Some users may be aware of a recent attack on the Solana network involving the Raydium RAY token, which has led to the loss of funds from some exchanges. At Bitrue we stopped the attack early and avoided loss - here's how we did it.
Before we get into the specifics of the event, we should give a quick introduction to how coins are organized on the Solana chain. A Solana wallet is split into two parts: a main wallet, which holds the actual SOL coins, and inside it any number of sub-wallets, each dedicated to a single SPL token. It is also possible to have an orphaned sub-wallet that is not attached to any main wallet, but this is rare.
The flaw on the Solana chain that was being exploited on August 26 is as follows:
1. The hacker creates an address for an orphaned SPL wallet, which we will label as "A".
2. The hacker initializes the address of A, and retains control of the private key.
3. The hacker transfers 100 RAY to the address A.
4. The hacker then transfers the 100 RAY to an alternative address.
5. The hacker then transfers ownership of the orphaned wallet A into an exchange's main SOL wallet. The exchange detects this as a valid deposit, even though the private keys, and therefore overall control of the SPL wallet, remain with the hacker.
6. The hacker then converts the phantom RAY tokens, which the exchange believes were deposited, into an alternative currency, e.g. BTC, and withdraws them from the exchange. They now hold the BTC as well as the original RAY tokens.
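The six steps above come down to one point for a deposit system: a change of a token account's owner is not a transfer of tokens, and must never be credited as one. The following added example (written for this article, not Bitrue's or Solana's own code) replays the sequence as constructed instruction records shaped like the jsonParsed view of SPL Token instructions, and contrasts a naive crediting rule that trusts account ownership with a hardened rule that credits only transfers into token accounts the exchange created itself and raises an alert on any ownership hand-over. All addresses and the helper names are made up for the example.

```python
"""Deposit crediting that is robust against SPL token-account ownership transfers.

Added example, not the exchange's production code. The instruction records are
constructed to resemble the `jsonParsed` form of SPL Token instructions; the
addresses below are placeholders, not real Solana accounts.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed addresses (assumptions for the example).
MAIN_WALLET = "ExchangeMainWallet11111111111111111111111"
OWN_RAY_ACCOUNT = "ExchangeRayTokenAcct111111111111111111111"
OWN_TOKEN_ACCOUNTS = {OWN_RAY_ACCOUNT}   # token accounts the exchange itself created
ATTACKER = "Attacker1111111111111111111111111111111111"
ACCOUNT_A = "OrphanTokenAcctA111111111111111111111111111"
ACCOUNT_B = "AttackerOtherTokenAcct11111111111111111111"


def spl(kind: str, **info) -> dict:
    """Build one parsed SPL Token instruction record (constructed shape)."""
    return {"program": "spl-token", "parsed": {"type": kind, "info": info}}


# Steps 1-5 of the attack as described in the post, raw amounts in base units.
ATTACK_SEQUENCE = [
    spl("initializeAccount", account=ACCOUNT_A, owner=ATTACKER),                      # steps 1-2
    spl("transfer", source=ACCOUNT_B, destination=ACCOUNT_A, amount="100", authority=ATTACKER),  # step 3
    spl("transfer", source=ACCOUNT_A, destination=ACCOUNT_B, amount="100", authority=ATTACKER),  # step 4
    spl("setAuthority", account=ACCOUNT_A, authorityType="accountOwner",
        newAuthority=MAIN_WALLET, authority=ATTACKER),                                # step 5
]


@dataclass
class Decision:
    credits: Dict[str, int] = field(default_factory=dict)   # token account -> amount credited
    alerts: List[str] = field(default_factory=list)


def naive_credit(instructions: List[dict]) -> Decision:
    """Weak rule: credit every inbound transfer to any token account whose owner
    ends up being MAIN_WALLET. Ownership can be handed over by a third party, so
    this credits tokens the exchange never controlled (the 'phantom' RAY)."""
    owner: Dict[str, str] = {}
    inbound: Dict[str, int] = {}
    for ix in instructions:
        kind, info = ix["parsed"]["type"], ix["parsed"]["info"]
        if kind == "initializeAccount":
            owner[info["account"]] = info["owner"]
        elif kind == "transfer":
            inbound[info["destination"]] = inbound.get(info["destination"], 0) + int(info["amount"])
        elif kind == "setAuthority" and info["authorityType"] == "accountOwner":
            owner[info["account"]] = info["newAuthority"]
    decision = Decision()
    for account, amount in inbound.items():
        if owner.get(account) == MAIN_WALLET:
            decision.credits[account] = amount
    return decision


def hardened_credit(instructions: List[dict]) -> Decision:
    """Hardened rule: credit only token transfers whose destination is an account
    the exchange created itself (so it alone holds the keys), and treat any
    ownership hand-over to MAIN_WALLET as an alert, never as a deposit."""
    decision = Decision()
    for ix in instructions:
        kind, info = ix["parsed"]["type"], ix["parsed"]["info"]
        if kind in ("transfer", "transferChecked"):
            dest = info["destination"]
            if dest not in OWN_TOKEN_ACCOUNTS:
                continue   # not one of our accounts: whoever owns it now, it is not our deposit
            amount = int(info["amount"]) if kind == "transfer" else int(info["tokenAmount"]["amount"])
            decision.credits[dest] = decision.credits.get(dest, 0) + amount
        elif (kind == "setAuthority" and info.get("authorityType") == "accountOwner"
              and info.get("newAuthority") == MAIN_WALLET):
            decision.alerts.append(
                f"token account {info['account']} had its owner set to us by {info['authority']}; "
                "ownership change is not a deposit, holding for review")
    return decision


if __name__ == "__main__":
    print("naive   :", naive_credit(ATTACK_SEQUENCE))       # credits 100 to account A
    print("hardened:", hardened_credit(ATTACK_SEQUENCE))    # no credit, one alert
```

The whitelist of own token accounts is the key: deriving it from accounts the exchange created (for example its own associated token accounts) means a stranger's account can never enter it, regardless of what its owner field says. Checking the account's live balance via RPC is a useful secondary control, but on its own it would still be fooled by an attacker who hands over an account with a non-zero balance they can later drain.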
A large number of exchanges that support Solana, including Bitrue, were targeted.
Here is an example of the transactions that a hacker performed on Bitrue. In total 7993 RAY was transferred in 32 transactions over 20 minutes.
The hacker managed to complete several withdrawals from Bitrue; the transactions are noted below. In total about $11,683 USDT worth of tokens were taken from the exchange before the hacker's actions were identified and blocked. Bitrue will cover the loss from its own funds.
23eQsNe4mkeceSrheZiCEQGChnumxwZwfsemBBzpr5CgkzcEGu1rYPoVNCzjpGSYyEbGpGPjHYdbRghkZdzKhA4Q 28.02 SOL
2d19wd3JN4s2NrPvAqdmovzHH7QzomqFDaVjYq4b8KCM4KQGvQwb4cLAqFzHHwQX6uXWtABmQAAwYTYzjpZGquCG 559.8 RAY
0xbf911e98e3bdd99bf76f29a8e951bd3c64536d7f3f3c0c02ebf9f2efe79fa27e 0.07 ETH
8b6fe654fe979b77ea22f4f04ece1497d985d0ab529baf1618d9bfdc56bdfabc 0.0995 BTC
While Bitrue was affected by this 0-day exploit, the losses were minimal. Thanks to our internal risk-monitoring system we detected the attack and immediately suspended all SPL token activity.
We want to extend our thanks to the Solana team for their quick communication and assistance with this matter. Other exchanges that support Solana were also attacked. We would like to remind our colleagues at other exchanges to investigate this exploit thoroughly to ensure that they did not lose any funds, and to remain vigilant against future attacks. They are welcome to contact us should they require assistance - firstname.lastname@example.org.