Solana Web3.js library backdoored to steal secret, private keys

December 4, 2024 at 12:33PM

The Solana JavaScript SDK was compromised in a supply chain attack, enabling the theft of cryptocurrency private keys through malicious code in versions 1.95.6 and 1.95.7 of the library. Developers are urged to update to version 1.95.8 and rotate keys to safeguard their assets. Stolen assets are valued at approximately $184,000.

### Meeting Takeaways:

1. **Compromise of Solana SDK**: The Solana JavaScript SDK, specifically the @solana/web3.js library versions 1.95.6 and 1.95.7, was compromised in a supply chain attack, allowing attackers to inject malicious code designed to steal cryptocurrency private keys.

2. **Nature of the Attack**: According to the supply chain security firm Socket, the injected code targeted developers and users by modifying library functions to exfiltrate private key information, enabling attackers to drain cryptocurrency wallets directly.

3. **Details of the Vulnerability**:
   – The malicious code added an `addToQueue` function that was embedded in five key locations of the library.
   – Functions affected include:
     – `fromSecretKey()`
     – `fromSeed()`
     – `createInstructionWithPublicKey()`
     – `createInstructionWithPrivateKey()`
     – The account constructor.
   – Captured key material was sent to the attacker’s server at **https://sol-rpc[.]xyz/api/rpc/queue**.

4. **Temporal Window of Compromise**: The attack affected projects that updated the SDK between 3:20 PM UTC and 8:25 PM UTC on Tuesday, December 2, 2024.

5. **Immediate Actions Recommended**:
   – Developers who suspect they were compromised should immediately upgrade to version 1.95.8 of the library.
   – It is critical to rotate any keys, including multisigs, program authorities, and server keypairs.

6. **Affected Assets**: The compromise has led to an estimated loss of **$184,000** in cryptocurrency, with various tokens involved.

7. **Advice for Users**: Users whose wallets were compromised should transfer their remaining funds to a new wallet and stop using the old wallet, as private keys are no longer secure.

8. **Solana’s Confirmation**: Solana acknowledged the breach and clarified that it was an issue with a specific JavaScript client library, not the Solana protocol itself, emphasizing that non-custodial wallets were not affected.
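The two checks a responder would want after reading the above are (a) whether any copy of `@solana/web3.js`, including transitive copies nested under other dependencies, is pinned to 1.95.6 or 1.95.7 in a `package-lock.json`, and (b) whether egress logs show requests to the exfiltration host named in the article. The script below is an added example written for this summary, not code from the article or from the Solana project; the affected and fixed versions and the `sol-rpc[.]xyz` host come from the article, while the sample lockfile, the sample proxy log lines and their `<time> <client> <method> <url>` format, and the function names are constructed for the demonstration.

```javascript
// Added triage helpers for the @solana/web3.js compromise described above.
// Facts from the article: backdoored versions 1.95.6 and 1.95.7, fixed version
// 1.95.8, exfiltration endpoint https://sol-rpc[.]xyz/api/rpc/queue.
// Everything else here (sample lockfile, sample log lines, names) is constructed.

const AFFECTED_PACKAGE = '@solana/web3.js';
const AFFECTED_VERSIONS = new Set(['1.95.6', '1.95.7']);
const FIXED_VERSION = '1.95.8';
const EXFIL_HOST = 'sol-rpc.xyz'; // defanged as sol-rpc[.]xyz in the article

// Return every install path of the affected package pinned to a backdoored
// version. Handles the "packages" map of lockfileVersion 2/3 and the nested
// "dependencies" tree of lockfileVersion 1; a v2 lockfile carries both, so
// results are de-duplicated by path. Transitive copies matter: a dependency
// can pull in its own nested copy of the library.
function findBackdooredInstalls(lock) {
  const hits = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + AFFECTED_PACKAGE) && meta && AFFECTED_VERSIONS.has(meta.version)) {
      hits.set(path, { path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === AFFECTED_PACKAGE && AFFECTED_VERSIONS.has(meta.version)) {
        hits.set(path, { path, version: meta.version });
      }
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return [...hits.values()];
}

// Flag outbound requests to the exfiltration host in egress/proxy logs.
// Constructed log format: "<ISO time> <client> <method> <url>". Subdomains of
// the host are flagged as well; unparsable URLs are skipped.
function findExfilRequests(logLines) {
  const matches = [];
  for (const line of logLines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 4) continue;
    const [time, client, method, url] = parts;
    let host;
    try { host = new URL(url).hostname; } catch { continue; }
    if (host === EXFIL_HOST || host.endsWith('.' + EXFIL_HOST)) {
      matches.push({ time, client, method, url });
    }
  }
  return matches;
}

// Constructed sample lockfile: the top-level copy is backdoored, the nested
// copy under a (fictional) wallet adapter is already on the fixed version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', version: '0.0.1' },
    'node_modules/@solana/web3.js': { version: '1.95.7' },
    'node_modules/some-wallet-adapter': { version: '2.0.0' },
    'node_modules/some-wallet-adapter/node_modules/@solana/web3.js': { version: FIXED_VERSION },
  },
};

// Constructed sample egress log: one ordinary RPC call, one exfil request,
// one registry fetch. Hosts other than the exfil host are placeholders.
const SAMPLE_LOG = [
  '2024-12-02T16:05:11Z 10.0.0.12 POST https://rpc.example.com/',
  '2024-12-02T16:05:12Z 10.0.0.12 POST https://sol-rpc.xyz/api/rpc/queue',
  '2024-12-02T16:07:40Z 10.0.0.34 GET https://registry.example.com/@solana%2fweb3.js',
];

console.log('backdoored installs:', JSON.stringify(findBackdooredInstalls(SAMPLE_LOCK)));
console.log('exfil requests:', JSON.stringify(findExfilRequests(SAMPLE_LOG)));
```

Point `findBackdooredInstalls` at the parsed contents of a real `package-lock.json` (`JSON.parse(fs.readFileSync(...))`) and feed `findExfilRequests` lines from your own proxy format after adjusting the field split. A hit from either check is reason to treat every key the affected host could have loaded as exposed and to rotate it, which is the action the article recommends regardless of how much the lockfile scan turns up.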
