Original title: "GoPlus: Solana Anti-Phishing Guide"

Original source: GoPlus Security

Solana's market capitalization has recently surged past BNB's into the global top three. The resulting wealth effect has drawn in a large number of active users, and with them a large number of Wallet Drainer (wallet phishing) groups migrating from EVM chains to Solana. Phishing sites and airdrop scams targeting Solana are now being deployed at scale and have caused heavy losses. The GoPlus security team recently analyzed many Solana phishing incidents and found that the fraud groups exploit the still-immature security infrastructure of some Solana wallets to iterate their airdrop scams quickly and to steal social accounts. Below, GoPlus summarizes the common Solana phishing techniques so that users can recognize them and reduce asset losses.

Attack Types

In several recent phishing incidents, GoPlus found that most phishing groups rely on lures such as "claim your airdrop", fake project websites, "free draws" and NFT airdrops as the entry point. These lures are almost identical to the common EVM phishing lures. The difference lies in the payload: scammers exploit the ways Solana's transaction and account model differs from the EVM to move tokens, or take over authority over them, in ways EVM users do not expect. The following are the transfer attack methods we have observed.

Inducing the transfer of the native token SOL

This is the simplest type. Once the user connects the wallet, the phishing front end reads the wallet's entire $SOL balance and builds a transaction containing a single SystemProgram.transfer instruction that moves (almost) all of it to the attacker. For example, a phishing site shows a Swap interface, and users believe they are buying a token at a low price.

In reality the transaction is nothing but a plain $SOL transfer.

Inducing the transfer of multiple tokens

Besides stealing native $SOL, scammers can empty every token the wallet holds with a single signature. A Solana transaction is composed of one or more instructions, and each instruction carries its own logic: a transfer, a program call, an account creation, and so on. A phishing group can therefore pack several operations into one transaction. If the user holds three different tokens, the phishing site simply appends three transfer instructions to the same transaction, one per token account, instead of phishing for each asset separately; the user's single signature authorizes all of them. As with the first technique, the attacker uses any pretext to get the user to click the button and sign. Such a transaction moves everything at once: not only native $SOL but also NFTs and fungible tokens. For the non-native assets the fraud groups mainly use createTransferCheckedInstruction from the SPL Token library to build the transfer instructions.

Phantom transaction simulation

Backpack transaction simulation

Inducing the transfer of token account ownership

Besides direct transfers, GoPlus has also seen phishing sites pack a createSetAuthorityInstruction into the transaction. This instruction changes the authority of a token account. Solana's account model differs from the EVM's: a wallet does not hold token balances itself; instead, for each token (mint) it has a separate Token Account, whose owner field is the wallet and which records the balance of that token. createSetAuthorityInstruction with authority type AccountOwner reassigns that owner field to another address. No balance moves in this transaction, but the net effect is the same as transferring the entire balance of that token account to the new owner, who can withdraw it at will. We reproduced this operation on Phantom and Backpack; fortunately, both wallets show a dedicated warning.

Even if the user clicks "Ignore and proceed anyway", the transaction simulation still displays the resulting balance change.

Notice

Most mainstream Solana wallets can now predict the outcome of the three attack types above through transaction simulation: the wallet submits the transaction to the simulateTransaction method of Solana's JSON RPC API and shows the user the resulting balance changes before they sign. As long as users read the simulated result of every transaction patiently and carefully, most of these phishing attempts can be caught. However, as phishing techniques evolve, we have also found techniques that are much harder to detect.

Fraudulent token authorization

Token approvals are a familiar operation for EVM users, but they work differently on Solana, and scammers exploit the habits users bring from the EVM approval model. A phishing site induces the user to perform a seemingly normal interaction while, behind the scenes, submitting a createApproveCheckedInstruction that sets a Delegate on the user's token account for a chosen amount. The key to this method is that it moves no assets; it hands the attacker the right to move them. The attack is usually hidden behind an attractive interface such as voting or staking, while it quietly changes the account's delegate settings.

Once the delegate is set, the attacker can move up to the approved amount at any time, including transferring or trading the tokens. This kind of attack is often not detected promptly because no asset moves when the user signs. It also tends to have the widest impact, because the attacker waits until enough users have been deceived and the total is large enough before sweeping the tokens. Users should be wary of any request that changes authorization settings, especially on unfamiliar websites or applications. Delegate changes do show up in transaction simulation, so users should watch not only for direct balance changes but also for authorization changes.

Durable Nonce to defraud transaction signatures

A Durable Nonce is a Solana feature that stores a persistent, non-expiring nonce value in a dedicated nonce account. Every Solana transaction must include a recent blockhash, which ensures that the transaction is timely and unique; that blockhash expires after about 150 blocks (roughly a minute), after which the transaction can no longer be processed. With a durable nonce, the transaction uses the nonce account's stored value in place of the recent blockhash and must begin with an AdvanceNonceAccount instruction; the signed transaction then stays valid until the nonce is advanced, however long that takes.

In phishing, scammers abuse durable nonces to get users to sign transactions that look normal but contain malicious instructions. Because the transaction is anchored to a durable nonce rather than a recent blockhash, it does not expire, which gives the scammer an open-ended window in which to execute it. For example, the scammer presents a transaction disguised as a legitimate action such as joining an airdrop or event, while the instructions actually transfer the user's assets to the scammer. The user signs without realizing it and then sees no transaction on chain, because the attacker has only collected the signature and has not yet broadcast the transaction; it can be submitted at any time in the future. Whether or not the transaction has been broadcast, we found that this does not affect the outcome of transaction simulation: the mainstream wallets can still simulate and parse the transaction and report its effects, so reading the simulation result remains a valid method. The caveat is that the simulated result reflects the chain state at the moment of signing, not the moment of execution.
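The following is an added example, not code from GoPlus or from any wallet, that shows how a wallet-side risk engine can recognize every payload discussed so far (the SOL drain, the multi-token transfer, the SetAuthority owner change, the ApproveChecked delegate, and the durable nonce prefix) by decoding the raw instructions of a transaction message offline. It uses only Node.js built-ins. The real System Program, SPL Token and Token-2022 program IDs and the documented instruction layouts are used; all other account keys, balances and amounts are constructed placeholders, and a real message would carry compiled account indexes that the wallet resolves to keys before this step.

```javascript
// Added example (not GoPlus code): offline triage of a Solana transaction
// message for the phishing payloads described above. Account keys are plain
// labels (constructed placeholders), except for the real program IDs.
'use strict';

const SYSTEM_PROGRAM = '11111111111111111111111111111111';
const TOKEN_PROGRAMS = new Set([
  'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA', // SPL Token
  'TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb', // Token-2022 (same base layout)
]);
// SPL Token instruction tag = first data byte; SetAuthority type 2 = AccountOwner.
const TOKEN_IX = { Transfer: 3, Approve: 4, SetAuthority: 6, TransferChecked: 12, ApproveChecked: 13 };
const AUTHORITY_ACCOUNT_OWNER = 2;
// System Program instruction index = u32 little-endian in data[0..4].
const SYSTEM_IX = { Transfer: 2, AdvanceNonceAccount: 4 };

// Decode one instruction {programId, accounts, data: Buffer} into a tagged object.
function decodeInstruction({ programId, accounts: a, data }) {
  if (programId === SYSTEM_PROGRAM) {
    const tag = data.readUInt32LE(0);
    if (tag === SYSTEM_IX.Transfer) return { kind: 'sol_transfer', from: a[0], to: a[1], lamports: data.readBigUInt64LE(4) };
    if (tag === SYSTEM_IX.AdvanceNonceAccount) return { kind: 'advance_nonce', nonceAccount: a[0], authority: a[2] };
    return { kind: 'system_other', tag };
  }
  if (TOKEN_PROGRAMS.has(programId)) {
    const tag = data[0];
    const amount = () => data.readBigUInt64LE(1); // Transfer/Approve[Checked]: u64 right after the tag
    switch (tag) {
      case TOKEN_IX.Transfer: return { kind: 'token_transfer', source: a[0], destination: a[1], owner: a[2], amount: amount() };
      case TOKEN_IX.TransferChecked: return { kind: 'token_transfer', source: a[0], mint: a[1], destination: a[2], owner: a[3], amount: amount() };
      case TOKEN_IX.Approve: return { kind: 'token_approve', source: a[0], delegate: a[1], owner: a[2], amount: amount() };
      case TOKEN_IX.ApproveChecked: return { kind: 'token_approve', source: a[0], mint: a[1], delegate: a[2], owner: a[3], amount: amount() };
      case TOKEN_IX.SetAuthority: // data: tag, authority_type, COption<Pubkey> (1 flag byte + 32 bytes)
        return { kind: 'set_authority', account: a[0], currentAuthority: a[1], authorityType: data[1],
                 newAuthority: data[2] === 1 ? data.subarray(3, 35).toString('hex') : null };
      default: return { kind: 'token_other', tag };
    }
  }
  return { kind: 'unknown_program', programId };
}

// Emit warnings for the signer's wallet (`user`) and its token accounts.
function triage(message, { user, userTokenAccounts, lamportBalance }) {
  const warnings = [];
  const decoded = message.instructions.map(decodeInstruction);
  if (decoded[0] && decoded[0].kind === 'advance_nonce') {
    warnings.push(`durable nonce: first instruction is AdvanceNonceAccount on ${decoded[0].nonceAccount}; the signature does not expire and can be broadcast later`);
  }
  let solOut = 0n;
  for (const ix of decoded) {
    if (ix.kind === 'sol_transfer' && ix.from === user) solOut += ix.lamports;
    else if (ix.kind === 'token_transfer' && userTokenAccounts.has(ix.source))
      warnings.push(`transfers ${ix.amount} base units from ${ix.source} to ${ix.destination}`);
    else if (ix.kind === 'token_approve' && userTokenAccounts.has(ix.source))
      warnings.push(`approves ${ix.delegate} as delegate for ${ix.amount} base units of ${ix.source}; no balance changes now`);
    else if (ix.kind === 'set_authority' && ix.authorityType === AUTHORITY_ACCOUNT_OWNER && userTokenAccounts.has(ix.account))
      warnings.push(`hands ownership of token account ${ix.account} to ${ix.newAuthority}; equivalent to draining it`);
    else if (ix.kind === 'unknown_program')
      warnings.push(`calls program ${ix.programId}; simulation reflects its current code only, check its upgrade authority`);
  }
  if (solOut > 0n) {
    const pct = Number((solOut * 100n) / lamportBalance);
    warnings.push(`sends ${solOut} lamports of SOL from ${user} (${pct}% of balance)`);
  }
  return warnings;
}

// --- Constructed sample: one transaction carrying every payload at once ---
const u64le = (n) => { const b = Buffer.alloc(8); b.writeBigUInt64LE(BigInt(n)); return b; };
const sysIx = (tag, accounts, rest = Buffer.alloc(0)) => {
  const t = Buffer.alloc(4); t.writeUInt32LE(tag); return { programId: SYSTEM_PROGRAM, accounts, data: Buffer.concat([t, rest]) };
};
const tokIx = (tag, accounts, rest) =>
  ({ programId: 'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA', accounts, data: Buffer.concat([Buffer.from([tag]), rest]) });

const USER_BALANCE = 2_000_000_000n;            // 2 SOL in lamports (constructed)
const ATTACKER_PUBKEY = Buffer.alloc(32, 0xaa); // constructed 32-byte pubkey
const sampleMessage = {
  instructions: [
    sysIx(SYSTEM_IX.AdvanceNonceAccount, ['attacker-nonce-account', 'SysvarRecentB1ockHashes11111111111111111111', 'attacker-wallet']),
    sysIx(SYSTEM_IX.Transfer, ['user-wallet', 'attacker-wallet'], u64le(USER_BALANCE - 5_000n)),
    tokIx(TOKEN_IX.TransferChecked, ['user-usdc-ata', 'usdc-mint', 'attacker-usdc-ata', 'user-wallet'], Buffer.concat([u64le(250_000_000n), Buffer.from([6])])),
    tokIx(TOKEN_IX.SetAuthority, ['user-nft-ata', 'user-wallet'], Buffer.concat([Buffer.from([AUTHORITY_ACCOUNT_OWNER, 1]), ATTACKER_PUBKEY])),
    tokIx(TOKEN_IX.ApproveChecked, ['user-bonk-ata', 'bonk-mint', 'attacker-wallet', 'user-wallet'], Buffer.concat([u64le(2n ** 64n - 1n), Buffer.from([5])])),
  ],
};

function triageSample() {
  return triage(sampleMessage, {
    user: 'user-wallet',
    userTokenAccounts: new Set(['user-usdc-ata', 'user-nft-ata', 'user-bonk-ata']),
    lamportBalance: USER_BALANCE,
  });
}

for (const w of triageSample()) console.log('WARNING:', w);
```

The decoder works from the raw instruction bytes rather than from simulation output, which is what makes it useful against the durable nonce case: the AdvanceNonceAccount prefix and the SetAuthority and Approve instructions are visible in the message itself, whatever the chain state at execution time. The "calls program" warning for anything outside the System and Token programs is deliberately blunt; whether such a program can still be upgraded is an on-chain question this offline example cannot answer.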

However, we also found an extremely well-hidden and complex attack method that can conceal the truth from simulation.

Contract upgrade to evade transaction simulation detection

This method combines the durable nonce with a distinctive property of Solana programs: upgradeability. A program deployed through the BPF Upgradeable Loader can have its code replaced by the program's upgrade authority while the program ID stays the same, so existing references and already-signed transactions still point at it. The durable nonce, as described above, lets a signed transaction stay valid for an arbitrarily long time and be broadcast whenever the attacker chooses.

The attack proceeds as follows. The attacker first has the user sign a transaction that calls an apparently normal program. At signing time the transaction really is harmless, so mainstream wallets and simulation tools have no basis on which to warn the user. Having obtained the user's signature on the durable nonce transaction, the attacker does not broadcast it. Instead, they use the upgrade authority to replace the program with a malicious version that, for instance, transfers the caller's assets. Only then do they submit the already-signed transaction, which now executes the malicious code. Simulation is defeated because it can only evaluate the program code that exists at simulation time.

This attack is particularly insidious and dangerous, because even experienced users cannot identify the risk when signing. To reduce exposure, users should check a program's reputation and history, be skeptical of any unusual signing request, and avoid interacting with unknown or newly deployed programs. A concrete check is whether the program is still upgradeable: the Solana CLI command solana program show <program id> prints the program's upgrade Authority, and a program whose authority has been set to none cannot be changed after the fact. We also hope that all Solana wallets pay attention to this attack and add effective warnings and protection of user assets on the wallet side.

Precautions

Here are some general precautions to help minimize the risk when facing phishing attacks on the Solana network:

Improve security awareness: Always be highly vigilant about any cryptocurrency-related transaction. Understand the common Solana phishing methods, such as induced token transfers, token account ownership transfers, delegate approvals, and signature harvesting through durable nonces.

Carefully check transaction details: Before signing, check the specific contents of the transaction. Be extra careful when a transaction uses a durable nonce (its first instruction is AdvanceNonceAccount) or calls a program you do not recognize.

Use the transaction simulation function: Use the wallet's transaction simulation and review the simulated result carefully before signing. Note that simulation is not foolproof: a simulation can fail, and, as the durable nonce plus program upgrade case shows, the simulated outcome can differ from what eventually executes on chain.

Pay attention to authorization changes: Be vigilant about operations that change delegates or authorities without moving any balance, not only about balance changes. Be especially careful about authorization changes on unfamiliar websites or applications.

Regularly cancel useless authorizations: Use the Solana Revoke tool to revoke delegates you no longer need (on chain this is the SPL Token Revoke instruction, which clears the token account's delegate) to keep your assets safe.

Update your knowledge regularly: Regularly update your knowledge about blockchain and cryptocurrency, especially about emerging phishing methods and prevention strategies.

Keep your software updated: Wallets and related software used should be kept up to date to ensure that you have the latest security features and fixes.

Back up and protect private keys: Protect your private keys and important information, and avoid storing or sharing them in unsafe places.

At the same time, the GoPlus security team calls on the Solana public chain and its ecosystem to pay close attention to user safety, to accelerate the construction of security infrastructure, and to provide users with a safer trading environment, so that the ecosystem can remain stable and prosper.
