How to Avoid Phishing Scams from EVM to Solana?

7/25/2024, 5:27:11 AM
Intermediate
Security
This article describes a case of a user losing assets due to a phishing scam on Solana. It explains the differences between Solana and EVM chains and their unique fraudulent tactics, such as token account ownership transfer, no need for pre-authorization, allowing multiple token transfers in a single transaction, and using Durable Nonce for fraud.

Recently, a user posted about losing millions of RMB in assets due to a phishing scam on Solana. According to the description, he mistakenly clicked on a link posted by a phishing group under a tweet from the Maneki project, leading him to a fraudulent website.

What puzzled him was that during the interaction, the website did not seem to require any token authorization operation, and the hacker succeeded in stealing the assets directly. When he realized there might be an issue with the website and attempted to transfer tokens from his wallet to avoid theft, he found that multiple attempts to transfer failed, and he could no longer withdraw his assets.

Due to the limited details provided, we cannot fully bring back the incident scene. However, it is clear that the user lost control of the Maneki token account, which is why the attempts to transfer assets from his wallet failed. Users accustomed to EVM might be confused about what account control means.

This is because Solana uses an implementation different from the EVM chain. Continuing to interact with Solana using the habits from EVM is like using an outdated sword to fight a modern battle, inevitably leading to significant risks.

To enjoy playing on Solana, it is essential to understand Solana’s characteristics and fraudulent tactics. For this reason, we have compiled some of the attack methods on Solana that differ from those on EVM, hoping to help users unfamiliar with Solana avoid pitfalls.

1. Cuckoo in the Nest: Token Account Ownership Transfer

The protagonist of our opening case encountered this type of attack. In a Solana wallet, each token has a separate account (Token Account), similar to how a bank account may have separate accounts for different currencies like RMB and USD, which are independent of each other. Each token account also has an ownership attribute.

By default, the owner of a token account is designated as the current wallet. However, this is not hard-coded. By calling the createSetAuthorityInstruction operation, the ownership of the token account can be changed. Hackers use this operation to trick users into transferring the ownership of a token account from their wallet to the hacker’s wallet.

Once successful, even though the tokens are still in the wallet, the user cannot transfer them out, which is essentially the same as having the tokens stolen.

Due to the high risk of this operation, both Phantom and @Backpack_CN wallets intercept and warn users of the transaction’s risks, requiring a second confirmation for the transaction, unless the user insists on approving it.

2. No Pre-authorization Required for Transactions on Solana

On EVM, a phishing contract needs the user to authorize the contract on the token contract before it can transfer tokens from the user’s wallet. The phishing contract can only initiate the transaction to transfer the user’s assets after receiving authorization.

However, on Solana, “approve” doesn’t mean authorization but rather transaction approval. If the user mistakenly treats this as the authorization step and approves it, the phishing transaction is sent out, leaving little chance for recovery.

A more dangerous situation is if the user is tricked into authorizing tokens on EVM, only the authorized token is affected, and other unauthorized tokens remain safe. On Solana, since no authorization is required and only user approval is needed to transfer tokens, combined with the third point we’ll discuss next, it could result in significant losses for the user.

3. Beware of Being Induced to Transfer Multiple Tokens

Solana’s transaction design allows multiple sub-transactions to be included in a single transaction, with each sub-transaction completing an interaction, such as transferring a specific token. Compared to EVM, where transferring each token requires a separate transaction, this feature of Solana provides some convenience.

For example, your wallet might contain some tokens with very low value, less than 1 USD. Sol-incinerator utilizes this feature to allow users to batch send small-value tokens from their wallet and convert them back to SOL without needing multiple conversions, which would consume a lot of gas and save operational time.

While this feature provides convenience, it also greatly facilitates hacking activities. If a hacker successfully tricks a user into confirming a transaction, they can drain the user’s wallet of tokens, NFTs, and even SOL. Therefore, if you see a transaction involving the transfer of many tokens, be cautious as it might be a hacker attempting to empty your wallet using this feature.

4. Stealing Transaction Signatures

In the EVM ecosystem, permit signatures are favored by phishing groups due to their stealthiness and the fact that they do not appear in the authorizer’s wallet. Currently, more than half of phishing attacks use this method. In the Solana world, there is a similar method: Durable Nonce.

Durable Nonce functions similarly to permit. If a user unknowingly signs a transaction, they will not immediately lose assets or see this transaction in their wallet. Instead, the signed transaction information is sent to the phishing group, who then submit the transaction to the blockchain. This offline transaction characteristic is just as dangerous as permit.

Since Solana can simulate transaction results, Durable Nonce is more readable than permit, making it easier for users to identify. However, phishing groups have combined Durable Nonce with contract upgrades to more effectively steal assets while bypassing transaction simulation warnings.

Phishing websites first interact with users using normal contracts without malicious transactions. The wallet’s transaction simulation feature shows no issues at this stage. Once the user approves the transaction, the phishing group does not immediately broadcast it to the blockchain. Instead, they wait and later upgrade the contract to a version with malicious code before broadcasting it. The user will then suddenly find their assets missing, often days after they signed the transaction.

This upgraded attack method is extremely stealthy and harmful. Current transaction simulation functions cannot display this risk. Therefore, it is crucial to maintain high vigilance and not rely too heavily on wallet software warnings or blindly trust transaction simulation results.

Conclusion

The original design purpose of these features was to lower user barriers and provide more convenience. However, like a double-edged sword, new technologies have also provided phishing groups with a wider range of attack methods.

Just before writing this article, Solana released two new features: Action and Blink. While there is much anticipation around these features, some have also warned about the potential for phishing groups to exploit them.

Phishing on Solana is characterized by one-click operations and high stealth. Due to rpc instability and other reasons, transaction simulation functions may not always work, so they cannot be fully relied upon.

