From EVM to Solana: How to Avoid Phishing Scams

Recently, a user posted about losing assets worth millions of RMB to a phishing attack on Solana. According to his description, he clicked a link that the phishing gang had posted in the replies under a tweet by the Maneki project and landed on their website.

What puzzled him was that during the interaction the website never seemed to ask him for any token authorization, yet the attacker succeeded directly. When he realized something was wrong with the site and tried to transfer the tokens out of his wallet before they were stolen, the transactions failed repeatedly and the tokens could no longer be moved.

With only these details, we cannot fully reconstruct the incident. What we can be sure of is that the user lost control of his Maneki token account, which is why his attempts to transfer the assets out of the wallet failed. Users accustomed to EVM chains may well wonder what "control of an account" means here.

The reason is that Solana's token model is implemented quite differently from the EVM chains. Carrying your EVM habits over to Solana unchanged is like enforcing the previous dynasty's laws on the current one: you will face substantial risk.

To use Solana safely you need to understand its characteristics and the fraud techniques built on them. We have therefore collected several attack methods on Solana that differ from those on EVM, in the hope of helping users unfamiliar with Solana avoid these pitfalls.

1. Account takeover: transferring ownership of a token account

The user in our opening case ran into exactly this attack. In a Solana wallet, each token is held in a separate account (a Token Account), much like the RMB account and USD account behind a single bank card: they are independent of each other, and each token account also has an owner attribute.

By default the owner of a token account is the current wallet, but this is not fixed. The owner can be changed through the SPL Token program's SetAuthority instruction (createSetAuthorityInstruction in the spl-token library). Attackers exploit this instruction by tricking users into transferring ownership of a token account in their wallet to the attacker's wallet.

Once this succeeds, the tokens still sit in the user's wallet, but the user can no longer transfer them; in effect they have been stolen.

Because this operation is so risky, both Phantom and @Backpack_CN wallets intercept such transactions and display a risk warning that requires a second confirmation, so the transfer only goes through if the user insists on approving it.
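The check a wallet performs here can be reproduced from the instruction bytes alone. The following is an added example, not code from the original article or from any wallet vendor: it decodes the data field of an SPL Token SetAuthority instruction according to the SPL Token program's layout and reports whether the instruction hands the token account's owner to a key other than the user's own. The sample keys are constructed (0x11.. for the user, 0x22.. for a stranger), and public keys are rendered as hex for simplicity rather than the base58 a wallet would show.

```javascript
// Added example, not code from the original article: decode the data bytes of an
// SPL Token SetAuthority instruction and report whether it hands a token account's
// owner to another wallet. Data layout, as defined by the SPL Token program:
//   byte 0      : instruction discriminator, 6 = SetAuthority
//   byte 1      : authority type (0 MintTokens, 1 FreezeAccount, 2 AccountOwner, 3 CloseAccount)
//   byte 2      : COption tag (0 = None, 1 = Some)
//   bytes 3..34 : the new authority's 32-byte public key when the tag is 1
const SPL_TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const SET_AUTHORITY = 6;
const AUTHORITY_TYPES = ["MintTokens", "FreezeAccount", "AccountOwner", "CloseAccount"];

// Public keys are rendered as hex here (a simplification; wallets show base58).
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Returns null when the data is not a SetAuthority instruction.
function decodeSetAuthority(data) {
  if (data.length < 3 || data[0] !== SET_AUTHORITY) return null;
  const authorityType = AUTHORITY_TYPES[data[1]] ?? `Unknown(${data[1]})`;
  const hasNewAuthority = data[2] === 1;
  if (hasNewAuthority && data.length < 35) {
    throw new Error("truncated SetAuthority data");
  }
  return {
    authorityType,
    newAuthority: hasNewAuthority ? toHex(data.subarray(3, 35)) : null,
  };
}

// instruction = { programId: base58 string, accounts: [...], data: Uint8Array }
// walletKey is the user's 32-byte public key as a Uint8Array.
function assessSetAuthority(instruction, walletKey) {
  if (instruction.programId !== SPL_TOKEN_PROGRAM_ID) {
    return { risky: false, reason: "not an SPL Token instruction" };
  }
  const decoded = decodeSetAuthority(instruction.data);
  if (decoded === null) return { risky: false, reason: "not SetAuthority" };
  const wallet = toHex(walletKey);
  if (
    decoded.authorityType === "AccountOwner" &&
    decoded.newAuthority !== null &&
    decoded.newAuthority !== wallet
  ) {
    return {
      risky: true,
      reason: `token account owner would be handed to ${decoded.newAuthority}`,
    };
  }
  return { risky: false, reason: `${decoded.authorityType} change` };
}

// Constructed sample keys: 0x11.. is the user's wallet, 0x22.. is a stranger's key.
const USER_KEY = new Uint8Array(32).fill(0x11);
const OTHER_KEY = new Uint8Array(32).fill(0x22);

// SetAuthority account list is [account being changed, current authority (signer)];
// the account names here are placeholders, not real addresses.
function ownerChangeInstruction(newOwner) {
  return {
    programId: SPL_TOKEN_PROGRAM_ID,
    accounts: ["<token account>", "<current owner, signer>"],
    data: new Uint8Array([SET_AUTHORITY, 2, 1, ...newOwner]),
  };
}

function demo() {
  return {
    // owner handed to a stranger: this is the attack from the opening case
    stolen: assessSetAuthority(ownerChangeInstruction(OTHER_KEY), USER_KEY),
    // owner set to the user's own key: nothing changes hands
    harmless: assessSetAuthority(ownerChangeInstruction(USER_KEY), USER_KEY),
    // an ordinary Transfer (discriminator 3, amount 1) is not a SetAuthority
    transfer: assessSetAuthority(
      { programId: SPL_TOKEN_PROGRAM_ID, accounts: [], data: new Uint8Array([3, 1, 0, 0, 0, 0, 0, 0, 0]) },
      USER_KEY
    ),
  };
}

console.log(demo());
```

Only the AccountOwner authority type (value 2) moves control of the tokens; a wallet that warns on any SetAuthority would also trip on harmless mint or freeze authority changes, so the decoder distinguishes them.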

2. Transfers on Solana require no prior authorization

On EVM chains, before a phishing contract can transfer tokens out of the victim's wallet, the user must first approve the phishing contract on the token contract. Only after that approval can the phishing contract initiate a transaction moving the user's assets.

On Solana, the "Approve" button in the wallet is not a token allowance; it approves, that is signs, the transaction itself. If the user mistakes it for an authorization step, the phishing transaction is sent out the moment they click Approve, and there is little chance of recovery.

There is a still more dangerous difference. If a user is tricked into approving a token on an EVM chain, only that single token is affected; other, unapproved tokens cannot be stolen. On Solana, however, tokens can be transferred without any allowance as long as the user approves the transaction. Combined with the third characteristic described next, this can cause the user enormous losses.

3. Beware of being tricked into transferring multiple tokens

Solana's transaction design allows many instructions (sub-transactions) to be packed into one transaction, each of which completes one interaction, such as transferring a particular token. On EVM chains, by contrast, transferring each token requires a separate transaction. This Solana feature is genuinely convenient.

For example, your wallet may contain some tokens worth less than 1u (about one US dollar) each. Sol-incinerator uses this feature to let users send their small token balances in one batch and swap them back to SOL, without the many separate swaps that would consume a lot of Gas and time.

There are pros and cons. The same feature is equally convenient for attackers: as long as they trick a user into confirming one transaction, they can sweep every token, NFT and even the SOL in the user's wallet. So if you see a transaction containing a large number of token transfers, consider whether an attacker is using this feature to empty your wallet.

4. Fraudulent transaction signatures

On EVM chains, the permit signature is popular with phishing gangs because it is covert and leaves no trace in the signer's wallet; currently more than half of phishing attacks are carried out with it. Solana has a similar mechanism: the Durable Nonce.

The Durable Nonce behaves much like permit. If a user signs such a transaction without realizing it, the assets are not lost immediately, and no transaction appears in the wallet. Instead, the signed transaction is sent to the phishing gang, which later broadcasts it to the blockchain. This offline transaction shares permit's characteristics and is just as dangerous.

Because Solana can simulate transaction results, a Durable Nonce transaction is more readable than a permit signature and easier for users to identify. To steal assets more smoothly, phishing gangs therefore combine the Durable Nonce with contract upgrades, trying to evade the warnings produced by transaction simulation.

The phishing website first has the user interact with a normal contract that contains no malicious logic. At this point the wallet's transaction simulation shows nothing wrong.

After the user approves, the phishing gang holding the user's signature is in no hurry to broadcast the transaction. They wait a while, upgrade the contract to a version containing malicious code, and only then broadcast the transaction. The user suddenly finds his assets gone without having done anything, because the signature may have been given days earlier.

This upgrade-based attack is extremely covert and damaging, and current transaction simulation cannot yet surface the risk. We therefore still need to stay alert, not lean too heavily on wallet software's warnings, and not blindly trust simulation results.
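Both the batch-transfer pattern from section 3 and the Durable Nonce pattern from section 4 are visible in the structure of the transaction before it is signed, independent of what simulation reports. The following is an added example, not code from the original article or from any wallet: a transaction-level check that a wallet could run over an already decoded instruction list ({ programId, accounts, data }) rather than over raw transaction bytes. It counts token transfers signed by the user's wallet and recognizes a durable-nonce transaction by the AdvanceNonceAccount instruction that such a transaction must carry in first position. The account names in the sample are constructed placeholders, not real addresses; the two program IDs and the instruction discriminators are those of the SPL Token and System programs.

```javascript
// Added example, not code from the original article: transaction-level checks a
// wallet could run before asking the user to sign. Works on an already decoded
// instruction list, { programId, accounts: [strings], data: Uint8Array }.
const SPL_TOKEN_PROGRAM_ID = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const SYSTEM_PROGRAM_ID = "11111111111111111111111111111111";
// SPL Token instruction discriminators (u8 at data[0])
const TOKEN_TRANSFER = 3;
const TOKEN_SET_AUTHORITY = 6;
const TOKEN_TRANSFER_CHECKED = 12;
// System program instruction index (u32 little-endian at data[0..4])
const SYSTEM_ADVANCE_NONCE_ACCOUNT = 4;

function u32le(data) {
  return (data[0] | (data[1] << 8) | (data[2] << 16) | (data[3] << 24)) >>> 0;
}

// A durable-nonce transaction must carry AdvanceNonceAccount as its first instruction.
function isAdvanceNonce(ix) {
  return (
    ix.programId === SYSTEM_PROGRAM_ID &&
    ix.data.length >= 4 &&
    u32le(ix.data) === SYSTEM_ADVANCE_NONCE_ACCOUNT
  );
}

// Returns the signing authority of a token transfer, or null if ix is not one.
// Transfer accounts: [source, destination, authority]
// TransferChecked accounts: [source, mint, destination, authority]
function transferAuthority(ix) {
  if (ix.programId !== SPL_TOKEN_PROGRAM_ID || ix.data.length === 0) return null;
  if (ix.data[0] === TOKEN_TRANSFER) return ix.accounts[2] ?? null;
  if (ix.data[0] === TOKEN_TRANSFER_CHECKED) return ix.accounts[3] ?? null;
  return null;
}

// maxTransfers is an assumed threshold; a real wallet would tune it.
function analyzeTransaction(instructions, wallet, maxTransfers = 3) {
  const findings = [];
  if (instructions.length > 0 && isAdvanceNonce(instructions[0])) {
    findings.push(
      "durable nonce: the signature stays valid until broadcast, and programs it calls may be upgraded before then"
    );
  }
  const outgoing = instructions.filter((ix) => transferAuthority(ix) === wallet).length;
  if (outgoing > maxTransfers) {
    findings.push(`${outgoing} token transfers signed by this wallet in a single transaction`);
  }
  if (instructions.some((ix) => ix.programId === SPL_TOKEN_PROGRAM_ID && ix.data[0] === TOKEN_SET_AUTHORITY)) {
    findings.push("SetAuthority: a token account's authority would change");
  }
  return { risky: findings.length > 0, findings };
}

// Constructed sample (placeholder account names, not real keys).
const WALLET = "<user wallet>";
function transfer(i) {
  return {
    programId: SPL_TOKEN_PROGRAM_ID,
    accounts: [`<user token account ${i}>`, `<recipient token account ${i}>`, WALLET],
    data: new Uint8Array([TOKEN_TRANSFER, 1, 0, 0, 0, 0, 0, 0, 0]), // amount = 1 (u64 LE)
  };
}
const advanceNonce = {
  programId: SYSTEM_PROGRAM_ID,
  accounts: ["<nonce account>", "<recent blockhashes sysvar>", WALLET],
  data: new Uint8Array([4, 0, 0, 0]),
};

function demo() {
  return {
    // durable nonce plus five outgoing transfers: the wallet-draining shape
    sweep: analyzeTransaction([advanceNonce, ...[1, 2, 3, 4, 5].map(transfer)], WALLET),
    // one ordinary transfer with a fresh blockhash: nothing to report
    normal: analyzeTransaction([transfer(1)], WALLET),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The durable-nonce finding is deliberately a warning rather than a block: legitimate flows use durable nonces too, but the user should know that what they sign here does not expire with a blockhash and may execute against a program that has been upgraded in the meantime.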

Conclusion

As the above shows, these features were originally designed to lower the barrier to entry and make Solana more convenient. Unexpectedly, new technology is a double-edged sword, and it has also given phishing gangs a wider range of attack methods.

Just before this article was written, Solana released two new features, Actions and Blinks. While everyone was imagining what they could do, some also warned that phishing gangs might use them to commit fraud.

Phishing on Solana is characterized by one-click execution and high concealment. Transaction simulation sometimes fails for reasons such as RPC instability, so it cannot be fully relied upon.

We recommend that users who are able to do so interact through a Keystone hardware wallet, which adds an extra confirmation step and avoids approving a transaction too quickly out of impulse or haste.

In addition, Keystone parses transactions on the hardware side. When the software wallet's transaction simulation fails, the hardware can still parse the transaction contents, providing a last line of defense.

Blockchain technology is constantly developing and changing. We pay attention to the risks that new technology brings, but we cannot stop there. Phishing gangs are like rats crossing the street: everyone wants them gone, and practitioners including hardware wallet makers and security companies keep iterating on solutions to new threats.

As an ordinary user, always remind yourself not to be dazzled by a "free lunch", and check transaction contents carefully. With that level of security awareness, phishing will find it hard to succeed.