# Security Compromise in Well-Known Code Repository Results in Approximately $155K Stolen from Digital Wallets
### Solana-web3.js Library Compromise: A Supply-Chain Breach Depletes User Wallets
In a troubling turn of events for the cryptocurrency landscape, attackers compromised the **Solana-web3.js** library, a widely used JavaScript codebase that helps developers build decentralized applications (dApps) on the Solana blockchain. The supply-chain attack let the malicious actors capture private keys and drain user wallets, with estimated losses of **$155,000 in Solana (SOL)** tokens.
---
### **The Breach: What Transpired?**
The incident unfolded when attackers succeeded in injecting a backdoor into select versions of the **solana-web3.js** library—specifically, versions **1.95.6** and **1.95.7**. These compromised releases remained available for download for a crucial **five-hour period** on November 22, 2023, from **3:20 PM UTC to 8:25 PM UTC**.
The backdoor was structured to capture **private keys** and **wallet addresses** from applications that interacted with sensitive private key data. The acquired information was then used to extract funds from the compromised wallets. The illicitly obtained cryptocurrency was funneled to a wallet address under the control of the attackers, which is reported to have received **674.8 SOL** during the incident.
---
### **Mechanics of the Backdoor**
Investigations by security experts into the breach uncovered the following aspects of the malicious code:
1. **Insertion of Malicious Functions**:
   - Attackers added a function named `addToQueue` to the library, designed to exfiltrate private keys from applications that handled them.
   - Calls to this function were placed in the code paths that touch private keys, so the backdoor fired whenever sensitive key data was accessed.
2. **Command and Control Infrastructure**:
   - Captured data was sent to the domain **sol-rpc[.]xyz**, which served as the attackers' command-and-control (C2) server. The domain was registered on November 22, shortly before the attack, and was initially fronted by Cloudflare's content delivery network.
3. **Targeted Applications**:
   - The breach predominantly affected **dApps** and **bots** that handle private keys directly; non-custodial wallets, which generally do not expose private keys during transactions, reportedly remained unaffected.
---
### **Consequences for Developers and Users**
The breach has yielded far-reaching effects for both developers and users within the Solana ecosystem:
- **Monetary Damage**:
  - Approximately **$155,000 worth of SOL tokens** was stolen; individual losses range from **$20,000** upward, with the largest amounts not publicly disclosed.
- **Compromised Systems**:
  - The GitHub Advisory Database issued a stern warning: any system using the affected versions of **solana-web3.js** should be deemed **fully compromised**. Developers are advised to rotate all keys and secrets on impacted systems.
- **Reputational Harm**:
  - The incident has raised concerns about the security of open-source libraries and the broader impact of supply-chain attacks in the cryptocurrency domain.
---
### **Actions Taken and Mitigation Strategies**
Following the attack, several measures have been initiated to remedy the breach and alleviate its repercussions:
1. **Updated Version Release**:
   - The maintainers of **solana-web3.js** released an updated version, **1.95.8**, which removes the malicious code. Developers are strongly encouraged to upgrade to this version without delay.
2. **Key Replacement**:
   - Developers who suspect their applications have been compromised should **rotate all authority keys**, including:
     - Multisignature (multisig) keys
     - Program authorities
     - Server keypairs
3. **Public Warnings**:
   - Solana Labs and several stakeholders have issued public advisories through social media and developer forums, stressing the need to upgrade to the patched version and adopt preventive measures.
4. **Malicious Domain Shutdown**:
   - The rogue domain **sol-rpc