Backdoor Drains $155k from Digital Wallets

Hackers Pocket $155,000 by Injecting Backdoor into Solana Code Library

Supply-Chain Attack

Hackers have made off with as much as $155,000 by sneaking a backdoor into a code library used by developers of smart contract apps that work with the cryptocurrency known as Solana.

Target: Solana-web3.js

The supply-chain attack targeted solana-web3.js, a collection of JavaScript code used by developers of decentralized apps (dapps) for interacting with the Solana blockchain. These dapps allow people to sign smart contracts that operate autonomously in executing currency trades among two or more parties when certain agreed-upon conditions are met.

Backdoored Code

The backdoor came in the form of code that collected private keys and wallet addresses when apps that directly handled private keys incorporated solana-web3.js versions 1.95.6 and 1.95.7. These backdoored versions were available for download during a five-hour window between 3:20 pm UTC and 8:25 pm UTC on Tuesday.

Assume Full Compromise

"This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly," stated a message posted to GitHub by Anza, the firm that develops the code library. "This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions."

Recommendations

Anza urged all Solana app developers to upgrade to version 1.95.8, which, at the time this post went live on Ars, was the latest available. The company further encouraged developers who suspect they might have been compromised in the attack to rotate any suspect authority keys, including multisigs, program authorities, and server keypairs.

Solana Labs Statement

The same message was posted to social media by Solana Labs, a developer that has forked its original client.

Conclusion

The attack highlights the importance of vigilance in software development and the potential consequences of supply-chain attacks. Developers must ensure that they keep their software up to date and monitor their code for any suspicious activity to prevent such attacks in the future.

FAQs

Q: What is a supply-chain attack?
A: A supply-chain attack occurs when an attacker injects malicious code into a software library or framework used by multiple applications, allowing them to compromise multiple systems at once.

Q: What is solana-web3.js?
A: solana-web3.js is a collection of JavaScript code used by developers of decentralized apps for interacting with the Solana blockchain.

Q: How much money was stolen in the attack?
A: Hackers made off with as much as $155,000.

Q: What should I do if I suspect I have been compromised in the attack?
A: Rotate any suspect authority keys, including multisigs, program authorities, and server keypairs, and upgrade to the latest version of solana-web3.js.
