CloudSecurityAlliance / gsd-database

Global Security Database
https://gsd.id
Creative Commons Zero v1.0 Universal

[GSD-2022-1004952] GSD Request #2379

Closed GSD-automation closed 2 years ago

GSD-automation commented 2 years ago
--- GSD JSON ---
{
  "vendor_name": "Slope",
  "product_name": "Wallet",
  "product_version": "Current version and possibly previous versions",
  "vulnerability_type": "Logging of sensitive information",
  "affected_component": "Wallet",
  "attack_vector": "Access to logging data and server",
  "impact": "Disclosure of seed phrases used to generate cryptographic keys",
  "credit": "",
  "references": [
    "https://twitter.com/slope_finance/status/1554937187283656707",
    "https://slope-finance.medium.com/slopes-official-statement-regarding-the-breach-b964e70af0d6",
    "https://www.coindesk.com/business/2022/08/03/solanas-latest-6m-exploit-likely-tied-to-slope-wallet-devs-say/",
    "https://www.theverge.com/2022/8/4/23291180/solana-cryptocurrency-slope-phantom-wallet-theft-supply-chain-attack",
    "https://twitter.com/0xfoobar/status/1554881291451088896",
    "https://twitter.com/Blokchainaholic/status/1555010999383883777",
    "https://twitter.com/MiamiVice_sol/status/1554957292734271488"
  ],
  "reporter": "kurtseifried",
  "reporter_id": 582211,
  "notes": "",
  "description": "In Slope Wallet (the current version and possibly previous versions), logging of sensitive information (including seed phrases) exists in the wallet software. This can be attacked via access to the logging data (which is reportedly sent in clear text across the Internet) and the logging server, resulting in the disclosure of information including seed phrases used to generate cryptographic keys, allowing attackers to access private wallets and steal funds (roughly 8000 wallets have reportedly been drained at this time). Users of Slope Wallet should immediately and securely generate new wallet addresses in a different wallet software and transfer their funds to the new addresses."
}
--- GSD JSON ---

/cc @kurtseifried

GSD-automation commented 2 years ago

This issue has been assigned GSD-2022-1004952