Article Summary

  • Explaining the background of Solana account owner authority modification attacks.
  • Analyzing the mechanics of the attack and the account property it exploits.
  • Detailed display of the stolen funds' path through the blockchain.
  • Providing practical strategies for preventing phishing and fraud attacks.
  • Emphasizing the importance of caution and verification before signing any transactions.

Introduction

Recently, we received a request for help from a user who had experienced a phishing attack that day. The user discovered abnormal authorization records in their wallet, tried to revoke the authorization but was unable to do so, and provided the affected wallet address 9w2e3kpt5XUQXLdGb51nRWZoh4JFs6FL7TdEYsvKq6Wb. Through on-chain analysis, we found that the owner authority of the user's account had been transferred to address GKJBELftW5Rjg24wP88NRaKGsEBtrPLgMiv3DhbJwbzQ. In addition, assets worth over $3 million USD had been stolen, while other assets worth approximately $2 million USD were deposited in a DeFi protocol and could not be transferred (the approximately $2 million USD portion has since been successfully rescued with the assistance of the relevant DeFi protocol). The victim attempted to initiate a transfer from this account to their own address to verify their permissions, but every transaction failed. This situation is highly similar to the "malicious multi-signature" attacks that frequently occur in the TRON ecosystem. In other words, this is not a traditional "authorization theft": the account's core authority (the owner) has been replaced by the attacker, so the victim can no longer transfer funds, revoke authorizations, or operate their DeFi assets, even if they want to. The funds are "visible," but they cannot be controlled.

Solana Owner Modification Mechanism

The attackers exploited two counter-intuitive points to successfully trick the user into clicking:
  1. Usually, when a transaction is signed, the wallet simulates its execution and displays any change in funds on the confirmation screen; the transaction carefully constructed by the attacker produces no change in funds at all.
  2. A traditional Ethereum EOA is controlled solely by its private key, so it is not intuitively obvious that a Solana account has a property that allows its ownership to be modified.

Let's analyze what kind of operation a Solana owner modification is. When we create an account with a wallet, its owner is usually the System Program (11111111111111111111111111111111), and on each transaction the runtime verifies that the transaction signature was produced by the corresponding public key. You can use the solana account command to view the basic information of an account:

There is also a type of account called a PDA (Program Derived Address) account, which is derived from a smart contract and is mainly used to store that contract's data. Its owner is the smart contract that derived it. For example, the accounts that store token issuance and holding information are PDA accounts; when you view one with solana account, you can see that its owner is the Token program TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA:

Both types of account can have their owner changed, but under different rules and restrictions. An ordinary account cannot have its owner changed directly from the outside by a command or script, but it can be changed through a smart contract call. The key instruction is:

The assign instruction changes the owner of the account from its current value to new_owner. After deploying the program, the instruction can be invoked with the Solana CLI or a client such as Solana Web3.js. This phishing incident used exactly this property: the victim was lured into proactively signing a transaction containing an assign instruction, which silently transferred the owner of the victim's wallet address. A PDA account can also have its owner changed, likewise through the assign instruction, but only while the account's data is empty. We tested how owner modification behaves in several scenarios:
  1. A newly created PDA account can arbitrarily assign an owner. If the owner is not the program that created it, then the program has no write permissions.
  2. When a created PDA account tries to modify its owner, it reports an error: "instruction illegally modified the program id of an account".
  3. Trying to write data before the final assign of a PDA: "instruction modified data of an account it does not own".
After the account owner is modified, the user loses control of the account, and the attacker can transfer its assets through CPI calls. Another common ownership change is that of a token account's owner. This is controlled by logic inside a smart contract (the Token program) rather than by Solana's underlying account model, but it is also frequently used in phishing attacks, and users should be aware of this kind of phishing as well.
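As an added example (not SlowMist's code, nor any wallet's implementation), the following Python scans a serialized legacy Solana transaction message for System Program assign instructions before it is signed, which is exactly what a balance-change preview misses. The System Program address, instruction tags and message layout are Solana's public formats; the wallet key, new-owner key and sample message are constructed placeholders.

```python
# Added example, not SlowMist's code; keys and message bytes below are constructed.
import struct

SYSTEM_PROGRAM = bytes(32)        # base58 "11111111111111111111111111111111"
ASSIGN, ASSIGN_WITH_SEED = 1, 10  # bincode u32 tags in the System Program enum

def compact_u16(buf, pos):
    # Solana's varint length prefix: 7 bits per byte, high bit means continue.
    val, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        val |= (b & 0x7F) << shift
        if b < 0x80:
            return val, pos
        shift += 7

def parse_message(msg):
    # Legacy message: 3-byte header, account keys, recent blockhash, instructions.
    n, pos = compact_u16(msg, 3)
    keys = [msg[pos + 32 * i:pos + 32 * (i + 1)] for i in range(n)]
    pos += 32 * n + 32
    n, pos = compact_u16(msg, pos)
    instrs = []
    for _ in range(n):
        prog, pos = keys[msg[pos]], pos + 1
        m, pos = compact_u16(msg, pos)
        accts, pos = [keys[i] for i in msg[pos:pos + m]], pos + m
        m, pos = compact_u16(msg, pos)
        instrs.append((prog, accts, msg[pos:pos + m])); pos += m
    return instrs

def find_owner_changes(msg):
    # One (kind, assigned account, new owner) tuple per owner-changing instruction.
    alerts = []
    for prog, accts, data in parse_message(msg):
        if prog != SYSTEM_PROGRAM or len(data) < 4:
            continue
        tag = struct.unpack_from("<I", data)[0]
        if tag == ASSIGN:              # data = tag || new_owner
            alerts.append(("Assign", accts[0], data[4:36]))
        elif tag == ASSIGN_WITH_SEED:  # data = tag || base || seed || new_owner
            alerts.append(("AssignWithSeed", accts[0], data[-32:]))
    return alerts

# Constructed phishing-style message: its only instruction is Assign(WALLET -> NEW_OWNER),
# which moves no lamports, so a balance-change preview shows nothing.
WALLET, NEW_OWNER = bytes([1]) * 32, bytes([3]) * 32
SAMPLE_MESSAGE = (bytes([1, 0, 1, 2]) + WALLET + SYSTEM_PROGRAM + bytes(32)  # header, 2 keys, blockhash
    + bytes([1, 1, 1, 0, 36]) + struct.pack("<I", ASSIGN) + NEW_OWNER)  # 1 ix: prog=keys[1], accts=[0], 36 data bytes
```

Calling find_owner_changes(SAMPLE_MESSAGE) returns one Assign alert naming the wallet and the new owner; a plain Transfer message returns an empty list.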

MistTrack Analysis

Using the tracking and anti-money-laundering tool MistTrack, we analyzed the victim's address 9w2e3kpt5XUQXLdGb51nRWZoh4JFs6FL7TdEYsvKq6Wb. The money transfer path of this attack is complex, and the attackers mainly used two core addresses, BaBcXDg... (Flow 1) and 7pSj1Rx... (Flow 2), to handle the assets.

Flow 1: BaBcXDgbPgn85XtEQK7TZV8kZuFpT4iWVAs4QJoyNSmd

The first main path involves assets worth approximately $2.38 million USD, and its core feature is "multi-level diffusion + decentralized CEX deposits + multi-address transfers." Through this address the attacker converts the various tokens received (including PAYAI, CASH, CARDS, JitoSOL, POLYFACTS, PUMP, PYUSD, CAP) into SOL. Among them, PUMP is transferred to 7E4eNkK... and then converted to SOL. The converted SOL mainly flows as follows:
  1. 717.5 SOL is transferred to YDrMfsB..., some SOL is transferred to the Binance platform, and the remaining funds are scattered and remain in about 4 transfer addresses.
  2. 7,556.89 SOL + 2,218 SOL (from PUMP conversion) are uniformly aggregated to 7E4eNkK..., then some SOL is transferred to the Letsexchange platform, 5,050.93 SOL is transferred to FyB2jDJbTdmW..., and the remaining funds are scattered and remain in about 13 addresses.
  3. 2,161.88 SOL + the above 5,050.93 SOL are further scattered in FyB2jD..., and are transferred to multiple platforms (HTX, Binance, Kucoin, ChangeNOW, Changelly), and a portion of them flow into an unknown address (25nULbv), and the remaining funds are scattered and remain in about 25 addresses.
  4. 2,053 SOL is transferred to 6qdtH5D..., some SOL is transferred to the Letsexchange platform, and the remaining funds are scattered and remain in about 15 transfer addresses.
  5. 20 SOL is transferred to 5rJdvkp..., then transferred and remains in the address 2etvjZH....
  6. 2,142 SOL is transferred to 2xFzAda..., 352 SOL is transferred to the Binance platform, 200 SOL is transferred to the Letsexchange platform, and the remaining funds are scattered and remain in about 11 transfer addresses.
Flow 2: 7pSj1RxHf77G3XeisvnNAtbyx5AFjYPcChswWhZe9bM8

The second main path involves assets worth approximately $790,000 USD, and its core feature is "cross-chain, multi-chain cyclic exchange." The attacker again converts the various tokens received into SOL, with JitoSOL, PUMP and POLYFACTS accounting for a large proportion. The converted SOL mainly flows as follows: 5,742 SOL is transferred to FiywJZ2Z..., an address that also receives 2,772.8 SOL from other phishing addresses already marked as "Phishing" by MistTrack. The attacker then converts 8,579.92 SOL to ETH via Relay.link and bridges it to the Arbitrum address 0xDCFa6f..., converts the funds back to SOL via 1inch and bridges them to multiple Solana addresses, and then repeats the bridging via 1inch; we will not go into the details here. FiywJZ2Z... transfers the remaining 215.89 SOL to Ah5Rs916..., which converts it to 29,875 USDC. The USDC is converted to DAI via Relay.link in tranches of 5,000, 5,000, 5,000, 5,000 and 19,875.38 and bridged to the Base and Ethereum address 0xd2c1c2A...; two of the 5,000 USDC tranches were returned, and the remainder has not been transferred so far.

DeFi Asset Rescue

In addition, with the help of multiple parties, the victim's remaining assets in DeFi were successfully extracted and transferred out through address fgR5PJF..., including approximately 2.17 million PYUSD and 4,548 USDC:

This flow of funds clearly shows the attacker's behavior pattern: rapid scattering, multi-address transfers, multi-platform mixing, cross-chain rotation, CEX deposits and DeFi asset reuse are carried out simultaneously, building a multi-level, cross-ecosystem money-laundering network that greatly increases the difficulty of tracking. MistTrack has marked all related addresses.

How to Prevent Similar Attacks?

For ordinary users, this type of attack is essentially a "phishing attack." Attackers dress up links in many ways, such as airdrops, rewards, tasks, early-testing eligibility, and even fake official announcements, so that the operation looks trivial, while the signature pop-up actually hides high-risk permissions such as modifying the owner. Once signed, the wallet is essentially taken over. The most important prevention method is therefore to think twice before clicking a link and before clicking "sign": Is the source trustworthy? Is this page official? What exactly does this signature do? If the content shown by the wallet is completely incomprehensible, or if strange permissions, unfamiliar addresses, or inexplicable authorization requests suddenly appear, you must stop and not force yourself to click "confirm."

In daily use, also avoid interacting everywhere with a wallet that holds large assets. Prepare a small account "with a low balance, used only for interaction" to do tasks, try projects, and receive airdrops, and keep the truly important assets in a separate wallet or even a cold wallet, so that even a mistaken signature keeps losses to a minimum. In addition, try to avoid granting "unlimited authorization"; restrict the scope and the amount wherever you can, to reduce the room attackers have to abuse it in the long run.

In short: look more, verify again, do not click randomly, do not sign randomly, and leave yourself a layer of protection. Store large assets separately: the small account handles interaction, and the large account only handles safekeeping. Stop immediately if you encounter any abnormality, and do not rely on luck. As long as you do this, the risk of falling for this type of phishing can be greatly reduced. Finally, we highly recommend reading the "Blockchain Dark Forest Self-Rescue Handbook" (https://darkhandbook.io/).

Risk Warning: this article represents only the author's views and is for reference only. It does not constitute investment advice or financial guidance, nor does it represent the stance of the Markets.com platform. When considering shares, indices, forex (foreign exchange) and commodities for trading and price predictions, remember that trading CFDs involves a significant degree of risk and could result in capital loss. Past performance is not indicative of any future results. This information is provided for informative purposes only and should not be construed to be investment advice. Trading cryptocurrency CFDs and spread bets is restricted for all UK retail clients.