Home Blockchain Why unsuspecting data leaks are the key to rampant blockchain hacks

Why unsuspecting data leaks are the key to rampant blockchain hacks

Why unsuspecting data leaks are the key to rampant blockchain hacks

Last month, the Solana blockchain faced yet another attack in a series of recent attacks targeting blockchains. Blockchains are the ultimate record of crypto assets and recording transactions from one wallet to another on the ledger ensures that money is transferred and the transaction remains virtually anonymous.

It is an absolute gem for criminals because 1) few financial and security regulations exist in this modern world of decentralized finance (DeFi) at present; 2) the anonymity on the blockchain guarantees a very difficult investigative trajectory and almost no way to determine where the money really went.

Imagine hundreds of DB Coopers jumping from hundreds of planes every day with bags full of cash 😀

The main vectors of blockchain attacks are smart contract vulnerabilities, protocol and design flaws, cryptography-related bugs, sweepstakes scams, and more. Of these, wallet compromises and key leaks together accounted 14% of total attacks last year!


On August 3, approximately US$6 million worth of SOL, BTC, ETH, USDT and other currencies on Solana as well as Ethereum blockchains were hijacked from thousands of individual wallets and transferred to the hacker wallets and eventually were sent to various money launderers. wallets.

SlowMist was the first to report this attack and begin investigations. While a thorough investigation is still ongoing, some undeniable facts have emerged about how the attack happened. The key to the attack as well as the discovery of the attack is the Slope wallet app which boasts of being “Robinhood of DeFi”.

The steep “slope” of trust

Like thousands of other apps, Slope used a log monitoring tool called Sentry to track various events in the app. This is a common practice and not considered harmful in itself. However, note that technically anything the app produces when interacting with a human can be tracked and sent to a corresponding log tracking server.

In this case, the Slope Wallet from v2.2.0+ was stealthily collecting sensitive data such as mnemonics and private keys from the app and sending it to their own hosted Sentry server. On sentry specifically recommend users to clean sensitive data, it is objectively difficult to implement each advice.

Additionally, different applications will have different definitions and requirements for what data is considered sensitive. It’s impossible to really create a generic guideline on what to record and what not to record. However, in this case, logging mnemonics are absolutely a safe way to provide a springboard for an attacker to mount attacks on wallets.

What is a mnemonic?

A mnemonic is usually a collection of 12 words that a user can choose from when creating a new crypto wallet. In case a user cannot use the password, he can use the mnemonic to recover the wallet. It provides a more user-friendly recovery system in the absence of a centralized password storage and recovery system. It’s so crucial that some people use metal seed plates to store their mnemonics.

Although SlowMist’s investigation is not yet complete, there is no doubt that the decision to record mnemonics was dangerous. Analysis suggests that approximately 31% of known compromised victim wallets were the same ones found in Sentry logs. Therefore, the mnemonic leak could simply be a correlation or could in fact be the root cause. We won’t be surprised anyway. Here’s how someone able to access the hosted sentinel server could have accessed it:

But, we know the developers and we sympathize with them. It’s not their fault – the coding paradigm of this era is complex. Modern software is built on layers and layers of libraries and other code. Logging has gone from printing something pretty on a local console in a basement machine to monitoring billions of actions in millions of devices and machines running around the world. Accurate data is collected on all user actions and their details – sometimes as damning as critical wallet details. The data has now left the application boundaries. And it doesn’t come back.

How to fix this?

No amount of operational security and privacy policies alone can help solve this problem. The nature of modern software precludes detailed manual review of these leaks. What we need are tools that give us visibility into what is happening to data in large code bases so that privacy/security engineers or a developer themselves can identify specific points of possible leaks before that they do not occur. This left-shift approach has been used before in security – now it’s time to implement it for data and privacy.

Hunting for a mnemonic leak using Privado Open Source

While we can’t really get the source for the Slope app, we can certainly try recreating the scenario with a sample app. Let’s take this simple bitcoin wallet app I modified and add Sentry logging to an imaginary endpoint:

Here we can see that the user’s mnemonic might “accidentally” leak to the Sentry service it is running. Imagine that, but deep within the layers of your application. So every time a user would create a new wallet and get a 12 word mnemonic (which is basically a key to retrieve the wallet) there is a risk that it will be logged in their central logging infra.

One way to find this type of leak now is to use the open source tool Privado. A developer can run a privacy scan and start exploring the data they discover and visually see if something like a mnemonic is passed to a third-party logging service, as shown below:

To try it yourself on this sample BitcoinWallet app or to find data leaks in your own Java apps, go to Repo Privado OSS and try it. In addition to out-of-the-box discovery, there are hundreds of custom sources and sinks that can be defined as rules in Privado. If you come across interesting data sources and data sinks that you would like to add, please feel free to contribute to the project and submit pull requests.

In this example, to track a wallet mnemonic, I simply had to add the above rule in a rules YAML file and data tracking worked all the way to the Sentry well!

Now is the time to bring a privacy engineering tool to every developer and data security analyst so that we can collectively ensure that private app data stays private from day one of development.

Band Created with Sketch.


Please enter your comment!
Please enter your name here