Now we know: The hack that drained thousands of user wallets (more than 8,000 at the time of writing) on cryptocurrency platform Solana wasn’t a result of some sort of wide-ranging system failure. It was very likely due to egregiously bad security practices by cryptocurrency wallet provider Slope.
According to security company Otter, the hack was due to Slope sending users’ seed phrases in plaintext to a centralized server. A seed phrase is the equivalent of a crypto private key; it’s a string of words that “unlocks” the funds in a crypto wallet, allowing whoever holds the phrase to do with them whatever they please. “Plaintext” means that these phrases were sent over the internet unencrypted, making them an easy target for hackers.
In short: Slope did something that no company should ever, ever do, and it cost its users more than $4 million. (For the record, Slope said in an official statement that “nothing is yet firm” regarding the hack, but several other experts agree with Otter.)
The number isn’t massive in the world of cryptocurrencies, where multi-million hacks are commonplace. But the hack was the stuff of nightmares for crypto users, as people’s funds just started randomly disappearing from their wallets, and it took nearly a day for security experts to catch up and figure out what had happened.
So what can you do to make sure such events don’t affect you in the future? No strategy is foolproof, but here’s some advice.
1. Software cryptocurrency wallets can be ridiculously bad when it comes to security
One would think that a company specializing in crypto wallets wouldn’t even send emoji unencrypted, but one would be wrong. Slope appears to have committed one of the worst offenses possible by sending users’ seed phrases unencrypted over the internet.
The lesson to learn here is this: Even when a company is saying security is a priority; even when it’s operating in a space where security is extremely important; even when they pinky swear your funds are safe, you must still remain vigilant.
2. All the cryptography in the world doesn’t help when there’s a weak link
When you set up a crypto wallet, you’ll typically get messages saying you should keep your seed phrase and private key safe and not show them to anyone. You may also see notices that there’s advanced cryptography at work here, and if you lose both your seed phrase and access to your private key, you’ll never be able to get your funds back.
While that may be true in some cases, if the wallet itself mishandles your seed phrase, the most advanced cryptographic safeguards will be of little use.
3. Use a hardware wallet if possible
A hardware cryptocurrency wallet is a device, often similar to a USB stick, that lets you keep, spend and receive crypto coins. It typically offers more security than a software wallet, though it’s a little more complicated to use.
When the Slope attack started hitting user wallets, both Solana and Slope advised users to transfer their funds to a hardware wallet. That’s good advice in principle, but most users don’t have a hardware wallet handy, and ordering one online and receiving it typically takes a few days.
So one thing you can do, especially if you’re handling meaningful amounts of crypto, is to order a hardware wallet before disaster hits. Companies like Trezor and Ledger offer them. Do bear in mind, though, that even hardware wallets can have security holes, and the companies that make them can have bad security practices. For example, Ledger had a horrible data leak in which hackers got hold of its users’ names, home addresses and other data. On the other hand, Trezor, which has a good security record, does not support Solana as of this writing.
4. Sometimes, a centralized exchange can save you
In crypto, there’s a saying: Not your keys, not your coins. It means that if you keep your coins with a third party, such as a centralized crypto exchange, you don’t really control what happens to them.
But in the case of yesterday’s Slope hack, the best thing you could do to protect your coins (if you didn’t have access to a hardware wallet) was to send them to an exchange such as FTX or Binance, as it was unlikely that these exchanges were also affected by the same issue. As a quick safety measure, it was a decent option; you could always move your coins elsewhere after the dust settled.