SlowMist: Beware of Solana Wallet Owner Permission Tampering Attacks
Dec 03, 2025 19:40:06
The SlowMist security team has published a security alert describing a recent case. A user fell victim to a phishing attack that resulted in the Owner permission of their account being transferred. They attempted to revoke the authorization but were unable to complete it. The user has already lost assets worth over $3 million, and an additional $2 million worth of assets are stored in a DeFi protocol but cannot be transferred. Currently, the portion of assets worth approximately $2 million has been successfully rescued with the assistance of the relevant DeFi protocol.

This attack is not a traditional "authorization theft". Instead, the attacker replaces the account's core permission (the Owner permission), which prevents the victim from transferring funds, revoking authorizations, or operating DeFi assets. The funds "appear normal" but are no longer under the victim's control. The attacker got the user to approve the transaction by relying on two counterintuitive points:

1. When a user signs a transaction, the wallet simulates its execution and displays any change in funds on the interface. The attacker's carefully crafted transaction shows no change in funds.
2. Traditional Ethereum EOA accounts are controlled by private keys, and users may not be aware that Solana has a feature that allows account ownership to be modified.

SlowMist reminds users to be cautious when authorizing signatures and to confirm whether a transaction contains hidden operations that modify high-risk permissions such as Owner.
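Because a balance-only simulation shows nothing for such a transaction, the check has to look at the instructions themselves. The following is an added example, not code from SlowMist or any wallet: it flags the two standard Solana instructions that reassign ownership (System Program `Assign` and SPL Token `SetAuthority` with the `AccountOwner` type). The alert does not say which instruction was used in this case, and the `{programId, data}` input shape and sample bytes are constructed for illustration.

```javascript
// Added example: flag instructions that change ownership without moving funds.
// Discriminators follow the public System Program and SPL Token layouts.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const TOKEN_PROGRAMS = new Set([
  "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA", // SPL Token
  "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb", // Token-2022
]);
const SYSTEM_ASSIGN = 1;           // u32 little-endian tag, then 32-byte new owner
const TOKEN_SET_AUTHORITY = 6;     // u8 tag, u8 authority type, optional new key
const AUTHORITY_ACCOUNT_OWNER = 2; // authority type that replaces the account owner

function hex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// instructions: [{ programId: base58 string, data: Uint8Array }] (assumed shape)
function findOwnershipChanges(instructions) {
  const findings = [];
  instructions.forEach((ix, index) => {
    const d = ix.data;
    if (ix.programId === SYSTEM_PROGRAM && d.length >= 36) {
      const tag = new DataView(d.buffer, d.byteOffset, d.byteLength).getUint32(0, true);
      if (tag === SYSTEM_ASSIGN) {
        findings.push({ index, kind: "system-assign", newOwner: hex(d.subarray(4, 36)) });
      }
    } else if (TOKEN_PROGRAMS.has(ix.programId) && d.length >= 3 &&
               d[0] === TOKEN_SET_AUTHORITY && d[1] === AUTHORITY_ACCOUNT_OWNER) {
      // Byte 2 is the option tag: 1 means a 32-byte new owner key follows.
      const newOwner = d[2] === 1 && d.length >= 35 ? hex(d.subarray(3, 35)) : null;
      findings.push({ index, kind: "token-set-owner", newOwner });
    }
  });
  return findings;
}

// Constructed sample: a zero-lamport transfer hiding two ownership changes.
const PLACEHOLDER_KEY = new Uint8Array(32).fill(0xaa); // not a real address
const SAMPLE_TX = [
  { programId: SYSTEM_PROGRAM, data: Uint8Array.of(2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) },
  { programId: "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
    data: Uint8Array.of(TOKEN_SET_AUTHORITY, AUTHORITY_ACCOUNT_OWNER, 1, ...PLACEHOLDER_KEY) },
  { programId: SYSTEM_PROGRAM, data: Uint8Array.of(SYSTEM_ASSIGN, 0, 0, 0, ...PLACEHOLDER_KEY) },
];

for (const f of findOwnershipChanges(SAMPLE_TX)) {
  console.log(`instruction ${f.index}: ${f.kind} -> new owner ${f.newOwner}`);
}
```

This inspects only top-level instructions; a change made by a program through cross-program invocation appears in the simulation's inner instructions, which would need the same check.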


