Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 101 · Private Key Compromise

Slope Wallet Seed Phrase Leak

~9,231 Solana wallets lost $4.1M after Slope Wallet's app logged users' seed phrases in plain text to a Sentry server, traced back via on-chain forensics.

Starting at 22:37 UTC on August 2, 2022, attackers drained approximately 9,231 Solana wallets of roughly $4.1 million in SOL and SPL tokens over a four-hour window. The dollar value was small by 2022 standards; the cause turned out to be one of the most embarrassing custody failures in crypto.

What happened

Solana wallet users on Phantom, Solflare and Slope all reported simultaneous drains. The mainnet had not been compromised. None of the wallet codebases contained an obvious shared bug.

The link, traced by on-chain investigators within hours, was that a significant majority of the affected wallets had been generated by, or at some point imported into, Slope Wallet — a mobile wallet provider.

The bug was extraordinary: the Slope mobile app used Sentry as its event-logging service, and logged user seed phrases as part of normal event telemetry — sending them, in plain text, to Sentry's centralised database. Sentry's storage was access-controlled but not encrypted at the field level; anyone with access to the relevant Sentry server could read every Slope user's seed phrase, on demand.

The attacker presumably obtained that access — whether by breaching Sentry, compromising a Slope engineer, or stealing the right API credentials — and used the seed phrases to drain wallets directly.

Aftermath

  • Slope Wallet issued an emergency advisory urging all users to migrate to fresh seed phrases generated outside Slope's app.
  • Users on Phantom and Solflare were affected if they had imported a Slope-generated seed into those wallets — the leak was at the seed, not at the wallet that displayed it.
  • Approximately 1,400 of the 9,231 drained wallets were found in the Sentry logs directly; the discrepancy was never fully explained.
  • Funds were laundered through cross-chain bridges into Tornado Cash.

Why it matters

Slope Wallet is the case study for application telemetry that ignores its blast radius. Logging payloads can drift from "diagnostic metadata" to "literal user secrets" through perfectly normal-looking refactors — and the moment they do, every system that touches the logs becomes part of the wallet's trust boundary. The standard mitigations — explicit field-level allowlists for telemetry, redaction at the SDK level, cryptographic separation of secrets from application data — were all reiterated industry-wide in the weeks after.
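The first two mitigations named above, sketched as an added example (not code from Slope, Sentry, or the original page): a telemetry filter shaped like the `before_send(event, hint)` hook of Sentry's Python SDK, combining a field-level allowlist with a backstop that redacts mnemonic-shaped strings. The allowlisted field names, the `dropped_keys` field and the sample event are assumptions made for illustration.

```python
import re

# Hypothetical allowlist: the only "extra" keys this app may send to telemetry.
ALLOWED_EXTRA = {"screen", "app_version", "network", "error_code"}

# Backstop: 12-24 lowercase words of 3-8 letters, the shape of a BIP-39 English
# mnemonic. A shape heuristic, not a wordlist check; it fails closed, so long
# unpunctuated lowercase prose is redacted too.
MNEMONIC_RE = re.compile(r"\b(?:[a-z]{3,8}\s+){11,23}[a-z]{3,8}\b")
REDACTED = "[redacted: mnemonic-shaped]"

def scrub(value):
    """Recursively redact mnemonic-shaped runs in strings, dicts and lists."""
    if isinstance(value, str):
        return MNEMONIC_RE.sub(REDACTED, value)
    if isinstance(value, dict):
        return {k: scrub(v) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    return value

def before_send(event, hint=None):
    """Keep only allowlisted 'extra' keys, then scrub every remaining string."""
    event = dict(event)  # shallow copy so the caller's event is not mutated
    extra = event.get("extra", {})
    kept = {k: v for k, v in extra.items() if k in ALLOWED_EXTRA}
    # Record the names (never the values) of dropped keys, so a refactor that
    # starts attaching new fields shows up in telemetry review.
    kept["dropped_keys"] = sorted(set(extra) - ALLOWED_EXTRA)
    event["extra"] = kept
    return scrub(event)

# Constructed sample event; the phrase is the public BIP-39 test vector.
PHRASE = " ".join(["abandon"] * 11 + ["about"])
SAMPLE = {
    "message": "wallet import failed for input: " + PHRASE,
    "extra": {"screen": "import_wallet", "mnemonic": PHRASE,
              "debug_blob": {"raw": PHRASE}, "error_code": 17},
}

if __name__ == "__main__":
    print(before_send(SAMPLE))
```

The allowlist removes fields nobody approved, while the pattern scrub catches a phrase that reaches an approved field or the free-text message, which an allowlist alone would pass through.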

Sources & on-chain evidence

  1. [01] solana.com: https://solana.com/news/8-2-2022-application-wallet-incident
  2. [02] theblock.co: https://www.theblock.co/post/161425/slope-wallet-provider-saved-user-seed-phrases-in-plain-text-solana-security-researchers-find
  3. [03] blog.sentry.io: https://blog.sentry.io/slope-wallet-solana-hack/
