, is it? For one, you have to carry around a physical object (like a thumb drive) — which can easily be misplaced, especially if you’re the forgetful type. Remember James? Yes, the man who accidentally threw out his hard drive with $175 million in Bitcoin — oof. Anyway, the bottom line is, hardware wallets are not for everyone.

For users who engage in Web3 regularly, instant access is a necessity. The system through which we engage has to be user-friendly, low cost, interoperable, and include all the pros of mobile wallets. But it also has to be immune to hacking. Before NEST®, no one had the best of both worlds.

Sounds like a Utopian dream. It isn’t. It’s here… Well, in like a month or two.