Dear Bitruers,
Some users may be aware of a recent attack on the Solana network involving the Raydium RAY token, which has led to the loss of funds from some exchanges. At Bitrue we stopped the attack early and avoided loss - here's how we did it.
Before we get into the specifics of the event, we should give a quick introduction to how coins are organized on the Solana chain. In general, a Solana wallet has two layers. There is a main wallet, which holds all of the actual Solana SOL coins, and inside this main wallet there can be multiple sub-wallets, each dedicated to a different SPL token. It is possible to have an orphaned sub-wallet that is not attached to any main wallet, but this is rare.
The flaw on the Solana chain that was being exploited on August 26 is as follows:
1. The hacker creates an address for an orphaned SPL wallet, which we will label as "A".
2. The hacker initializes the address of A, and retains control of the private key.
3. The hacker transfers 100 RAY to the address A.
4. The hacker then transfers the 100 RAY to an alternative address.
5. The hacker then attempts to transfer ownership of the orphaned wallet A into an exchange's main SOL wallet. This is detected as a valid deposit to the exchange even though the private keys and overall control of the SPL wallet are retained by the hacker.
6. The hacker then converts the phantom RAY tokens that the exchange believes were deposited into an alternative currency, e.g. BTC, and withdraws them from the exchange. They now have both BTC as well as the RAY tokens.
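The six steps above come down to a deposit-crediting rule that trusts historical transfers into any sub-wallet the exchange currently appears to own. The following Python model is an added example, not Bitrue's code or the Solana SDK: it replays a constructed sequence of simplified SPL token events (create, transfer, set-authority), shows the vulnerable crediting rule crediting the phantom 100 RAY from the empty account A, and places a hardened rule beside it that credits only the live balance of sub-wallets the exchange created itself and flags any account that arrived through an ownership change. All account names, amounts and field names are constructed assumptions.

```python
"""Added illustration (not Bitrue's code) of the RAY deposit-crediting flaw
described above, as a simplified model. Event fields, account names and
amounts are constructed assumptions standing in for SPL Token
CreateAccount / Transfer / SetAuthority(AccountOwner) instructions."""
from dataclasses import dataclass
from typing import Dict, List

EXCHANGE_MAIN_WALLET = "ExchangeMainWallet"   # constructed placeholder name
RAY = "RAY"


@dataclass
class TokenAccount:
    """An SPL sub-wallet: holds one token (mint) and is attached to an owner."""
    address: str
    owner: str
    mint: str
    balance: float = 0.0
    created_by_exchange: bool = False   # did the exchange itself create it?
    owner_reassigned: bool = False      # did it reach us via SetAuthority?


@dataclass
class Event:
    kind: str                  # "create" | "transfer" | "set_authority"
    account: str               # token account the instruction touches
    mint: str = ""
    owner: str = ""            # create / set_authority: the (new) owner
    amount: float = 0.0        # transfer: positive = in, negative = out
    by_exchange: bool = False  # create: issued from the exchange's own wallet


class Ledger:
    """Replays events in order; keeps live state plus the full history."""

    def __init__(self) -> None:
        self.accounts: Dict[str, TokenAccount] = {}
        self.history: List[Event] = []

    def apply(self, ev: Event) -> None:
        if ev.kind == "create":
            self.accounts[ev.account] = TokenAccount(
                ev.account, ev.owner, ev.mint, created_by_exchange=ev.by_exchange)
        elif ev.kind == "transfer":
            self.accounts[ev.account].balance += ev.amount
        elif ev.kind == "set_authority":
            acct = self.accounts[ev.account]
            acct.owner = ev.owner
            acct.owner_reassigned = True
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")
        self.history.append(ev)


def naive_credit(ledger: Ledger, wallet: str, mint: str) -> float:
    """Vulnerable rule: credit every inbound transfer found in the history of
    any account whose *current* owner is the exchange wallet. Ownership can be
    reassigned after the tokens have already left, so step 5 of the attack
    makes an empty account look like a fresh 100 RAY deposit."""
    total = 0.0
    for ev in ledger.history:
        if ev.kind == "transfer" and ev.amount > 0 and ev.mint == mint:
            if ledger.accounts[ev.account].owner == wallet:
                total += ev.amount
    return total


def hardened_credit(ledger: Ledger, wallet: str, mint: str) -> float:
    """Defensive rule: credit only the *live balance* of token accounts the
    exchange created itself, never an account that became ours through a
    SetAuthority. Historical transfer instructions are not trusted."""
    total = 0.0
    for acct in ledger.accounts.values():
        if acct.mint != mint or acct.owner != wallet:
            continue
        if not acct.created_by_exchange or acct.owner_reassigned:
            continue        # foreign / reassigned sub-wallet: hold for review
        total += acct.balance
    return total


def reassigned_accounts(ledger: Ledger, wallet: str) -> List[str]:
    """Detection: accounts now owned by the exchange that arrived via
    SetAuthority instead of being created by the exchange. Any hit is a
    reason to pause SPL deposits and investigate."""
    return sorted(a.address for a in ledger.accounts.values()
                  if a.owner == wallet and a.owner_reassigned)


def build_attack_scenario() -> Ledger:
    """Constructed sample: one genuine 50 RAY deposit, then attack steps 1-5."""
    led = Ledger()
    # The exchange's own RAY sub-wallet and a genuine customer deposit.
    led.apply(Event("create", "ExchangeRayDeposit", RAY, EXCHANGE_MAIN_WALLET,
                    by_exchange=True))
    led.apply(Event("transfer", "ExchangeRayDeposit", RAY, amount=50.0))
    # Steps 1-2: attacker creates orphaned sub-wallet A under their own key.
    led.apply(Event("create", "OrphanA", RAY, "AttackerWallet"))
    led.apply(Event("transfer", "OrphanA", RAY, amount=100.0))   # step 3
    led.apply(Event("transfer", "OrphanA", RAY, amount=-100.0))  # step 4
    # Step 5: ownership of the now-empty A is handed to the exchange wallet.
    led.apply(Event("set_authority", "OrphanA", RAY, EXCHANGE_MAIN_WALLET))
    return led


if __name__ == "__main__":
    led = build_attack_scenario()
    print("naive credit   :", naive_credit(led, EXCHANGE_MAIN_WALLET, RAY))     # 150.0
    print("hardened credit:", hardened_credit(led, EXCHANGE_MAIN_WALLET, RAY))  # 50.0
    print("reassigned     :", reassigned_accounts(led, EXCHANGE_MAIN_WALLET))   # ['OrphanA']
```

The design point is that the hardened rule never derives a credit from a transfer instruction it did not observe landing in an account it controls end to end; a balance in a sub-wallet that the exchange did not create is quarantined rather than credited, and the presence of any reassigned account is itself the alert that justifies pausing SPL deposits, which is the response described later in this notice.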
A large number of exchanges that support Solana, which includes Bitrue, were targeted.
Here is a sample of the transactions that the hacker performed on Bitrue. In total 7993 RAY was transferred in 32 transactions over 20 minutes.
2LE5SgYhefZpy29xj1V1aVyFeUrTu9mDzG4nfQffyLynL9nHDWgaepKL6ybPs3CGYM4Z6YpDESL8d7jj1wRGwpVp
656y527r2zXPVQqPNLmTU7r17gzpeeuSf3YrQ6p73vF996bQRqMGpgj64xzzU2ELAgpn1jSpUrxzwgPmfLD8SLWs
4PrxymvC7YCX7z9SuLb9Tg7RjVA1zt9XKEVhX6wtGE7KrKAkxdSxrzCBhrX61FN3KyCGT8g7oweg9rpQyVz3diuM
4CjjQeSdcfhEp2gwtmgLrVDvQVpNWBUq1CVtJ1LtLWFPSJnZAikWhRYxDCeQ5ktHucDpZrDwrpbjHG1cTXhi63kb
4FK6qsDaF6qZYebAVHNWD47yvYmuSXbX72bJWwLmnzWBEBCt87Ue2cB3mTuivKsBN4LnaXAYSZ5EjehypHbH7f5L
2Jh6hGCMsdN7RxJLkRxJX3T6CcWwnsWfWtPKZiFY63xrPmDJeyQgWHebjrWG8Q3Kidhwtr6XKbWSJtRMUCN2HG5L
47sVcTfEeZoWExHp8779pzRDoR1S8NXktjUHiwkSM48HFQk7V7WM6xxmWJQJ2bS4dPvzYoNpH6yhLMHcvSgDSiGG
2wCCGEft467KX2vZ6N1fmL2G2rjjmdfVyap6LamspMEQn1162sKoX21TZ4fYNf7e2LTq8o8bk9SnBCPmHFi1rGAW
fuLwDAFFsT96suRkcLejF3vQj2otR6FKtMH45pTAUepA59znhzpcUcW6Y9BYVFTnXiitpmcB2D9KArcLx9x7LD9
3TfBmbrpmLcBnXDADDJiSAD9aPHi1Uhk1qDBswrxh4UJv8ngqmht2ThtjhdnKhsE93i7sXMRXj2zpp9jgnx7dbAV
vbydBC28kCMKwpnHL4nK1DCHm8bn9PoJhDdqiGEuXvBNmnXPhSbsY4FymEUxnE2kk72qqEmvLieDPBBsN3RF3RY
Y8sfZN1hzY8YQbaVaUuyN552mQBy7UhdtCKP3STSzCCayMgiG3VHyujCdzHrKmGyFbSkhX5gbmRHzqmrguQxFUi
The hacker managed to complete several withdrawals from Bitrue; the transactions are noted below. In total about $11,683 USDT worth of tokens were taken from the exchange, at which point the hacker's actions were identified and blocked. Bitrue will be covering the loss at its own expense.
Completed withdrawals:
26nRmRodbYEBkMmnYiNZFVGHwicusDFtqzg9NFDgDkLFqHG8rYP3bmccvPmrhKoCZi72FmAJ2nAovQFeGUubkuqz 0.8 RAY
2vhj7ey7ER9Ac32R8qRb1cBMwD4Y1VWeJ5mmuz3Xi51bp4j4Jc1YHPtx6wHArBYKhGtVPGacWZw7oXS4sNAbCCDB 71.8 RAY
23eQsNe4mkeceSrheZiCEQGChnumxwZwfsemBBzpr5CgkzcEGu1rYPoVNCzjpGSYyEbGpGPjHYdbRghkZdzKhA4Q 28.02 SOL
2d19wd3JN4s2NrPvAqdmovzHH7QzomqFDaVjYq4b8KCM4KQGvQwb4cLAqFzHHwQX6uXWtABmQAAwYTYzjpZGquCG 559.8 RAY
0xbf911e98e3bdd99bf76f29a8e951bd3c64536d7f3f3c0c02ebf9f2efe79fa27e 0.07 ETH
8b6fe654fe979b77ea22f4f04ece1497d985d0ab529baf1618d9bfdc56bdfabc 0.0995 BTC
While Bitrue was affected by this 0-day exploit, the losses were minimal. Because of our robust internal risk-monitoring system, we detected the attack and immediately suspended deposits and withdrawals for all SPL tokens.
We want to extend our thanks to the Solana team for their quick communication and assistance with this matter. Other exchanges that support Solana were also attacked. We would like to remind our colleagues at other exchanges to investigate this exploit thoroughly to ensure that they did not lose any funds, and to remain vigilant against future attacks. They are welcome to contact us should they require assistance - support@bitrue.com.