SlowMist: Beware of Solana Wallet Owner Authority Tampering Attack

By: theblockbeats.news|2025/12/03 19:45:54

BlockBeats News, December 3rd. SlowMist Security Team released a security advisory regarding a recent phishing attack incident. A user fell victim to a phishing attack, resulting in the transfer of the account's Owner permission. The user attempted to revoke the authorization but was unable to do so. The user's assets worth over $3 million were stolen, with an additional $2 million worth of assets stored in a DeFi protocol that could not be transferred (currently, this part of the assets worth around $2 million has been successfully rescued with the assistance of the related DeFi protocol). This attack was not the traditional "authorization theft" but rather a replacement of the core permission (Owner permission) by the attacker, rendering the victim unable to transfer funds, revoke authorization, or operate DeFi assets despite the funds "appearing normal" but being beyond their control.

The attacker exploited two counterintuitive scenarios to successfully deceive the user into clicking:

1. Usually, when signing a transaction, the wallet would simulate the execution result of the transaction. If there were any fund changes, it would be displayed on the user interface. However, the attacker's carefully crafted transaction showed no fund changes;

2. In the traditional Ethereum EOA account, the ownership is controlled by the private key. Users subjectively were unaware that Solana has a feature that can modify account ownership.

SlowMist reminds users to be vigilant when authorizing signatures and to confirm whether there are hidden operations such as modifying high-risk permissions like Owner in them.

-- Price

AI has become critical infrastructure, and governments and corporations are competing to control it. Centralized development and regulation are entrenching existing power structures. The Web3 community is building a decentralized alternative — distributed compute, token incentives, and community governance — before that window closes.

Vitalik wrote a proposal teaching you how to secretly use AI large models

Vitalik believes that in the AI era, users should not have to give up their identity to use an AI tool.

On the eve of the explosion of on-chain options

Options are becoming a new anchor in the cryptocurrency market.

WEEX AI Hackathon: How Did This AI Trading Winner Succeed?

A self-taught AI trading enthusiast achieved top-10 results at the WEEX AI Hackathon. Learn about the mindset, AI tools, and lessons behind this impressive performance.

One Balance to Rule Them All: Gravitas' On-Chain Prime Broker Ambition

Forty years ago, a technological revolution broke the isolation of information, reshaping Wall Street. Forty years later, Grvt aims to break the isolation of capital with an on-chain prime brokerage model.

That person who cashed out at the NFT peak is now selling a new shovel in the OpenClaw craze

A skilled person never picks the table, they eat meat with every bite.

Inter-generational Prisoner's Dilemma Resolution: The Nomadic Capital and Bitcoin's Inevitable Path

When the Baby Boomer generation collectively sells off, who will be the "bag holder" in the next asset crash?

Upstream and downstream are starting to fight, all for the sake of everyone being able to "Lobster"

「Lobster」 may not be a mature product yet, but it has already ushered in a new era of 「AI Assistants」.

Circle and Mastercard Announce Partnership, the Next Stage for the Crypto Industry Belongs to Payments

Stablecoins are transitioning from a speculative tool to real financial scenarios such as payments, cross-border transfers, and store of value.

From 5 Mao per kWh of Chinese electricity to a $45 API export: Tokens are rewriting currency units

When the same unit can both measure hashing power and facilitate payments, it ceases to be just a term and begins to evolve into a new currency of both value and influence.