Slow Mist: Follow-up analysis of the large-scale coin theft incident on the Solana public chain

avatar
慢雾科技
2 years ago
This article is approximately 2277 words,and reading the entire article takes about 3 minutes
This article only synchronizes phased investigations with community users.

background overview

On August 3, 2022, a large-scale coin theft incident occurred on the Solana public chain, and a large number of users were transferred SOL and SPL tokens without their knowledge. The SlowMist security team immediately intervened in the analysis, and analyzed the Slope wallet application at the invitation of the Slope team. The analysis showed that: the version of the Slope wallet released on or after June 24, 2022 sent private messages to the third-party application monitoring service. Phenomenon of key or mnemonic information.

However, from the investigation of the Slope wallet application to the present, it is impossible to clearly prove that the root cause of the incident is the problem of the Slope wallet, so the SlowMist security team began to analyze and collect evidence from the Slope server.

Analysis process

After the incident, all parties focused on investigating the root cause of the incident and the possibility of tracking and saving funds. So the SlowMist security team formulated relevant plans and began to investigate and analyze from the off-chain and on-chain parts.

In the direction of incident root investigation, the SlowMist security team focused on the analysis and forensics of the Slope server. There is a lot of complicated work that needs to be advanced, and more clear evidence is needed to explain the root cause of this large-scale theft.

For the possibility of fund tracking and rescue, the SlowMist security team mainly relies on the tracking and analysis capabilities of MistTrack (https://misttrack.io/), the ability to label data and combine intelligence capabilities to try their best to identify and track hackers. Behavior on the chain. And also communicated with the Slope team about the possibility of rescue. The Slope team is also trying to communicate with hackers, hoping to encourage hackers to return assets by issuing bug bounties, and jointly maintain the healthy development of the Solana ecosystem.

This article only synchronizes phased investigations with community users, and there is still a lot of analysis work in progress, and it is constantly advancing. Not only SlowMist, but also other third-party security teams, and some special forces are also working hard to help with the investigation, hoping that this incident will eventually come to a relatively clear conclusion.

Note: The Sentry service mentioned in this article refers to the Sentry service deployed privately by the Slope team, instead of using the official interface and service provided by Sentry.

some doubts

Before synchronizing the analysis, lets answer some questions in the analysis process of the previous article:

1. Is Sentry’s service collecting mnemonic phrases from users’ wallets a common security issue?

Answer: Sentry is mainly used to collect abnormal or error log information that occurs when related application services are running. In the case of incorrect configuration, unexpected data may be collected, such as private keys or mnemonic words. So not a universal security issue. Developers must remember not to enable Debug mode in the production environment when using third-party application monitoring services.

2. Phantom uses Sentry, so will the Phantom wallet be affected?

Answer: Although Phantom uses a third-party application monitoring service, the SlowMist security team has not found any obvious behavior of uploading private keys/mnemonic words by Sentry through monitoring the historical versions of the Phantom wallet.

3. According to the research data provided by Solana Foundation, nearly 60% of the stolen users used Phantom wallets, about 30% of the addresses used Slope wallets, and the remaining users used Trust Wallet, etc. What is the reason for these 60% stolen users to be hacked? Woolen cloth?

Answer: After comparison, it is found that the addresses (including HD addresses) derived from the private key and mnemonic words on the server intersect with the victims address. There are 5 ETH addresses and 1388 Solana addresses. According to the current investigation, there is no clear evidence to explain why some other users wallets were hacked.

4. As Sentry is a very widely used service, could it be that the official Sentry has been hacked? This has led to targeted attacks on the cryptocurrency ecosystem?

Answer: At present, there is no evidence that the official Sentry has been invaded and attacked. The Sentry used by the Slope wallet is an internally built service, so it has no direct relationship with the official service being invaded.

Off-chain analysis section

The off-chain SlowMist security team mainly focuses on checking the possibility of intrusion on off-chain servers and related backends. The focus of the work is to check the risk of peripheral server assets on the Slope server, check the intrusion traces of the server, and analyze the Sentry (PostgreSQL) database. Server mirroring analysis, DNS hijacking possibility analysis. The investigation and analysis are as follows:

1. Peripheral server asset risk investigation

After the Slope team knew that the Slope wallet returned the mnemonic phrase and private key information, it immediately shut down the services related to the Slope wallet. Therefore, the services related to the Slope wallet can no longer be directly accessed. The SlowMist security team relies on Internet search engines and other tools to collect information on Slope’s peripheral server assets, including the subdomain names and IPs under the slope.finance domain name for simulated penetration test analysis and investigation. From the possible intrusion risk points on the periphery, no risk points that can be directly invaded have been found through analysis and penetration testing.

2. Check the intrusion traces of the server

It mainly conducts internal investigations on third-party application monitoring servers, including server login logs, system historical operation commands, suspicious processes, suspicious network connections, suspicious system scheduled tasks, data deletion and acquisition operations, etc. There are also 5 Docker services inside the server. The same intrusion trace investigation. The investigation found several suspicious login IPs: 113.*.*.*, 114.*.*.*, 153.*.*.*, these IPs had accessed the background of the third-party application monitoring service before 06.24. Although this happened before the time (06.24) when the private key and seed phrase were returned, it is still suspicious.

