Update and Security Notes on Slope Hack For Jet Users

Non-Custodial Wallet Vulnerabilities

You can take every preventative action under the sun while setting up your wallet from a secure OPSEC point of view, but if someone gets the private keys or seed phrase to your wallet, you basically can consider all of your funds lost. Resiliency against these types of incidents tends to manifest through one’s ability to learn from experience and move forward.

That all being said - the sad truth is that if an attacker gets your private keys, not only are the funds sitting in your wallet probably going to be drained, but also any staked funds or funds locked up in protocols will be at risk for the same fate. In the case of Jet Protocol - the protocol is entirely non-custodial and users are in control of their own assets as they interact with Jet. This is also the case with JetGovern, the governance and staking app, which enables JET token holders to directly participate by voting on JetDAO governance proposals.

Possible Impacts to Jet Protocol Users

With Jet Protocol’s borrowing and lending functionality on V2 Beta - users can instantly deposit or withdraw based on available liquidity on the platform - so if the hacker has access to your private keys or seed phrase, they can remove any funds you have deposited into Jet that are available to withdraw at that time.

With JetGovern - JET token funds are locked in a staking module which gives the user the ability to participate in governance through voting and also receive staking rewards, but prohibits the transfer of tokens to external addresses except through un-staking, during which time a user cannot vote.

Even with tokens locked in the JetGovern module, a hacker who has control of a compromised wallet is able to un-stake funds. Once the un-bonding period is complete, a hacker is able to fully remove them.

Actions Jet Protocol Users Should Take

If you suspect your wallet may be compromised based on the recent Slope wallet exploit (or for any other reason), you should regularly check your staked/locked funds on Jet Protocol, and all other protocols you use, to monitor if unauthorized activity has begun to move funds from your wallet.

If you see your funds un-staked on JetGovern you should immediately cancel the un-staking process from the JetGovern dashboard.

Here are some tips to follow when taking holistic wallet security into account:

  • Hardware wallets are always considered more secure than browser wallets or mobile wallets - plus you can use hardware wallets like Ledger to sign transactions on browser wallets, which enables you to have a full-fledged browser experience with hardware wallet security.
  • If you’re going to use browser wallets or mobile wallets with seed phrases associated with the private keys, you need to make sure you take the utmost care in recording, storing, securing and making redundant those seed phrases. If you lose access to your seed phrase, your funds are lost forever - period. This is why you should limit any assets you hold on a browser or mobile wallet that you’re not absolutely comfortable losing.

At the time of writing, there are no active or verified reports from Jet Protocol users that their wallets have been compromised, and therefore their positions on Jet V2 Beta or JetGovern staked assets are not at risk. If you have any evidence to the contrary from your own experience, please feel free to reply directly to this thread below.