From EVM to Solana: How to avoid phishing scams
Original source: Keystone Chinese
Recently, a user posted about losing millions of RMB worth of assets on Solana to a phishing attack. According to his description, he clicked a link that the phishing gang had posted in a reply under a tweet from the Maneki project, which took him to their website.
What puzzled him was that during the interaction the website did not seem to ask him for any token authorization, yet the attacker succeeded immediately. When he realized something was wrong with the site and tried to move the tokens out of his wallet before they were stolen, he found that repeated attempts failed: the tokens could no longer be transferred.
With only limited details available, we cannot fully reconstruct the incident. What is certain is that the user lost control of his Maneki token account, which is why his attempts to transfer the assets failed. Users accustomed to EVM chains may wonder: what does "control of an account" mean here?
The answer is that Solana's implementation differs from that of EVM chains. Carrying EVM habits over to Solana unchanged is like wielding the previous dynasty's sword against the current dynasty's officials: it leaves you exposed to serious risk.
To use Solana safely, you need to understand its characteristics and the fraud methods built around them. To that end, we have collected several attacks on Solana that differ from those seen on EVM, in the hope of helping users new to Solana avoid the pitfalls.
1. Cuckoo in the nest: transferring token account ownership
The user in our opening case suffered this type of attack. In a Solana wallet, each token is held in a separate account (a Token Account), much like the separate RMB and US dollar accounts under one bank card: they are independent of one another, and each token account has an owner attribute.
By default the owner of a token account is the current wallet, but this is not hard-coded: the owner can be changed by calling createSetAuthorityInstruction. Attackers use this operation to trick users into transferring ownership of a token account in their wallet to the attacker's wallet.
Once this succeeds, the tokens still sit in the user's wallet, but the user can no longer transfer them out, which is no different from having them stolen.
Because this operation is so dangerous, both Phantom and @Backpack_CN wallets intercept it, warn about the risk, and require a second confirmation, so the transaction goes through only if the user insists on approving it.
2. Solana does not require authorization before a transfer
On EVM chains, before a phishing contract can move tokens out of a victim's wallet, the user must first grant the phishing contract an allowance on the token contract. Only then can the contract initiate a transaction that transfers the user's assets.
On Solana, "approve" is not a token allowance but approval of the transaction itself. If the user mistakes it for an authorization step, the phishing transaction is sent the moment they click approve, and there is little chance of recovering the assets.
A more dangerous difference: if a user is tricked into granting an allowance on EVM, only that one token is affected, and tokens that were not approved cannot be stolen. On Solana no allowance is needed; once the user approves, the tokens are transferred. Combined with the third characteristic described next, this can cause heavy losses.
3. Beware of being induced to transfer multiple tokens
Solana's transaction design allows multiple instructions (sub-transactions) to be packed into a single transaction, each completing one interaction, such as transferring a particular token. On EVM, by contrast, each token transfer needs its own transaction. This feature of Solana brings real convenience.
For example, most wallets hold a few tokens worth less than 1u (roughly one US dollar). Sol-incinerator uses this feature to let users send such dust tokens in one batch and convert them back to SOL, instead of paying gas for many separate swaps, saving both fees and time.
Every feature cuts both ways, and this one is also a great convenience for attackers. If they can deceive a user into confirming a single transaction, they can take the tokens, NFTs and even the SOL in the wallet. So if you see a large number of token transfers inside one transaction, be wary that an attacker may be using this feature to empty your wallet.
4. Fraudulent transaction signatures
On EVM, permit signatures are popular with phishing gangs because they are hard to spot and leave no trace in the signer's wallet; currently more than half of phishing attacks are based on them. Solana has a similar mechanism: the Durable Nonce.
A Durable Nonce behaves much like a permit. If a user unknowingly signs such a transaction, the assets are not lost immediately and no transaction appears in the wallet. Instead, the signed transaction is sent to the phishing gang, which broadcasts it to the chain later. This offline transaction has the same properties as a permit and is just as dangerous.
Because Solana can simulate a transaction's results, a Durable Nonce transaction is more readable than a permit and easier for users to recognise. So, to steal assets more smoothly, phishing gangs combine the Durable Nonce with a contract upgrade, hiding the warning that transaction simulation would otherwise give the user.
The phishing site first has the user interact with a normal contract that contains no malicious logic. At this point the wallet's transaction simulation shows nothing wrong.
After the user approves, the phishing gang, now holding the user's signature, is in no hurry to broadcast the transaction. It waits a while, upgrades the contract to a version containing malicious code, and only then broadcasts the transaction. The user suddenly finds the assets gone without having done anything, because the signature may have been given days earlier.
This upgrade-based variant is extremely stealthy and extremely harmful, and current transaction simulation cannot surface the risk. Users therefore still need to stay alert, and must not over-rely on wallet warnings or blindly trust simulation results.
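The three on-chain patterns described in sections 1, 3 and 4 (an owner change on a token account, many token transfers packed into one transaction, and a durable-nonce transaction) are all visible in the raw instructions before a user signs, without running a simulation. The following is an added example, not code from the original article or from any wallet vendor: a small pre-signing inspector in JavaScript that decodes those instruction layouts. The program ids and byte layouts are the public SPL Token and System Program encodings; the wallet key, account names and sample transactions are constructed placeholders.

```javascript
// Added example (not from the original article or any wallet's code): a
// pre-signing inspector that scans a transaction's decoded instructions for
// the three patterns discussed above. Program ids and instruction encodings
// are the public SPL Token and System Program layouts; the wallet key, account
// names and sample transactions below are constructed for illustration.

const TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";

// SPL Token: the first data byte is the instruction tag.
const TOKEN_TRANSFER = 3;
const TOKEN_SET_AUTHORITY = 6;
const TOKEN_TRANSFER_CHECKED = 12;
// SetAuthority's AuthorityType: 2 = AccountOwner, i.e. who may move the tokens.
const AUTHORITY_ACCOUNT_OWNER = 2;
// System Program: the first four data bytes are a u32 LE instruction index;
// 4 = AdvanceNonceAccount, which leads every durable-nonce transaction.
const SYSTEM_ADVANCE_NONCE = 4;

const u32le = (b, off) => new DataView(b.buffer, b.byteOffset + off, 4).getUint32(0, true);
const u64le = (b, off) => new DataView(b.buffer, b.byteOffset + off, 8).getBigUint64(0, true);
const hex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// instructions: [{ programId, accounts: [base58 pubkey strings], data: Uint8Array }]
// Returns the warnings a wallet could show before the user signs.
function inspectTransaction(instructions, wallet, maxTransfers = 3) {
  const warnings = [];
  const amounts = [];
  instructions.forEach((ix, i) => {
    if (ix.programId === SYSTEM_PROGRAM_ID && ix.data.length >= 4 &&
        u32le(ix.data, 0) === SYSTEM_ADVANCE_NONCE) {
      warnings.push({ index: i, kind: "durable-nonce",
        detail: "signature stays valid until the nonce advances; whoever holds it can broadcast later" });
    }
    if (ix.programId !== TOKEN_PROGRAM_ID || ix.data.length === 0) return;
    const tag = ix.data[0];
    // SetAuthority accounts: [token account, current authority]; data: [6, type, 0|1, new key]
    if (tag === TOKEN_SET_AUTHORITY && ix.data.length >= 3 &&
        ix.data[1] === AUTHORITY_ACCOUNT_OWNER && ix.accounts[1] === wallet) {
      const newOwner = ix.data[2] === 1 && ix.data.length >= 35 ? hex(ix.data.subarray(3, 35)) : "none";
      warnings.push({ index: i, kind: "token-account-owner-change",
        tokenAccount: ix.accounts[0], newOwner });
    }
    // Transfer accounts: [source, dest, authority]; TransferChecked: [source, mint, dest, authority]
    if (tag === TOKEN_TRANSFER && ix.data.length >= 9 && ix.accounts[2] === wallet) {
      amounts.push(u64le(ix.data, 1).toString());
    } else if (tag === TOKEN_TRANSFER_CHECKED && ix.data.length >= 10 && ix.accounts[3] === wallet) {
      amounts.push(u64le(ix.data, 1).toString());
    }
  });
  if (amounts.length > maxTransfers) {
    warnings.push({ kind: "bulk-transfer", count: amounts.length, amounts });
  }
  return warnings;
}

// Builders that produce the same wire encoding a real transaction would carry.
function transferIx(source, dest, authority, amount) {
  const data = new Uint8Array(9);
  data[0] = TOKEN_TRANSFER;
  new DataView(data.buffer).setBigUint64(1, BigInt(amount), true);
  return { programId: TOKEN_PROGRAM_ID, accounts: [source, dest, authority], data };
}
function setOwnerIx(tokenAccount, currentOwner, newOwnerBytes) {
  const data = new Uint8Array(35);
  data.set([TOKEN_SET_AUTHORITY, AUTHORITY_ACCOUNT_OWNER, 1]);
  data.set(newOwnerBytes, 3);
  return { programId: TOKEN_PROGRAM_ID, accounts: [tokenAccount, currentOwner], data };
}
function advanceNonceIx(nonceAccount, authority) {
  const data = new Uint8Array(4);
  new DataView(data.buffer).setUint32(0, SYSTEM_ADVANCE_NONCE, true);
  const recentBlockhashesSysvar = "SysvarRecentB1ockHashes11111111111111111111";
  return { programId: SYSTEM_PROGRAM_ID, accounts: [nonceAccount, recentBlockhashesSysvar, authority], data };
}

// Constructed sample data (placeholders, not real addresses).
const WALLET = "VictimWallet_placeholder";
const PHISHING_TX = [
  advanceNonceIx("NonceAccount_placeholder", WALLET),
  setOwnerIx("ManekiTokenAccount_placeholder", WALLET, new Uint8Array(32).fill(0x11)),
  ...["A", "B", "C", "D", "E"].map((t) =>
    transferIx(`Token${t}Account_placeholder`, "AttackerAccount_placeholder", WALLET, 1_000_000)),
];
const BENIGN_TX = [transferIx("TokenAAccount_placeholder", "FriendAccount_placeholder", WALLET, 250)];

console.log(JSON.stringify(inspectTransaction(PHISHING_TX, WALLET), null, 2));
console.log(inspectTransaction(BENIGN_TX, WALLET)); // []
```

Because this check reads the instruction bytes rather than asking an RPC node to simulate, it still works when simulation fails. It does not, however, see through the contract-upgrade trick from section 4: at signing time those instructions look benign, and the only signal left is the durable-nonce warning itself, which is why that warning should be treated seriously even when everything else looks normal.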
Conclusion
As you can see, the features above were designed to lower the barrier to entry and add convenience. We never imagined that, like a double-edged sword, the new technology would also hand phishing gangs a more diverse set of attacks.
Just before this article was written, Solana released two new features, Actions and Blinks. While everyone imagines what they might enable, some have already warned that phishing gangs may use them to defraud users.
Phishing on Solana is one-click and highly concealed. Transaction simulation sometimes fails, for example because of RPC instability, so it cannot be relied on completely.
Users who are able to are advised to interact through a Keystone hardware wallet, which adds an extra confirmation step and prevents a transaction from being confirmed hastily on impulse.
In addition, Keystone parses the transaction on the hardware side. When the software wallet's simulation fails, the hardware can still decode the transaction contents, providing a last line of defence.
Blockchain technology keeps developing and changing. We worry about the risks new technology brings, but we cannot stop because of them. Phishing gangs are like rats crossing the street, and practitioners, including hardware wallet makers and security companies, keep iterating solutions against new threats.
As an ordinary user, keep reminding yourself not to be dazzled by a "free lunch", and check the contents of every transaction carefully. With that security awareness, phishing will find it hard to succeed.