3. PostgreSQL database analysis

Since the mnemonic and private key are returned to the server by the third-party application monitoring service of Slope Wallet, the SlowMist security team also analyzed the possible locations of the private key or mnemonic in the server, and found that the private key or Mnemonic words are likely to be stored in the following positions:

  • In Sentrys database table

  • In the database log of PostgreSQL

  • Among the deleted data of the mirror disk

  • In the data file of the Docker runtime

During the analysis, it was found that the third-party application monitoring service used the PostgreSQL database, and the data field of the nodestore_node table contained the private key and mnemonic data collected by the third-party application monitoring service. The following information was obtained after analysis and investigation:

  • The data content of the private key and mnemonic phrase is recorded in the database of the nodestore_node table from 2022.7.28 to 2022.8.5.

  • Through decrypting and analyzing the data, the SlowMist security team found that the earliest data recorded in the private key or mnemonic data was the data uploaded on June 29, 2022, which means that the data collected by Sentry on June 29 was delayed by one month It was only stored in the nodestore_node table of the PostgreSQL database on 2022.7.28, but this part of the delayed data accounted for less, and most of the private key and mnemonic collection time was concentrated on 2022.07.28 - 2022.08.05.

  • After further investigation of the database operation log, it was found that before 7.28, there was a record of SQL statement execution failure in the nodestore_node table. The reason was a key-value conflict. After in-depth investigation and communication, it was found that the data was not written due to an error in the Kafka service.

  • Since part of the data cannot be recovered temporarily during log recording and data recovery, the data needs to be further repaired, so the data that can be fully recovered is prioritized for decryption. The number of decrypted addresses is 189 ETH addresses and 4914 Solana Address, there are 5073 sets of mnemonic words, and the wallet address of the hacking incident on the chain has 42 ETH addresses and 9231 Solana addresses. After comparison, it is found that the private key on the server and the mnemonic words are derived from the address (including HD address) The addresses intersecting with victims are 5 ETH addresses and 1388 Solana addresses. (This does not contain a small number of data that needs to be repaired before decryption)

  • In the database operation log, it was also found that com.slope.game, another internal test application, also had private key and mnemonic report data in March, but this internal test application has not been released to the public.

4. Server image analysis

The SlowMist security team analyzed the image of Sentrys cloud server and recovered the deleted data on the server disk, and found private key and mnemonic information in the recovered data.

5. Possibility Analysis of DNS Hijacking

The SlowMist security team has used the capabilities of all parties and global intelligence resources, including the query and analysis of DNS resolution data. At present, there is no clear evidence to prove that the domain name o7e.slope.finance has ever had a DNS hijacking incident.

Staged conclusions of off-chain investigation and analysis:

As far as the current investigation and analysis are concerned, no risk points where peripheral servers can be directly invaded have been found; no traces of server intrusion have been found, but suspicious IPs (113.*.*.*,114.*.*.* ,153.*.*.*) Still need to continue the investigation; DNS hijacking is less likely; private key and mnemonic information have been found in database tables, database log files, and recovered data from disk deleted files.

On-chain analysis section

The part on the chain mainly focuses on risk fund assessment, stolen fund transfer and hacker trace analysis, focusing on the following points:

1. Venture capital assessment

According to the stolen funds of the Solana chain, ETH chain, and BSC chain, the SlowMist security team divides the risk funds into the following two categories:

  • Risky Funds: Funds where the hacker has address authority.

  • Suspected Risk Funds: Funds where hackers may have address authority.

  • Venture capital assessment based on the following list of addresses (mainly Solana chain, ETH chain):

  • Stolen address mnemonic maps to addresses of other chains

  • The address derived from the stolen address mnemonic through the derivation path

Exclude the list of venture capital addresses, and conduct suspected venture capital assessments based on the following address lists (mainly Solana chain, ETH chain):

  • The address where the mnemonic/private key record exists on the Slope server

  • The mnemonic phrase existing on the Slope server is mapped to the address of other chains

  • The address derived from the mnemonic phrase existing on the Slope server through the derivation path

No large amounts of funds that could be transferred at risk and funds that may be at risk were found.

2. Stolen funds statistics

In order to avoid the impact of some junk coins on stolen funds, we only count the stolen funds of mainstream currencies in the statistical process:

  • Solana chains: SOL, USDC, USDT, BTC, and ETH.

  • ETH chains: ETH, USDT, USDC, and PAXG.

The value of the stolen currency is the price on the day of the theft (00:00 AM on August 3, UTC time).

  • 1 SOL = $38.54

  • 1 BTC = $22,846.51

  • 1ETH = $1,618.87

  • 1 PAXG = $1,759.64

  • 1 BNB = $298.36

Slow Mist: Follow-up analysis of the large-scale coin theft incident on the Solana public chain

Analyze the addresses (including HD addresses) derived from the decrypted private key and mnemonic on the Slope server and the victim addresses on the chain, and the intersection addresses include 5 ETH addresses and 1388 Solana addresses. The statistics of the stolen funds for these overlapping addresses are as follows. The stolen funds account for 31.42% of the total stolen funds.

