
Please keep this Solana Anti-Phishing Guide

2024-01-10 14:26
Scammers exploit the differences between Solana's and EVM's mechanisms to phish in different ways, each a variation on "token or authorization transfer".
Original Title: "GoPlus: Solana Anti-Phishing Guide"
Original Source: GoPlus Security


Recently, the market value of Solana has skyrocketed, surpassing BNB to rank among the top three globally. The huge wealth effect has attracted a large number of active players, as well as a large number of Wallet Drainer groups who have transferred from EVM to Solana. Phishing websites and airdrop scams targeting Solana have begun to be deployed on a large scale, causing significant losses to many users. Recently, the GoPlus security team analyzed multiple phishing incidents on Solana and found that the scam groups took advantage of the incomplete security infrastructure of some wallets on Solana to quickly upgrade airdrop scams and implement social account theft. GoPlus has summarized the following common phishing attack methods on Solana to help users effectively avoid related phishing incidents and reduce asset losses.


Attack Types


In recent phishing incidents, GoPlus found that most phishing groups use methods such as "enticing to receive airdrops", "fake project websites", "free lottery", "guided entry through NFT airdrops", etc. These methods are almost identical to the common phishing methods of EVM, with the main difference being that scammers use different "token or authorization transfer" methods to conduct phishing activities due to the different mechanisms of Solana and EVM. Here are several different transfer attack methods we have observed.



Inducing Transfer of the Native Token SOL


This type of attack is the simplest: after the user connects their wallet, the scam site reads the wallet's entire $SOL balance and builds a transaction that transfers it directly with the SystemProgram.transfer function. Taking one phishing website as an example, the site displays a swap UI, and users often believe they are buying a certain token at a low price.



But in reality, only a simple transfer of $SOL is executed.



Inducing transfer of multiple tokens


Aside from stealing the native token $SOL, scammers can also drain every token the wallet currently holds within a single signed transaction. Each transaction on Solana can consist of multiple instructions, with each instruction completing a separate piece of logic such as a transfer, a program interaction, or an account creation. This means that phishing groups are able to insert multiple operation instructions into the same transaction. For example, if a user holds three different tokens, the phishing website only needs to insert three separate transfer instructions, one per token, into the same transaction. There is no need to scam each asset individually; this feature can be used to loot the wallet in one go. As with the first type of inducement, the scammers deceive users into clicking a button to complete the transaction by various means. We can see that this type of transaction moves all assets at once, including not only the native $SOL but also NFT and token assets. The scam team mainly uses the SPL Token library's createTransferCheckedInstruction to build the transfer instructions for non-native assets.



[Screenshot: Phantom transaction simulation]



[Screenshot: Backpack transaction simulation]


Inducing transfer of token ownership


Besides direct token transfers, GoPlus also discovered that some phishing websites package a createSetAuthorityInstruction operation into the transaction. The essence of this operation is to transfer ownership of the tokens on the account. Solana's account model differs from EVM's: for each token, a wallet address has a dedicated Token Account, and the Token Account has an owner, which is the wallet address. The Token Account also records the balance and related information for that token. The createSetAuthorityInstruction operation can directly transfer ownership of the current Token Account to another account, which effectively hands that account's entire token balance to the new owner. We ran this operation on both Phantom and Backpack, and fortunately both wallets showed special reminders and warnings.




Even if the user clicks the "Ignore and proceed anyway" option, the balance changes can still be displayed through transaction simulation.



Attention


The above three types of attack can currently be predicted by most mainstream Solana wallets through transaction simulation. Users can clearly see the balance changes before confirming, so as long as they carefully check the result of each transaction, they can largely avoid these phishing risks. This is possible because Solana's official JSON RPC interface provides the ability to simulate transactions. However, as phishing and fraud techniques have advanced, we have also discovered some phishing techniques that are very difficult to detect.


Deceiving Token Authorization


For users familiar with EVM, token authorization (approval) is a common operation, but on Solana this operation works differently. In the Solana network, scammers exploit users' EVM-shaped understanding of the authorization mechanism to commit fraud. Phishing websites induce users to perform seemingly normal interactions while, in the background, executing a delegate-authorization (Delegate) instruction built with createApproveCheckedInstruction. The key to this technique is that it does not transfer assets directly; it grants the attacker permission to control the user's assets. These attacks are usually hidden behind tempting interactive interfaces, such as a fake vote or staking page, while silently changing the account's delegation settings.


Once the attacker gains control over the user's assets, they can manipulate them at any time, including transferring or trading them. This type of attack is often difficult to detect in a timely manner because it does not immediately result in an asset transfer. These attacks also often have the widest impact, because attackers wait until enough unsuspecting users and large enough funds are involved before initiating the token transfers. Users need to be particularly cautious of any request to change authorization settings, especially on unfamiliar websites or applications. Transaction simulation does show changes in authorization, so it is important not only to watch direct token balance changes but also to be wary of phishing risks that appear as changes in delegation.




Stealing Transaction Signatures with Durable Nonce


Durable Nonce is a feature in the Solana blockchain that allows for the creation of a special account to store a persistent and non-expiring nonce value. In Solana, every transaction requires a recent blockhash as part of it to ensure timeliness and uniqueness. Typically, this blockhash expires after around 150 blocks, rendering the transaction unprocessable. The Durable Nonce mechanism allows for the creation of transactions that remain valid for a longer period of time by providing a non-expiring nonce value.


In phishing scams, scammers may abuse the Durable Nonce mechanism to induce users to sign transactions that appear normal but actually contain malicious operations. Because a Durable Nonce is used, these transactions do not expire when the blockhash does, giving scammers a much longer window in which to submit them. For example, a scammer may design a transaction disguised as a legitimate operation, such as participating in an airdrop or activity, that actually contains instructions transferring the user's assets to the scammer. The user signs such a transaction without realizing it, then notices that nothing appeared on chain: the attacker only collected the signature and has not yet sent the transaction to the blockchain. They can broadcast it at any time in the future. However, we found that this does not defeat transaction simulation: several mainstream wallets can still simulate and parse such a transaction and report its effect. Our earlier advice to judge a transaction by its simulation result therefore remains an effective methodology.


However, we have also discovered an extremely covert and complex attack method that slips past scrutiny in plain sight.


Evading Transaction Simulation Through Contract Upgrades


This method combines Durable Nonce with a feature unique to Solana contracts: upgradability, which makes the attack considerably more dangerous. As described above, the Durable Nonce mechanism keeps a transaction valid for a long time by holding a long-lived nonce value in a dedicated account, so a transaction the user signs need not be sent to the chain immediately; it can be broadcast and executed at any later time. The attacker exploits this by first having the user sign a seemingly normal contract transaction that looks harmless at signing time; even mainstream wallets and transaction simulation tools may not be able to warn the user at this point. Once the user has signed, the attacker holds a signed, non-expiring (Durable Nonce) transaction. Rather than broadcasting it immediately, the attacker uses Solana's contract upgrade function to replace the originally benign contract with a malicious version that can, for example, transfer assets. After the upgrade, the attacker sends the previously signed transaction to the chain, and the malicious operation executes. This type of attack is particularly insidious and poses a great risk to users, because even experienced users may not be able to identify the risk when signing. To defend against it, users need to carefully review the reputation and history of the contract, maintain a skeptical attitude towards any unusual transaction behavior, and avoid interacting with contracts from unknown sources or newly deployed contracts. At the same time, we hope all Solana wallets will pay attention to this attack method and build effective warnings and protection for user assets in a timely manner.
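The patterns described above (draining several accounts under one signature, createSetAuthorityInstruction ownership transfer, createApproveCheckedInstruction delegation, Durable Nonce signature harvesting, and a non-expiring signature over an upgradeable program) can all be recognised from the instruction list of a transaction before it is signed. The following is an added example, not code from GoPlus or BlockBeats: a dependency-free risk classifier over already-decoded Solana instructions, of the kind a wallet's pre-signing review could run alongside simulation. The program ids and instruction discriminators are the real on-chain values; the decoded-instruction shape, the `programOwners` lookup (which a real wallet would fill from RPC), and every key, balance and transaction in it are constructed for the demonstration.

```javascript
// Added example (not GoPlus's or BlockBeats' code): a dependency-free risk classifier
// for already-decoded Solana transactions, showing the checks a wallet's pre-signing
// review can apply to the phishing patterns discussed above. Program ids and instruction
// discriminators are the real on-chain values; every key, balance and transaction below
// is constructed for the demo.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const UPGRADEABLE_LOADER = "BPFLoaderUpgradeab1e11111111111111111111111";
const SYS_TRANSFER = 2, SYS_ADVANCE_NONCE = 4;        // system program instruction index (u32 LE)
const TOK_APPROVE = 4, TOK_SET_AUTHORITY = 6,         // SPL Token discriminator (first data byte)
      TOK_TRANSFER_CHECKED = 12, TOK_APPROVE_CHECKED = 13;
const AUTHORITY_ACCOUNT_OWNER = 2;                     // AuthorityType::AccountOwner
const SEVERITY = { none: 0, info: 1, high: 2, critical: 3 };

const readU32 = (d, o) => (d[o] | (d[o + 1] << 8) | (d[o + 2] << 16) | (d[o + 3] << 24)) >>> 0;
const readU64 = (d, o) => d.slice(o, o + 8).reduceRight((v, b) => (v << 8n) | BigInt(b), 0n);
const u32le = n => [n & 0xff, (n >>> 8) & 0xff, (n >>> 16) & 0xff, (n >>> 24) & 0xff];
const u64le = n => { const b = []; let v = BigInt(n); for (let i = 0; i < 8; i++, v >>= 8n) b.push(Number(v & 0xffn)); return b; };

// tx = { signer, balances: { sol: bigint lamports, tokens: { tokenAccount: bigint } },
//        instructions: [{ programId, accounts: [pubkey strings], data: [bytes] }] }
// programOwners maps program id -> loader that owns it (a wallet would fetch this via RPC).
function assessTransaction(tx, programOwners = {}) {
  const findings = [], drained = new Set();
  let durableNonce = false, upgradeableCall = false;
  tx.instructions.forEach((ix, i) => {
    const d = ix.data, a = ix.accounts;
    if (ix.programId === SYSTEM_PROGRAM) {
      const idx = readU32(d, 0);
      if (idx === SYS_ADVANCE_NONCE && i === 0) {       // the runtime requires it to come first
        durableNonce = true;
        findings.push({ severity: "high", msg: "durable nonce: this signature never expires and can be broadcast later" });
      } else if (idx === SYS_TRANSFER && a[0] === tx.signer) {
        const lamports = readU64(d, 4), empties = lamports >= tx.balances.sol;
        if (empties) drained.add(a[0]);
        findings.push({ severity: empties ? "high" : "info", msg: `sends ${lamports} lamports to ${a[1]}` });
      }
    } else if (ix.programId === TOKEN_PROGRAM) {
      const disc = d[0];
      if (disc === TOK_TRANSFER_CHECKED) {               // accounts: [source, mint, destination, owner]
        const amount = readU64(d, 1), empties = amount >= (tx.balances.tokens[a[0]] ?? 0n);
        if (empties) drained.add(a[0]);
        findings.push({ severity: empties ? "high" : "info", msg: `moves ${amount} from token account ${a[0]} to ${a[2]}` });
      } else if (disc === TOK_SET_AUTHORITY && d[1] === AUTHORITY_ACCOUNT_OWNER) {
        findings.push({ severity: "critical", msg: `hands ownership of token account ${a[0]} to a new key` });
      } else if (disc === TOK_APPROVE || disc === TOK_APPROVE_CHECKED) {
        // Approve accounts: [source, delegate, owner]; ApproveChecked: [source, mint, delegate, owner]
        const delegate = disc === TOK_APPROVE ? a[1] : a[2];
        findings.push({ severity: "high", msg: `delegates ${readU64(d, 1)} of ${a[0]} to ${delegate} (nothing moves yet)` });
      }
    } else if (programOwners[ix.programId] === UPGRADEABLE_LOADER) {
      upgradeableCall = true;
      findings.push({ severity: "high", msg: `calls upgradeable program ${ix.programId}` });
    }
  });
  const known = [tx.signer, ...Object.keys(tx.balances.tokens)];
  if (known.every(k => drained.has(k)))
    findings.push({ severity: "critical", msg: "every known balance is emptied in a single transaction" });
  if (durableNonce && upgradeableCall)
    findings.push({ severity: "critical", msg: "non-expiring signature over an upgradeable program: its code can change before broadcast" });
  const risk = findings.reduce((r, f) => SEVERITY[f.severity] > SEVERITY[r] ? f.severity : r, "none");
  return { risk, findings };
}

// ---- constructed sample data (all keys are placeholders, not real addresses) ----
const VICTIM = "VictimWa11etPlaceholder", DRAINER = "DrainerDestPlaceholder", MINT = "MintPlaceholder";
const USDC_ACCT = "VictimUsdcTokenAccount", BONK_ACCT = "VictimBonkTokenAccount", PROG = "UpgradeableProgramPlaceholder";
const balances = { sol: 2_000_000_000n, tokens: { [USDC_ACCT]: 500_000_000n, [BONK_ACCT]: 10n ** 12n } };
const sysTransfer = lamports => ({ programId: SYSTEM_PROGRAM, accounts: [VICTIM, DRAINER], data: [...u32le(SYS_TRANSFER), ...u64le(lamports)] });
const tokTransfer = (src, amt) => ({ programId: TOKEN_PROGRAM, accounts: [src, MINT, DRAINER, VICTIM], data: [TOK_TRANSFER_CHECKED, ...u64le(amt), 6] });

// 1. Fake "swap" that empties SOL and both token accounts under one signature.
const drainTx = { signer: VICTIM, balances, instructions: [sysTransfer(balances.sol), tokTransfer(USDC_ACCT, balances.tokens[USDC_ACCT]), tokTransfer(BONK_ACCT, balances.tokens[BONK_ACCT])] };
// 2. SetAuthority(AccountOwner): data = [6, authority_type, has_new_authority, new_authority(32 bytes)].
const setAuthorityTx = { signer: VICTIM, balances, instructions: [{ programId: TOKEN_PROGRAM, accounts: [USDC_ACCT, VICTIM], data: [TOK_SET_AUTHORITY, AUTHORITY_ACCOUNT_OWNER, 1, ...new Array(32).fill(0)] }] };
// 3. ApproveChecked: data = [13, amount u64 LE, decimals]; the balance does not change yet.
const approveTx = { signer: VICTIM, balances, instructions: [{ programId: TOKEN_PROGRAM, accounts: [USDC_ACCT, MINT, DRAINER, VICTIM], data: [TOK_APPROVE_CHECKED, ...u64le(balances.tokens[USDC_ACCT]), 6] }] };
// 4. AdvanceNonceAccount first, then a call into a program owned by the upgradeable loader.
const nonceTx = { signer: VICTIM, balances, instructions: [
  { programId: SYSTEM_PROGRAM, accounts: ["NonceAccountPlaceholder", "SysvarRecentB1ockHashes11111111111111111111", VICTIM], data: u32le(SYS_ADVANCE_NONCE) },
  { programId: PROG, accounts: [VICTIM], data: [0] } ] };
// 5. Ordinary partial payment for comparison.
const paymentTx = { signer: VICTIM, balances, instructions: [sysTransfer(100_000_000n)] };

for (const [name, tx] of Object.entries({ drainTx, setAuthorityTx, approveTx, nonceTx, paymentTx })) {
  const r = assessTransaction(tx, { [PROG]: UPGRADEABLE_LOADER });
  console.log(`${name}: ${r.risk}`, r.findings.map(f => f.msg));
}
```

The classifier deliberately complements simulation rather than replacing it: a delegation or an AdvanceNonceAccount produces no balance change to simulate, and a call into an upgradeable program simulates against today's code, so these are flagged from the instruction structure itself. A real wallet would obtain `programOwners` from the account owner field returned by RPC and would decode the wire-format transaction with its usual library before handing the instructions to a check like this one.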


Preventive Measures


When facing phishing attacks in the Solana network, here are some comprehensive preventive measures that can help minimize risks:


Improve security awareness: Always remain highly vigilant in any cryptocurrency-related transaction. Understand the common Solana phishing methods, such as induced token transfers, transfers of token account ownership, and deceptive transaction signing.


Carefully check the transaction details: Before confirming any transaction, review its specific contents. Transactions that use a Durable Nonce or interact with a contract deserve extra caution.


Use the transaction simulation function: Use the simulation provided by your wallet and carefully review its results. Note, however, that this is not a foolproof protection, as there are cases where transaction simulation can fail.