It is recommended for users with the means to use a Keystone hardware wallet for interactions. This adds an extra layer of confirmation, preventing quick confirmation transactions caused by impulse or misclicks.

Additionally, Keystone parses transactions on the hardware end. In cases where software wallet transaction simulations fail, the hardware can still parse the transaction content, providing the last line of defense.

Blockchain technology is constantly evolving and transforming. While we worry about the risks associated with new technologies, we cannot afford to stop progressing. Phishing groups are like pests that everyone wants to eliminate, and professionals, including hardware wallet manufacturers and security companies, are continuously developing solutions to counter new threats.

As ordinary users, it is essential to remind ourselves not to be lured by “free gifts” but to scrutinize transaction details carefully. With this level of security awareness, phishing attempts are much less likely to succeed.

Disclaimer:

  1. This article is reprinted from [Keystone]. All copyrights belong to the original author [Keystone]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.

Share

Crypto Calendar
Tokenların Kilidini Aç
Grass, 28 Ekim'de mevcut dolaşım arzının yaklaşık %74,21'ini oluşturan 181.000.000 GRASS tokeni açığa çıkaracak.
GRASS
-5.91%
2025-10-27
Ana Ağ v.2.0 Lansmanı
DuckChain Token, Ekim ayında ana ağ v.2.0'ı başlatacak.
DUCK
-8.39%
2025-10-27
StVaults Lansmanı
Lido, Lido v.3.0 güncellemesinin bir parçası olarak stVaults'ın Ekim ayında ana ağda kullanılmaya başlayacağını duyurdu. Bu arada, kullanıcılar testnet'te özellikleri keşfedebilirler. Yayın, yeni modüler kasa mimarisi aracılığıyla Ethereum staking altyapısını geliştirmeyi amaçlıyor.
LDO
-5.66%
2025-10-27
MA
Sidus, Ekim ayında bir AMA düzenleyecek.
SIDUS
-4.2%
2025-10-27
Forte Ağı Yükseltmesi
Flow, Ekim ayında başlayacak Forte yükseltmesini duyurdu. Bu yükseltme, geliştirici deneyimini iyileştirmek ve AI ile tüketiciye hazır on-chain uygulamalarını mümkün kılmak için araçlar ve performans iyileştirmeleri sunacak. Güncelleme, Cadence diline yönelik yeni özellikler, yeniden kullanılabilir bileşenler için bir kütüphane, protokol iyileştirmeleri ve rafine tokenomi içermektedir. Flow'daki mevcut ve yeni geliştiriciler, en son yetenekleri kullanarak uygulamalar ve yükseltmeler yayınlayacak. Ek detaylar, ETHGlobal hackathonu öncesinde 14 Ağustos'ta Pragma New York'ta paylaşılacak.
FLOW
-2.81%
2025-10-27
sign up guide logosign up guide logo
sign up guide content imgsign up guide content img
Start Now
Sign up and get a
$100
Voucher!
Create Account

Related Articles

False Chrome Extension Stealing Analysis
Advanced

False Chrome Extension Stealing Analysis

Recently, several Web3 participants have lost funds from their accounts due to downloading a fake Chrome extension that reads browser cookies. The SlowMist team has conducted a detailed analysis of this scam tactic.
6/12/2024, 3:30:24 PM
Analysis of the Sonne Finance Attack
Intermediate

Analysis of the Sonne Finance Attack

The essence of this attack lies in the creation of the market (soToken), where the attacker performed the first collateral minting operation with a small amount of the underlying token, resulting in a very small "totalSupply" value for the soToken.
6/13/2024, 12:35:30 AM
What is a Crypto Card and How Does it Work? (2025)
Beginner

What is a Crypto Card and How Does it Work? (2025)

In 2025, crypto cards have revolutionized digital payments, with Gate Crypto Card leading the market through unprecedented innovation. Now supporting over 3000 cryptocurrencies across multiple blockchains, these cards feature AI-powered exchange rate optimization, biometric security, and customizable spending controls. Gate's improved reward structure offers up to 8% cashback, while integration with major digital wallets enables acceptance at 90 million merchants worldwide. The enhanced user experience includes real-time transaction tracking, spending analytics, and automated tax reporting. With competitive advantages over other platforms, Gate Crypto Card demonstrates how the bridge between traditional finance and digital assets has strengthened, making cryptocurrency more accessible and practical for everyday use than ever before.
5/29/2025, 2:35:39 AM
Introduction to the Aleo Privacy Blockchain
Beginner

Introduction to the Aleo Privacy Blockchain

As blockchain technology rapidly evolves, privacy protection has emerged as a pressing issue. Aleo addresses the challenges of privacy and scalability, enhancing network security and sustainable development. This article delves into Aleo's technical advantages, application areas, tokenomics, and future prospects.
11/7/2024, 9:44:39 AM
Understanding the Babylon Protocol: The Hanging Gardens of Bitcoin
Intermediate

Understanding the Babylon Protocol: The Hanging Gardens of Bitcoin

The core structure of the Babylon Protocol is the Babylon blockchain, which is a POS blockchain built on the Cosmos SDK and compatible with Cosmos IBC. It enables data aggregation and communication between the Bitcoin chain and other Cosmos application chains. Users can lock Bitcoin on the Bitcoin network to provide security for other POS consumption chains while earning staking rewards. Babylon allows Bitcoin to leverage its unique security and decentralization features to provide economic security for other POS chains.
7/26/2024, 10:25:41 AM
What is KernelDAO (KERNEL)?
Intermediate

What is KernelDAO (KERNEL)?

KernelDAO enhances blockchain security and staking efficiency through restaking, liquid staking, and automated yield strategies.
4/17/2025, 3:39:12 PM