Slow Mist: Follow-up analysis of the large-scale coin theft incident on the Solana public chain

3. Fund transfer analysis

Solana chain:

The funds have not been further transferred as of the time of publication.

ETH chain:

  • 21,801 USDT was transferred to the personal wallet address (according to the behavior characteristics on the chain and MistTracks labeling ability, this address is suspected of being an OTC transaction address). The SlowMist security team is communicating and cooperating with all parties to trace the identity of the hacker.

  • Most of the remaining funds are converted to ETH and transferred to Tornado.Cash.

Slow Mist: Follow-up analysis of the large-scale coin theft incident on the Solana public chain

Slow Mist: Follow-up analysis of the large-scale coin theft incident on the Solana public chain

BSC chain:

The funds have not been further transferred as of the time of publication.

4. Timeline analysis on the hacker chain

According to the behavior of hackers on the chain, the timeline is sorted out as follows:

Slow Mist: Follow-up analysis of the large-scale coin theft incident on the Solana public chain

5. Hacker trace analysis

The list of hacker addresses is as follows:

Slow Mist: Follow-up analysis of the large-scale coin theft incident on the Solana public chain

The list of suspected hacker addresses is as follows:

Slow Mist: Follow-up analysis of the large-scale coin theft incident on the Solana public chain

first transfer in

The first transfer transactions on the chain of Solana chain hacker wallets 1, 2, 3, and 4 are all transfers of 0.1 SOL from Solana chain suspected hacker wallets. According to the analysis of traces on the chain, it is estimated that the suspected hacker wallet on the Solana chain may be the hackers address, and it is more likely to be the victims address.

Hackers use tools in the money laundering process

  • TransitSwap

  • Uniswap

  • MetaMask Swap

How hackers launder money

  • Transfer to suspected OTC personal wallet address (mentioned above).

  • Transfer to Tornado.Cash.

Correlation between hacker address and exchange/platform

directly related to:

  • TRON chain, hackers deposit USDT to Binance on August 5

Deposit address: TE4bkS2PYqWxijgh5eqEz9A5jLn7HcS6fn

Deposit transaction: b6615bf10b2e619edc9315a08f89732664adc9d385c980f77caa6e82872fe376

  • TRON chain, hackers withdraw TRX from Binance on August 5

Withdrawal transaction: 0e012643a7db1b8c5d1f27447b16e313d4b3f89efaa22b3661188fe399cd2d0e

  • ETH chain, hackers withdraw ETH from Binance on August 5

Withdrawal transaction: 0xd035e009173e968d8f72de783f02655009d6f85ef906121e5b99b496a10283dd

  • ETH chain, hackers withdraw USDC from Binance on August 8

Withdrawal transaction: 0xff60f24f8ebd874a1e5da8eae44583af554af9a109a9bd7420da048f12c83cdc

  • ETH chain, hackers withdraw USDC from Binance on August 10

Withdrawal transaction: 0xc861c40c0e53f7e28a6f78ec9584bfb7722cec51843ddf714b9c10fc0f311806

  • TRON chain, hackers withdraw USDT from Binance on August 10

Withdrawal transaction: 10c4186e4d95fb2e4a1a31a18f750a39c0f803d7f5768108d6f219d3c2a02d26

Indirect connection:

  • Solana chain suspected hacker wallet withdraws SOL from Binance on January 8

Withdrawal transaction: 668jpJec7hiiuzGDzj4VQKSsMWpSnbzt7BLMGWQmrGvHVQQbNGc3i1g8dCj2F5EAxFT8oDG5xWPAeQUMEMBTjhZs

  • The Solana chain is suspected to have traces of hacker wallets interacting with the Solrazr IDO program

Transaction: 2LxLhL7oAiTyHGrAXCZEJyazQQLM7veaKvqUZL6iPkonL4wPLHcwV66MFX3ERyWvJtdd2wFdKfgKUuT1oAv2XepK

  • image description

Slow Mist: Follow-up analysis of the large-scale coin theft incident on the Solana public chain

Intelligence association of suspected OTC personal wallet addresses

According to the relevant information obtained by SlowMist, the suspected OTC personal wallet address (TGBrAiVArhs5Cqp2CGMYUpSmkseznv1Ng7) is related to multiple cases of money laundering in China, including phone fraud, USDT theft and TRC20 theft.

Attachment - Analysis data source on the chainHacking Solana chain transaction record summary tableOriginal link

Original link

Original article, author:慢雾科技。Reprint/Content Collaboration/For Reporting, Please Contact report@odaily.email;Illegal reprinting must be punished by law.

ODAILY reminds readers to establish correct monetary and investment concepts, rationally view blockchain, and effectively improve risk awareness; We can actively report and report any illegal or criminal clues discovered to relevant departments.

Recommended Reading
Editor’s Picks