Scam-as-a-service: New Solana drainers identified


Web3 security firm Blowfish has detected two new Solana drainers that can perform bit-flip attacks, according to a Feb. 9 analysis shared on X (formerly Twitter). 

The drainers, known as ‘Aqua’ and ‘Vanish,’ were flagged for modifying a conditional within on-chain data even after a user’s private key had been used to sign a transaction. According to Blowfish, the drainers’ script is available for a fee on marketplaces offering scam-as-a-service tools.

The Blowfish team broke down the drainers’ method to flip data and steal funds. “On Solana, a dApp can be given authority to submit a transaction. If the dApp’s onchain program includes a conditional that allows it to send the user SOL or drain their account, a drainer could flip that conditional at any time,” reads the analysis.

The drainers go unnoticed by users at first. The victim signs what appears to be a valid transaction. However, after receiving the signature, the drainer temporarily holds on to the transaction. “Then, via a separate transaction, they flip the dApp’s conditional; it goes from appearing to send SOL to taking it instead.”

A bit-flip attack is a form of exploitation where the attacker changes the value of some bits in the encrypted data to manipulate a system. It allows the attacker to modify the encrypted message without knowing the encryption key. By flipping specific bits, an attacker can sometimes change a message in a predictable way once it’s decrypted.
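The general definition above can be shown in a few lines. The following is an added example, not code from Blowfish's analysis or from the drainers, and it models only the generic bit-flip property of unauthenticated encryption rather than the on-chain conditional flip. The toy stream cipher, keys and message are constructed assumptions. A flipped ciphertext decrypts to a predictable message unless an authentication tag is verified first.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), for illustration only."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR stream cipher: the same call also decrypts."""
    return xor(data, keystream(key, nonce, len(data)))

def flip(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Rewrite known -> wanted inside the ciphertext without any key."""
    delta = xor(known, wanted)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

def seal(enc_key, mac_key, nonce, data):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt(enc_key, nonce, data)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    """Verify the tag before decrypting; reject any modified ciphertext."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext was modified")
    return encrypt(enc_key, nonce, ct)

# Constructed sample values (not taken from any real system).
ENC_KEY, MAC_KEY, NONCE = b"e" * 32, b"m" * 32, b"n" * 12
MESSAGE = b"action=send;amount=5"

def demo():
    ct, tag = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    tampered = flip(ct, MESSAGE.index(b"send"), b"send", b"take")
    unauthenticated = encrypt(ENC_KEY, NONCE, tampered)  # decrypts "cleanly"
    try:
        open_sealed(ENC_KEY, MAC_KEY, NONCE, tampered, tag)
        detected = False
    except ValueError:
        detected = True
    return unauthenticated, detected

if __name__ == "__main__":
    print(demo())
```
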

A rising number of crypto drainers has targeted the Solana ecosystem. According to Chainalysis, one of the largest online communities devoted to a single Solana wallet drainer kit had over 6,000 members as of January. Brian Carter, Chainalysis senior intelligence analyst, told Cointelegraph in a previous interview that the most successful draining kits can target many assets in various ways.

The Blowfish team is said to have put defenses in place to automatically block the newly found drainers, and is monitoring on-chain activity.
