Hackers made off with $155,000 by sneaking a backdoor into a code library used by developers of smart contract apps that run on a cryptocurrency known as Solana.
The supply chain attack targeted solana-web3.js, a collection of JavaScript code used by decentralized app developers to interact with the Solana blockchain. These “dapps” allow people to sign smart contracts, which, in theory, give them autonomy in executing currency transactions between two or more parties if certain agreed-upon conditions are met.
The backdoor was introduced in the form of code that harvested private keys and wallet addresses when solana-web3.js versions 1.95.6 and 1.95.7 were included in apps that directly handle private keys. These backdoor versions were available for download during a five-hour period from 3:20 PM UTC to 8:25 PM UTC on Tuesday.
Assume complete compromise
A message posted by Anza on GitHub states: “This allows attackers to publish modified, unapproved malicious packages, steal private key material, and use bots and other tools that directly handle private keys. It has become possible for funds to flow out of dapps.” The message adds: “Non-custodial wallets typically do not expose private keys during transactions, so this issue should not affect them.”
Anza also urged all Solana app developers to upgrade to version 1.95.8, which was the latest version available at the time this post was published on Ars. The company also encouraged developers who suspect they may have been compromised in the attack to rotate any keys that could have been exposed, including multisig keys, program authority keys, and server key pairs.
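The practical first step for a developer reading this is to find out whether either backdoored release ever landed in a project, including as a transitive dependency pulled in by some other package. The script below is an added example, not code from Ars, Anza, or the solana-web3.js project: it scans an npm `package-lock.json` (both the `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1) for the affected versions the article names, 1.95.6 and 1.95.7, and reports each copy it finds together with the fixed version, 1.95.8. It assumes the library's npm registry name is `@solana/web3.js`; the two sample lockfiles and the package name `example-bot-sdk` are constructed for the demo.

```javascript
// Added example: scan an npm lockfile for the backdoored @solana/web3.js releases.
// Affected versions (1.95.6, 1.95.7) and the fixed version (1.95.8) are the ones
// reported in the article. The sample lockfiles below are constructed, not real.

const AFFECTED = {
  '@solana/web3.js': new Set(['1.95.6', '1.95.7']),
};
const FIXED = { '@solana/web3.js': '1.95.8' };

// True only for an exact match on a known-bad name/version pair.
function isAffected(name, version) {
  const bad = AFFECTED[name];
  return bad !== undefined && bad.has(version);
}

// Returns one hit per affected copy found in the lockfile, including nested
// copies installed under other packages (where a pin by a bot SDK or similar
// would hide from a glance at the top-level package.json).
function findAffected(lock) {
  const hits = [];
  const record = (name, version, where) =>
    hits.push({ name, version, where, fixed: FIXED[name] });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === '') continue; // the root project entry
      const marker = 'node_modules/';
      const name = meta.name ||
        installPath.slice(installPath.lastIndexOf(marker) + marker.length);
      if (isAffected(name, meta.version)) record(name, meta.version, installPath);
    }
    return hits;
  }

  // lockfileVersion 1: recursive "dependencies" tree.
  const walk = (deps, parentPath) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = parentPath ? `${parentPath}/node_modules/${name}` : `node_modules/${name}`;
      if (isAffected(name, meta.version)) record(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed v3 lockfile: the root pins the fixed release, but a hypothetical
// SDK bundles its own copy of the backdoored 1.95.7.
const SAMPLE_LOCK_V3 = {
  name: 'example-dapp', lockfileVersion: 3,
  packages: {
    '': { name: 'example-dapp', version: '0.1.0' },
    'node_modules/@solana/web3.js': { version: '1.95.8' },
    'node_modules/example-bot-sdk': { version: '2.0.0', dependencies: { '@solana/web3.js': '1.95.7' } },
    'node_modules/example-bot-sdk/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
};

// Constructed v1 lockfile with the same shape expressed as a nested tree.
const SAMPLE_LOCK_V1 = {
  name: 'example-dapp', lockfileVersion: 1,
  dependencies: {
    '@solana/web3.js': { version: '1.95.6' },
    'example-bot-sdk': { version: '2.0.0', dependencies: { '@solana/web3.js': { version: '1.95.8' } } },
  },
};

function report(hits) {
  if (hits.length === 0) return 'no affected versions found';
  return hits.map(h => `${h.where}: ${h.name}@${h.version} is backdoored; upgrade to ${h.fixed}`).join('\n');
}

// CLI usage: node scan-lock.js path/to/package-lock.json (falls back to the sample).
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file && file.endsWith('.json')
    ? JSON.parse(require('fs').readFileSync(file, 'utf8'))
    : SAMPLE_LOCK_V3;
  console.log(report(findAffected(lock)));
}
```

A clean scan of the current lockfile is not the whole story: the window was five hours, and a bot or server that ran `npm install` during it and has since been redeployed leaves no trace in today's lockfile, which is why the key-rotation advice above applies to anything that installed during that period.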
The same message was posted on social media by Solana Labs, the developer who forked the original client.