Solana Anti-Phishing Guide: How to Identify and Prevent Risks?

This article summarizes common Solana phishing attack techniques to help users effectively avoid related phishing incidents and reduce asset losses.

Written by: Go+ Security

Solana's market capitalization has surged recently, at one point overtaking BNB and entering the global top three. The resulting wealth effect has drawn in a large number of active users, and with them a large number of Wallet Drainer (wallet-phishing) gangs that have migrated from EVM chains to Solana. Phishing websites and airdrop scams targeting Solana are now being deployed at scale and have caused heavy losses for many users. The GoPlus security team recently analyzed a number of Solana phishing incidents and found that the fraud gangs exploit the still-immature security infrastructure of some Solana wallets to rapidly evolve their airdrop deceptions and to carry out social account theft. GoPlus has summarized the following common Solana phishing attack techniques to help users recognize and avoid such incidents and reduce asset losses.

Attack type

In several recent phishing incidents, GoPlus found that most phishing gangs rely on lures such as "claim your airdrop", fake project websites, free draws, and entry through airdropped NFTs. These lures are essentially the same as the common EVM ones, and the way users are guided into the trap is almost identical. The main difference lies in how the "token or authorization transfer" is carried out, because scammers exploit the mechanisms in which Solana differs from the EVM. Below are the different attack variants we have observed.

Inducing transfer of the native token $SOL

This is the simplest type of attack. Once the user connects a wallet, the fraud team's front end computes the wallet's current $SOL balance and uses SystemProgram.transfer to move it out directly in a single step. Take one phishing website as an example: it displays a Swap interface, so users assume they are buying a certain token at a low price.

But what is actually executed is a plain transfer of $SOL.

Inducing transfer of multiple tokens

Besides the native token $SOL, scammers can also take every token asset the wallet currently holds within the same signed transaction. Each Solana transaction can consist of multiple instructions, and each instruction carries out its own piece of logic, such as a transfer, a program interaction, or account creation. This means a phishing gang is fully able to pack multiple operations into one transaction. If the user holds three different tokens, the phishing site's code only needs to insert a transfer instruction for each of the three tokens into the same transaction. There is no need to defraud each asset separately; this feature allows a one-time wallet robbery. As with the first lure, the attackers use various tricks to get users to click a button that submits the transaction. This type of transaction transfers all assets at once: not only native $SOL but also NFT-type assets and token-type assets. Here the fraud team mainly uses createTransferCheckedInstruction from the Solana SPL Token program to build the transfer instructions for non-native assets.

Figure: Phantom transaction simulation

Figure: Backpack transaction simulation

Inducing token account ownership transfer

Besides direct token transfers, GoPlus also found phishing sites that use createSetAuthorityInstruction to pack instructions into a transaction. In essence, this operation transfers ownership of the tokens held by an account. Solana's account model differs from the EVM: for each token, a wallet address has a dedicated Token Account. The Token Account has an owner (the current wallet) and records the balance and related information for that token. createSetAuthorityInstruction can directly hand ownership of the Token Account to another account, which in practice is equivalent to transferring all of the tokens in it to that account. We tested this operation on Phantom and Backpack; fortunately, both wallets displayed a special warning.

Even if the user clicks "Ignore and proceed anyway", transaction simulation still shows the resulting balance change.
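The three instruction types above can all be recognized from the raw bytes of the instructions a site asks you to sign. The following is an added example, not GoPlus code: a pre-signing triage that decodes a compiled message and flags a near-total $SOL transfer, several token transfers packed into one transaction, a SetAuthority that hands over a token account's owner, and a delegate approval. The message shape (accountKeys plus instructions carrying programIdIndex, accountIndexes and data bytes) is a constructed stand-in for a compiled message; the program IDs and the byte layouts follow the System Program and SPL Token Program instruction encodings, and the 90% drain threshold is an assumption.

```javascript
// Added example (not GoPlus code): triage asset-affecting instructions before signing.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";

// Little-endian readers over plain byte arrays (no external dependencies).
function u32le(b, o) {
  return (b[o] | (b[o + 1] << 8) | (b[o + 2] << 16) | (b[o + 3] << 24)) >>> 0;
}
function u64le(b, o) {
  let v = 0n;
  for (let i = 7; i >= 0; i--) v = (v << 8n) | BigInt(b[o + i]);
  return v;
}
function u64leBytes(v) { // encoder, used only to build the constructed sample below
  const out = [];
  let x = BigInt(v);
  for (let i = 0; i < 8; i++) { out.push(Number(x & 0xffn)); x >>= 8n; }
  return out;
}

// Decode one compiled instruction into a structured finding, or null if it is
// not one of the asset-affecting instructions this triage cares about.
function decodeInstruction(msg, ix) {
  const program = msg.accountKeys[ix.programIdIndex];
  const acct = (i) => msg.accountKeys[ix.accountIndexes[i]];
  const d = ix.data;
  if (program === SYSTEM_PROGRAM && u32le(d, 0) === 2) { // SystemInstruction::Transfer, accounts [from, to]
    return { kind: "sol_transfer", from: acct(0), to: acct(1), lamports: u64le(d, 4) };
  }
  if (program !== TOKEN_PROGRAM) return null;
  switch (d[0]) { // SPL Token instruction discriminator (first byte)
    case 3:  return { kind: "token_transfer", source: acct(0), destination: acct(1), amount: u64le(d, 1) }; // Transfer: [src, dst, authority]
    case 12: return { kind: "token_transfer", source: acct(0), destination: acct(2), amount: u64le(d, 1) }; // TransferChecked: [src, mint, dst, authority]
    case 4:  return { kind: "token_approve", source: acct(0), delegate: acct(1), amount: u64le(d, 1) };     // Approve: [src, delegate, owner]
    case 13: return { kind: "token_approve", source: acct(0), delegate: acct(2), amount: u64le(d, 1) };     // ApproveChecked: [src, mint, delegate, owner]
    case 6:  return { kind: "set_authority", account: acct(0), authorityType: d[1], hasNewAuthority: d[2] === 1 }; // authorityType 2 = AccountOwner
    default: return null;
  }
}

// Summarize what signing `msg` would let happen to `wallet`, whose current
// lamport balance is `walletLamports`. Returns human-readable flags.
function triage(msg, wallet, walletLamports) {
  const flags = [];
  let solOut = 0n, tokenTransfers = 0;
  for (const ix of msg.instructions) {
    const f = decodeInstruction(msg, ix);
    if (!f) continue;
    if (f.kind === "sol_transfer" && f.from === wallet) solOut += f.lamports;
    if (f.kind === "token_transfer") tokenTransfers++;
    if (f.kind === "token_approve") flags.push(`delegate ${f.delegate} may later move up to ${f.amount} from ${f.source} (no balance change now)`);
    if (f.kind === "set_authority" && f.authorityType === 2) flags.push(`ownership of token account ${f.account} is handed to another key`);
  }
  // Assumed threshold: moving >= 90% of the SOL balance out of a "swap" UI is a drain pattern.
  if (solOut > 0n && solOut * 10n >= BigInt(walletLamports) * 9n) flags.push(`transfers ${solOut} lamports, nearly the entire SOL balance`);
  if (tokenTransfers > 1) flags.push(`${tokenTransfers} token transfers packed into one transaction`);
  return flags;
}

// Constructed sample: a "swap" that actually drains SOL, moves one SPL token
// and reassigns ownership of a second token account. All keys are placeholders.
const sample = {
  accountKeys: ["UserWallet", "AttackerWallet", SYSTEM_PROGRAM, TOKEN_PROGRAM,
                "UserTokenAcctA", "AttackerTokenAcctA", "MintA", "UserTokenAcctB"],
  instructions: [
    { programIdIndex: 2, accountIndexes: [0, 1], data: [2, 0, 0, 0, ...u64leBytes(1_990_000_000n)] },
    { programIdIndex: 3, accountIndexes: [4, 6, 5, 0], data: [12, ...u64leBytes(500_000n), 6] },
    { programIdIndex: 3, accountIndexes: [7, 0], data: [6, 2, 1, ...new Array(32).fill(0xaa)] },
  ],
};
const sampleFlags = triage(sample, "UserWallet", 2_000_000_000n);
console.log(sampleFlags.join("\n"));
```

The point of decoding the bytes rather than trusting the site's UI is that the instruction data is what the validator executes; a wallet that renders these findings next to the simulated balance change gives the user both views at once.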

Notice

For the three attack types above, most mainstream Solana wallets currently predict the outcome through transaction simulation, since Solana's official JSON RPC interface provides a "transaction simulation" capability. Users can clearly see the balance changes before confirming, so as long as they patiently and carefully check every change a transaction would cause, some phishing risks can be avoided. However, as phishing techniques have been upgraded, we have also discovered some far more subtle methods.

Fraudulent token authorization

For users familiar with the EVM, token authorization (approval) is a routine operation, but on Solana it works differently, and scammers exploit users' EVM-shaped understanding of the authorization mechanism. The phishing site induces the user to perform a seemingly normal interaction while actually executing a Delegate authorization via createApproveCheckedInstruction behind the scenes. The key point is that this technique does not transfer assets directly; it gives the attacker permission to control the user's assets. Such attacks are usually hidden behind attractive interfaces, for example a fake vote or staking action, while quietly changing the account's authorization settings.

Once the attacker has control of the user's assets, they can move or trade them at any time. This type of attack is hard to detect in time because it does not cause an immediate transfer. It often has the widest impact, since the attacker waits until enough users have been deceived and the total amount is large enough before starting to transfer tokens. Users should treat any request to change authorization settings as cause for alarm, especially on unfamiliar websites or applications. Authorization changes are visible in transaction simulation, so you need to watch not only for direct token balance changes but also for phishing risks that come from changes in authorization.
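Because a delegate approval leaves every balance untouched, a check that only diffs balances will report "no change". The following is an added example, not GoPlus code: it diffs the token-account state a simulation reports before and after a transaction and raises a high-severity finding for owner or delegate changes even when the balance delta is zero. The account records are constructed; their fields (owner, amount, delegate, delegatedAmount) mirror the SPL Token Account layout.

```javascript
// Added example (not GoPlus code): diff simulated token-account state and flag
// authorization changes that a balance-only view would miss.
function indexByAddress(accounts) {
  return Object.fromEntries(accounts.map((a) => [a.address, a]));
}

// Returns one finding per account whose balance, owner or delegate changed,
// plus a finding for any account that disappears (closed) after the transaction.
function diffTokenAccounts(before, after) {
  const pre = indexByAddress(before), post = indexByAddress(after);
  const findings = [];
  for (const address of Object.keys(pre)) {
    const a = pre[address], b = post[address];
    if (!b) { findings.push({ address, change: "closed", severity: "high" }); continue; }
    if (b.owner !== a.owner) {
      findings.push({ address, change: "owner", from: a.owner, to: b.owner, severity: "high" });
    }
    if (b.delegate !== a.delegate || b.delegatedAmount !== a.delegatedAmount) {
      // The dangerous case: balance unchanged now, but another key may spend it later.
      findings.push({ address, change: "delegate", to: b.delegate, allowance: b.delegatedAmount,
                      balanceDelta: b.amount - a.amount, severity: b.delegate ? "high" : "info" });
    }
    if (b.amount !== a.amount) {
      findings.push({ address, change: "balance", delta: b.amount - a.amount,
                      severity: b.amount < a.amount ? "medium" : "info" });
    }
  }
  return findings;
}

// Constructed simulation output for a fake "vote" that only installs a delegate
// over the user's USDC account. Addresses and mints are placeholders.
const beforeState = [
  { address: "UserUsdcAcct", mint: "UsdcMint", owner: "UserWallet", amount: 1_000_000_000n, delegate: null, delegatedAmount: 0n },
  { address: "UserNftAcct",  mint: "NftMint",  owner: "UserWallet", amount: 1n, delegate: null, delegatedAmount: 0n },
];
const afterState = [
  { address: "UserUsdcAcct", mint: "UsdcMint", owner: "UserWallet", amount: 1_000_000_000n, delegate: "AttackerWallet", delegatedAmount: 1_000_000_000n },
  { address: "UserNftAcct",  mint: "NftMint",  owner: "UserWallet", amount: 1n, delegate: null, delegatedAmount: 0n },
];
const voteFindings = diffTokenAccounts(beforeState, afterState);
console.log(voteFindings);
```

Revoking a delegate (delegate back to null) also shows up as a "delegate" change but is classified as informational, which is the behaviour a revoke tool relies on.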

Using Durable Nonce to obtain transaction signatures fraudulently

Durable Nonce is a Solana feature that allows a special account to be created to store a nonce value that does not expire. Every Solana transaction must include a recent blockhash, which ensures the transaction is timely and unique; this blockhash normally expires after roughly 150 blocks, after which the transaction can no longer be processed. The Durable Nonce mechanism instead supplies a nonce value that does not expire, so a transaction built with it stays valid for a much longer period.

In phishing scams, attackers may abuse the Durable Nonce mechanism to get users to sign transactions that look normal but contain malicious operations. Because a Durable Nonce is used, these transactions do not expire with the blockhash, which gives the scammer a much longer window in which to execute them. For example, a scammer might design a transaction that looks like participation in an airdrop or event but actually contains instructions that transfer the user's assets to the scammer. The user signs it unknowingly and then finds that no transaction appears on chain at all: the attacker has only collected the signature and has not yet sent the transaction to the blockchain. They can broadcast it at any time in the future. However, whether or not the transaction has been broadcast, we found that this kind of signature does not affect the transaction simulation result: several mainstream wallets can still simulate the transaction itself and report the outcome. Our earlier advice of judging by the simulation result therefore remains an effective methodology.

However, we have also discovered an extremely well-hidden and complex attack method that can "conceal the truth" from simulation.

Contract upgrade evades transaction simulation detection

This method combines Durable Nonce with a unique characteristic of Solana contracts (programs): upgradability, which makes the attack considerably more dangerous. The Durable Nonce mechanism creates a nonce account whose value remains valid long-term, so a signed transaction stays active for an extended window. Even if the transaction is not sent to the blockchain at signing time, it can still be broadcast and executed at any point in the future.

An attacker exploits this by first asking the user to sign a seemingly normal contract transaction. At signing time the transaction looks completely harmless; even mainstream wallets and transaction simulation tools have difficulty warning the user in advance. Once the user has signed, the attacker holds a valid Durable Nonce signature. Instead of broadcasting it immediately, they use Solana's contract upgrade function to replace the original, benign contract with a malicious version that can, for example, transfer assets. After the upgrade, the attacker sends the signed transaction to the blockchain and the malicious operation executes.

This attack is particularly subtle and poses a significant risk, because even experienced users may not recognize the danger when signing. To guard against it, users need to scrutinize the reputation and history of the contract, remain suspicious of any unusual transaction, and avoid interacting with unknown sources or newly deployed contracts. At the same time, we hope that all Solana wallets will pay attention to this attack method and promptly build effective warnings and wallet-side protection for user assets.
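Both ingredients of this attack are visible to a wallet before signing: a durable-nonce transaction must begin with the System Program's AdvanceNonceAccount instruction, and whether a program can still be upgraded can be read from its on-chain metadata. The following is an added example, not GoPlus code, that checks for the combination and escalates the risk level when a durable-nonce transaction calls into a program whose upgrade authority has not been given up. The message shape and the programInfo map are constructed stand-ins for data a wallet would fetch; the System Program and BPF upgradeable loader IDs and the AdvanceNonceAccount instruction index are real.

```javascript
// Added example (not GoPlus code): flag a durable-nonce transaction that calls
// an upgradeable program, i.e. a signature that can outlive the code it was
// simulated against.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const BPF_UPGRADEABLE_LOADER = "BPFLoaderUpgradeab1e11111111111111111111111";

function u32le(b, o) {
  return (b[o] | (b[o + 1] << 8) | (b[o + 2] << 16) | (b[o + 3] << 24)) >>> 0;
}

// A durable-nonce transaction must begin with SystemInstruction::AdvanceNonceAccount (index 4).
function isDurableNonceTx(msg) {
  const first = msg.instructions[0];
  if (!first) return false;
  return msg.accountKeys[first.programIdIndex] === SYSTEM_PROGRAM && u32le(first.data, 0) === 4;
}

// programInfo maps programId -> { owner, upgradeAuthority } (constructed here; a
// wallet would fetch the program account and its program-data account). A program
// owned by the upgradeable loader whose upgrade authority is not null can change
// its code at any time between signing and broadcast.
function assessDeferredRisk(msg, programInfo) {
  const durable = isDurableNonceTx(msg);
  const upgradeable = [];
  for (const ix of msg.instructions) {
    const id = msg.accountKeys[ix.programIdIndex];
    const info = programInfo[id];
    if (info && info.owner === BPF_UPGRADEABLE_LOADER && info.upgradeAuthority !== null && !upgradeable.includes(id)) {
      upgradeable.push(id);
    }
  }
  let level = "low";
  if (durable && upgradeable.length > 0) level = "critical"; // simulation result may not hold when finally broadcast
  else if (durable || upgradeable.length > 0) level = "medium";
  return { durable, upgradeable, level };
}

// Constructed sample: nonce advance followed by a call into an "airdrop" program
// that is still upgradeable. All keys except the two program IDs are placeholders.
const sampleMsg = {
  accountKeys: ["UserWallet", "NonceAcct", "RecentBlockhashesSysvar", SYSTEM_PROGRAM, "AirdropProgram"],
  instructions: [
    { programIdIndex: 3, accountIndexes: [1, 2, 0], data: [4, 0, 0, 0] }, // AdvanceNonceAccount: [nonce, sysvar, authority]
    { programIdIndex: 4, accountIndexes: [0], data: [1] },
  ],
};
const sampleInfo = { AirdropProgram: { owner: BPF_UPGRADEABLE_LOADER, upgradeAuthority: "AttackerWallet" } };
const verdict = assessDeferredRisk(sampleMsg, sampleInfo);
console.log(verdict);
```

A wallet that surfaces this verdict alongside the simulation can tell the user that the simulated result is only guaranteed for the program code as it exists right now; a program whose upgrade authority has been set to null cannot be swapped out later and is rated lower.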

Precautions

When facing phishing attacks on the Solana network, the following precautions can help minimize the risk:

  1. Be security aware: Stay extremely vigilant about any cryptocurrency-related transaction. Understand the common Solana phishing methods, such as induced token transfers, token account ownership transfers, and fraudulently obtained transaction signatures.

  2. Double-check transaction details: Before any transaction, carefully check its specifics. Take extra care with transactions that use a Durable Nonce or involve contract interactions.

  3. Use transaction simulation: Use the transaction simulation function provided by the wallet and review its results carefully. Be aware that it is not foolproof, since there are cases where simulation fails.

  4. Pay attention to authorization changes: Remain vigilant for operations that change who is authorized over your balances even when no transfer takes place. Be particularly careful about authorization changes on unfamiliar websites or applications.

  5. Regularly revoke unused authorizations: Use the Solana Revoke tool to regularly cancel authorizations you no longer need and keep your assets secure.

  6. Keep your knowledge current: Regularly update your knowledge of blockchain and cryptocurrencies, especially of emerging phishing methods and prevention strategies.

  7. Keep software updated: Keep your wallet and related software up to date so that it has the latest security features and fixes.

  8. Back up and protect private keys: Protect your private keys and other sensitive information, and avoid storing or sharing them in unsafe places.

At the same time, the GoPlus security team calls on the Solana public chain and its ecosystem to take user security seriously, accelerate the construction of security infrastructure, and provide users with a safer transaction environment, thereby achieving ecosystem stability and prosperity.
