- Solana wallet drainers utilize bit-flip attacks to change transaction data after signing, allowing theft of users’ funds.
- Two new drainers, Aqua and Vanish, are being sold on scam-as-a-service sites and target Solana dApps.
- Solana faces increasing draining attacks, with some exploit kits having thousands of members. Users should only interact with trusted sources.
Web3 security firm Blowfish has identified two new Solana wallet drainers that can steal users’ funds through bit-flip attacks, according to Web3 security firm Blowfish. These tools are being offered for sale on scam-as-a-service marketplaces.
How the Drainers Work
The drainers, named Aqua and Vanish, work by modifying a conditional statement within a transaction’s on-chain data, even after the transaction has been signed by the user with their private key.
Specifically, the drainers target decentralized apps (dApps) that have been granted authority to submit transactions on the user’s behalf. If the dApp’s on-chain program contains a conditional that checks if funds should be sent to the user or drained from their account, the drainer can flip that conditional at any time after the transaction is signed.
This allows the drainer to temporarily hold the transaction, then submit it later with the conditional flipped to drain funds instead of sending them. The user is unaware of the change since their valid signature is still applied.
The Bit-Flip Attack
The drainers utilize a bit-flip attack, which changes the value of some bits in the encrypted data to manipulate the system. The drainer can modify the transaction without knowing the encryption key. Flipping specific bits in a predictable way allows the data to be decrypted differently than the user intended.
Drainers Targeting Solana on the Rise
Solana has faced an increasing number of crypto-draining attacks recently. Per Chainalysis, one online community devoted to a Solana wallet drainer kit had over 6,000 members as of January. The most successful kits can target assets in various ways.
Blowfish has implemented automatic defenses against the newly identified drainers and is monitoring the blockchain for further exploits. Users should be vigilant about only approving transactions from trusted sources on Solana and other chains vulnerable to bit-flip attacks.
