慢雾：警惕Solana钱包Owner权限篡改攻击

On December 3, the SlowMist security team issued a security alert case: a user recently fell victim to a phishing attack, resulting in the transfer of their account Owner permissions. The user attempted to revoke authorizations but was unable to do so. Over $3 million worth of assets had already been stolen from the user, and an additional $2 million worth of assets were locked in DeFi protocols and could not be transferred (as of now, with the assistance of the relevant DeFi teams, the $2 million in assets have been successfully recovered). This attack was not a traditional “authorization theft,” but rather the attacker replaced the core permissions (Owner permissions), which prevented the victim from transferring funds, revoking authorizations, or operating DeFi assets—the funds “appear normal” but are no longer controllable. The attacker successfully lured the user into clicking by leveraging two counterintuitive scenarios: 1) When signing a transaction, wallets typically simulate and display the transaction outcome, including any fund changes, but the attacker’s carefully crafted transaction showed no change in funds; 2) Traditionally, Ethereum EOA accounts are controlled by private keys, so users may not realize that Solana accounts have features allowing ownership changes. SlowMist reminds users to be vigilant when authorizing signatures and to confirm whether operations such as modifying Owner or other high-risk permissions are hidden within the transaction.