Read the Unveiling Transaction Simulation Challenges blog post to understand the vulnerability and see a step-by-step attack reproduction.
- Install Node.js version 18
- If you are using nvm (recommended), running `nvm use` will automatically choose the right Node version for you.
- Install Yarn v1
- Run `yarn setup` to install dependencies and run any required post-install scripts
- Warning: Do not use the `yarn` / `yarn install` command directly. Use `yarn setup` instead. The normal install command will skip the required post-install scripts, leaving your development environment in an invalid state.
- Run `yarn start` to run the DApp
- Using Solana Playground is the simplest way to deploy
- If connecting it to mainnet-beta fails (it happens), an easy alternative is creating an Alchemy account and launching a Solana mainnet node, then adding a `custom` endpoint in the settings
- The IDE will create an authority account for deploying the contract
- It needs ~1.4 SOL to do a first deploy (you get 0.4 SOL back), so keep that in mind and make the transfer
- Paste `take-over.ts`
- Build & Deploy
- Take your contract's address (program ID) and update the exploit code accordingly
- Set up accounts for the attacker and the victim
- Add the victim's public key to `assign-test.js`
- Add the attacker's private key to `assign-test.js`
- Open a browser with the wallet extension and navigate to `http://localhost:9011/`
- Select the victim's wallet from accounts
- [On DApp] click connect
- [On DApp] click STAGE #1
- Now funds are transferred to the victim, and the victim's account is now owned by the attacker's program ID `A3mayAzsbd4H1YFnLBbafAMxbygXYx56Dq2jKupWczM9`
- You can take the TXID and check it on an explorer
- You can look up the victim's account on an explorer and see that it is owned by the attacker's contract, not the System Program
- Select the attacker's wallet from accounts
- [On DApp] click STAGE #2
- The call to the attacker's contract drains the victim's wallet into the attacker's account
- You can take the TXID and check it on an explorer
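The two STAGE #1 effects listed above (the victim gains funds, and the victim's account ends up owned by the attacker's program) are exactly what a wallet that judges a transaction by its simulated balance change will get wrong. The following is an added example, not code from this repository or from Coinspect: a wallet-side check that walks a message's instructions and flags any System Program instruction that would hand one of the wallet's own accounts to another program, run beside the naive "did my balance go up" check. It assumes the STAGE #1 transaction is a System Program `Transfer` to the victim followed by a System Program `Assign` of the victim's account to the attacker's program (one way to produce the owner change described above; the repository's own construction may differ), uses the attacker program ID quoted in the steps, and uses placeholder base58 strings for the victim and attacker wallet keys. The message layout is a minimal stand-in for a compiled Solana message (account key list plus instructions indexing into it); no `@solana/web3.js` is required.

```javascript
// Added example (not the repository's code): detect owner reassignment of a
// wallet's own account inside a Solana message, and contrast it with a naive
// balance-delta check that the STAGE #1 pattern fools.

const SYSTEM_PROGRAM = '11111111111111111111111111111111'; // 32 zero bytes
// Attacker program ID quoted in the reproduction steps above.
const ATTACKER_PROGRAM = 'A3mayAzsbd4H1YFnLBbafAMxbygXYx56Dq2jKupWczM9';
// Placeholder wallet keys (assumption: any distinct base58 strings work here,
// since wallet keys are only ever compared as strings below).
const VICTIM = 'Victim1111111111111111111111111111111111111';
const ATTACKER = 'Attacker11111111111111111111111111111111111';

// System Program instruction tags (u32 little-endian prefix of the data).
const SYS_CREATE_ACCOUNT = 0;
const SYS_ASSIGN = 1;
const SYS_TRANSFER = 2;
const SYS_ASSIGN_WITH_SEED = 10;

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
function base58Decode(s) {
  let n = 0n;
  for (const ch of s) {
    const v = B58.indexOf(ch);
    if (v < 0) throw new Error(`invalid base58 character: ${ch}`);
    n = n * 58n + BigInt(v);
  }
  const bytes = [];
  while (n > 0n) { bytes.push(Number(n % 256n)); n /= 256n; }
  for (const ch of s) { if (ch === '1') bytes.push(0); else break; } // leading '1' = zero byte
  return Uint8Array.from(bytes.reverse());
}
function base58Encode(bytes) {
  let n = 0n;
  for (const b of bytes) n = n * 256n + BigInt(b);
  let out = '';
  while (n > 0n) { out = B58[Number(n % 58n)] + out; n /= 58n; }
  for (const b of bytes) { if (b === 0) out = '1' + out; else break; }
  return out;
}

function u32le(n) { const b = new Uint8Array(4); new DataView(b.buffer).setUint32(0, n, true); return b; }
function u64le(n) { const b = new Uint8Array(8); new DataView(b.buffer).setBigUint64(0, BigInt(n), true); return b; }
function concat(...parts) {
  const out = new Uint8Array(parts.reduce((len, p) => len + p.length, 0));
  let off = 0;
  for (const p of parts) { out.set(p, off); off += p.length; }
  return out;
}
function view(data) { return new DataView(data.buffer, data.byteOffset, data.byteLength); }

// Constructed STAGE #1-style message (assumption about its exact instructions).
function buildStageOneMessage() {
  return {
    accountKeys: [VICTIM, ATTACKER, SYSTEM_PROGRAM], // index 0 is the fee payer / signer
    instructions: [
      // Transfer 0.001 SOL attacker -> victim: the simulation shows the victim gaining funds.
      { programIdIndex: 2, accounts: [1, 0], data: concat(u32le(SYS_TRANSFER), u64le(1_000_000)) },
      // Assign: the victim's account becomes owned by the attacker's program.
      { programIdIndex: 2, accounts: [0], data: concat(u32le(SYS_ASSIGN), base58Decode(ATTACKER_PROGRAM)) },
    ],
  };
}

// Naive check: net lamport change for `pubkey` from System Program transfers only.
function naiveTransferDelta(message, pubkey) {
  let delta = 0n;
  for (const ix of message.instructions) {
    if (message.accountKeys[ix.programIdIndex] !== SYSTEM_PROGRAM || ix.data.length < 12) continue;
    if (view(ix.data).getUint32(0, true) !== SYS_TRANSFER) continue;
    const lamports = view(ix.data).getBigUint64(4, true);
    if (message.accountKeys[ix.accounts[0]] === pubkey) delta -= lamports; // from
    if (message.accountKeys[ix.accounts[1]] === pubkey) delta += lamports; // to
  }
  return delta;
}

// The check that matters: does any instruction change the owner of a wallet account?
function findOwnerReassignments(message, walletPubkeys) {
  const wallet = new Set(walletPubkeys);
  const hits = [];
  message.instructions.forEach((ix, index) => {
    if (message.accountKeys[ix.programIdIndex] !== SYSTEM_PROGRAM || ix.data.length < 4) return;
    const dv = view(ix.data);
    const tag = dv.getUint32(0, true);
    let targetIdx, ownerOffset;
    if (tag === SYS_ASSIGN) { targetIdx = ix.accounts[0]; ownerOffset = 4; }
    else if (tag === SYS_CREATE_ACCOUNT) { targetIdx = ix.accounts[1]; ownerOffset = 4 + 8 + 8; } // lamports, space
    else if (tag === SYS_ASSIGN_WITH_SEED) {
      targetIdx = ix.accounts[0];
      const seedLen = Number(dv.getBigUint64(4 + 32, true)); // base(32) then length-prefixed seed
      ownerOffset = 4 + 32 + 8 + seedLen;
    } else return;
    const target = message.accountKeys[targetIdx];
    if (!wallet.has(target)) return;
    const newOwner = base58Encode(ix.data.subarray(ownerOffset, ownerOffset + 32));
    hits.push({ index, target, newOwner });
  });
  return hits;
}

console.log('naive delta for victim (lamports):', naiveTransferDelta(buildStageOneMessage(), VICTIM));
console.log('owner reassignments:', findOwnerReassignments(buildStageOneMessage(), [VICTIM]));
```

On the constructed message the naive check reports the victim gaining 1,000,000 lamports and would approve, while `findOwnerReassignments` returns the `Assign` instruction with the attacker's program ID as the new owner, which is the condition a wallet should surface as a warning regardless of what the balance simulation shows. A real STAGE #1 transaction would also carry the attacker's co-signature for the transfer; the stand-in layout omits the signature header because the check only needs the instruction list.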
This repository contains a proof-of-concept (PoC) that demonstrates and reproduces a Solana transaction simulation bypass bug that previously affected certain Solana wallets. This content is provided for educational and research purposes only. The authors and contributors of this repository are not responsible for any misuse of the provided information or code.
This PoC is intended for:
- Security researchers
- Solana wallet developers
- Individuals interested in understanding blockchain vulnerabilities
- This vulnerability has been responsibly reported to all affected vendors.
- All affected vendors have patched this vulnerability.
- The code in this repository is not intended for malicious use.
Without Coinspect's responsible disclosure and work with vendors to remediate this vulnerability, the code in this repository could have been used to:
- Take over a victim's Solana account
- Transfer funds without proper authorization
For any questions, concerns, or issues in the codebase, please open an issue in this repository.