Security Team: The sentry service of Slope Wallet (Android, Version: 2.2.2) has a private key leak

[Security Team: Slope Wallet (Android, Version: 2.2.2) sentry service has a private key leak] On August 4th, SlowMist released an analysis of the Solana attack incident. According to the data provided by the Solana Foundation, the stolen users About 60% use Phantom, about 30% use Slope, and the rest use Trust Wallet, Coin98 Wallet, etc. IOS and Android are not spared.

When analyzing Slope Wallet (Android, Version: 2.2.2), it is found that it uses the service of sentry. Sentry is a widely used service that runs on "o7e.slope[.]finance". Sentry's service collects sensitive data such as mnemonic words and private keys from the Slope wallet, and sends them to https://o7e.slope[.]finance/api/4/envelope/ when creating the wallet, and finds the Version: The sentry service in the >=2.2.0 package will collect mnemonic words and send them to “o7e.slope[.]finance”, while Version:2.1.3 does not find any obvious behavior of collecting mnemonic words or private keys. Slope Wallet(Android, >= Version: 2.2.0) was released after 06/24/2022, so Slope users after that date are affected.

For the other 60% of users who use Phantom Wallet, after analyzing the Phantom (version: 22.07.11_65) wallet, it is found that Phantom (Android, version: 22.07.11_65) also uses the sentry service to collect user information, but no obvious collection aids have been found so far. The act of memorizing words or private keys.

Other news:

Security team: The private key of the paraswap deployer is suspected to have been leaked, and the funds were stolen on multiple chains: October 11 news, according to the monitoring of the Supremacy security team, on October 11, 2022, the address of the paraswap deployer was in multiple chains (ETH, BSC, FTM) initiated abnormal transactions, and transferred all balances in their addresses to 0xf35875a064cdbc29d7174f5c699f1ebeaa407036 address. After analysis, the address is the address of the Profanity vulnerability exploiter, and its historical records have traces of stealing the assets of multiple high-profile addresses. After investigation, only the assets of the paraswap deployer's address have been stolen, which does not affect the paraswap multi-signature vault (signature threshold is 2), but it does not rule out that other multi-signature addresses are also generated by Profanity, so the multi-signature vault may also be at risk. At present, the Supremacy team has contacted the paraswap official to convey the information, and once again appeals to everyone to replace the address generated by Profanity in time, and the attack on the Profanity address is still ongoing. [2022/10/11 10:30:53]

Security Team: Zebra's official Discord was hacked: Golden Finance News, according to CertiK Alert data monitoring, Zebra's official Discord was hacked, warning users not to click links, mint or approve any transactions. [2022/9/4 13:07:42]

Poly Network attackers: It is rare to see professional security teams report key vulnerabilities of contracts that have already been launched: Poly Network attackers leave information on the chain again, the main contents are as follows:

1. The FBI made no attempt to contact me. I'm glad they and other security teams might benefit from this "game". Even the attack itself was "a treat" for the researchers.

2. For me, it is interesting to watch the emergency response of top security teams (only in the blockchain industry of course).

NOTE: The following timelines may be wrong:

3. In the beginning, most experts were talking about a single Keeper of an insider conspiracy. From what I've seen, @kelvinfichter was the first to point out the most critical yet most obvious error in the ETH contract. The SlowMist team announced good news about the funding trail. But don't they think it's too obvious? Regardless, they calmed the community down. This is an unintended side effect, but very important. Later, they appeared to be busy dealing with inquiries from the media and the community. I'm glad they're helping me with the mentoring or education part. It's as if the Dark Knight found his Harvey Dent (DC villain Two-Face)! Thank you SlowMist team. Other security teams appeared to be less active-ethexc than SlowMist, but they contributed to explaining more details about the attack. I think Certik was the first team to post about missing ontology calls. Piedun also mentioned launch deals and special signatories. Strong!

4. Security is hard work, both in the traditional world and in the encrypted world. In most cases, security experts are only called afterward as forensics, writing "post-mortem reports" and sometimes tracking down the perpetrators. There are also some projects that are not very eager to get their money back because it is not their money, and they will tell the real victim: "Sorry, we tried, but we can't guarantee extreme security".

Another interesting fact is that it is rare to see any professional security team reporting critical vulnerabilities of live contracts. Of course, they can always tell you the cause of death "after death" of these items. Why don't you see cases where security teams find multi-million dollar or even billion-dollar vulnerabilities? For not paying? I think most security teams are richer than I am, and some may be more capable than I am, would you believe they have never faced similar temptations? Or did some of them succumb to evil? This is reminiscent of the movie "Network Mystery". This is just my conspiracy theory, which is why I don't trust anyone, but you can always trust me. [2021/8/14 1:54:59]