Fraud-as-a-Service: New Solana Drainers Identified
Web3 security firm Blowfish has identified two new Solana drainers, according to a Feb. 9 analysis shared on X (formerly Twitter).
The drainers, known as 'Aqua' and 'Vanish', have been observed altering on-chain conditions, even after the user's private key has been used to sign a transaction. According to Blowfish, the drainer scripts are available for a fee in marketplaces that offer fraud-as-a-service tools.
The Blowfish team broke down how the drainers alter data and steal money. “On Solana, a dApp can be empowered to issue a transaction. If the dApp's onchain program includes a conditional that allows the user to send SOL or flush their account, the drain machine can override that conditional at any time.”
Users do not notice the drainers at first. The victim signs what appears to be a valid transaction. However, after receiving the signature, the drainer temporarily holds the transaction. “Then, in a separate transaction, they override the state of the dApp. Instead, SOL goes from showing up to sending to taking.”
There's a whole new breed of cheats, and they're nothing like we've seen before!
Think about it: something that looks secure when you sign it, but suddenly depletes your assets the moment it's chained.
Sounds like a nightmare, doesn't it?
— Blowfish (@blowfishxyz) February 9, 2024
A bit-flip attack is a type of exploit in which the attacker changes the value of certain bits in encrypted data to gain control of the system. It allows the attacker to change an encrypted message without knowing the encryption key. By flipping certain bits, an attacker can sometimes alter the message in a way that still decodes.
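The malleability described in this paragraph, and the integrity check that detects it, as an added example that is not from Blowfish or the original article. It models the general encrypted-data case rather than Solana program state, and the toy SHA-256 keystream, keys and message are all constructed for illustration.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (constructed for this demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream (same operation both ways)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def flip(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Tampering without the key: XOR (old ^ new) into the ciphertext bytes."""
    patched = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(old, new)):
        patched[offset + i] ^= a ^ b
    return bytes(patched)

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Verify the tag before decrypting; return None if anything was altered."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_crypt(enc_key, nonce, ct)

# Constructed sample values (not real keys or real transaction data).
ENC_KEY, MAC_KEY, NONCE = b"k" * 32, b"m" * 32, b"n" * 12
MESSAGE = b"direction=send;amount=5"

def demo():
    """Return (unauthenticated decrypt of tampered data, authenticated result, clean result)."""
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    tampered = flip(ct, MESSAGE.index(b"send"), b"send", b"take")
    return (xor_crypt(ENC_KEY, NONCE, tampered),
            open_sealed(ENC_KEY, MAC_KEY, NONCE, tampered, tag),
            open_sealed(ENC_KEY, MAC_KEY, NONCE, ct, tag))

if __name__ == "__main__":
    print(demo())
```

Without the tag check the altered ciphertext decrypts cleanly to a different instruction; with encrypt-then-MAC the same tampering is rejected before decryption.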
A growing number of crypto drainers have targeted the Solana ecosystem. According to Chainalysis, one of the largest online communities dedicated to a Solana wallet drainer kit had more than 6,000 members as of January. Brian Carter, senior intelligence analyst at Chainalysis, told Cointelegraph in an earlier interview that the most successful drainer tools can target multiple assets in a variety of ways.
The Blowfish team is said to have deployed safeguards to automatically shut down newly discovered drainers, and is monitoring activity on the chain.