Hackers pocketed as much as $155,000 by sneaking a backdoor into a code library used by developers of smart contract apps that work with the cryptocurrency known as Solana.
The supply-chain attack targeted solana-web3.js, a collection of JavaScript code used by developers of decentralized apps for interacting with the Solana blockchain. These “dapps” allow people to sign smart contracts that, in theory, operate autonomously in executing currency trades among two or more parties when certain agreed-upon conditions are met.
The backdoor came in the form of code that collected private keys and wallet addresses when apps that directly handled private keys incorporated solana-web3.js versions 1.95.6 and 1.95.7. These backdoored versions were available for download during a five-hour window between 3:20 pm UTC and 8:25 pm UTC on Tuesday.
Assume full compromise
“This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly,” stated a message posted to GitHub by Anza, the firm that develops the code library. “This issue should not affect non-custodial wallets, as they generally do not expose private keys during transactions.”
Anza went on to urge all Solana app developers to upgrade to version 1.95.8, which, at the time this post went live on Ars, was the latest available. The company further encouraged developers who suspect they might have been compromised in the attack to rotate any suspect authority keys, including multisigs, program authorities, and server keypairs.
The same message was posted to social media by Solana Labs, a developer that has forked its original client.