Phantom is safe from Solana Web3.js vulnerability; users are advised to upgrade soon

December 4, 2024 at 5:55 am

News

Phantom is safe from Solana Web3.js vulnerability; users are advised to upgrade soon

Phantom has confirmed that it has not been affected by a vulnerability discovered in the Solana library, i.e. Solana/web3.js.

Phantom, a wallet provider running on the Solana (SOL) blockchain, confirmed it is safe after a recent vulnerability was discovered in the Solana/Web3.js library. According to a statement posted on X, the Phantom security team verified that the compromised versions of the library- 1.95.6 and 1.95.7 – will never be utilized in their infrastructure, assuring their users that their platform is secured.

anyone using @solana/web3.js, versions 1.95.6 and 1.95.7 are compromised with a secret stealer leaking private keys. if you or your product are using these versions, upgrade to 1.95.8 (1.95.5 is unaffected)

if you run a service that can blacklist addresses, do your thing with…
— trent.sol (@trentdotsol) December 3, 2024

Do not use @solana/web3.js versions 1.95.6 and 1.95.7., writes Trent.sol on his X profile.

Earlier today, Trent Sol, a Solana developer, warned users about the compromised library. He informed users that these versions could put users at risk of secret stealer attacks, which are capable of leaking private keys used to access and secure wallets. Products and developers using the compromised versions should upgrade to version 1.95.8., urged Trent. However, previous versions, such as 1.95.5, remain unaffected by the issues.

Phantom is not impacted by this vulnerability.

Our Security Team confirms that we have never used the exploited versions of @solana/web3.js https://t.co/9wHZ4cnwa1
— Phantom (@phantom) December 3, 2024

Phantom acknowledges that it is safe from solana/web3.js vulnerabilities.

Solana ecosystem addresses Web3.js vulnerability

The Solana ecosystem has been quick to respond to addressing the vulnerability. Important projects such as Drift, Phantom, and Solflare have informed their communities that they are not affected as they either do not put to use the compromised version or have other security measures that keep them safe. The ecosystem’s developers and projects are also urged to check their dependencies and update their libraries to ensure funds and data remain secure.

Rise in vulnerabilities

Trent Sol’s disclosure of vulnerability reflects a larger challenge of security that blockchain ecosystems often have to tackle. Forensic analysis shows that the broken versions of the library held hidden commands meant to capture and transmit private keys to a wallet named FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx. Cloud security researcher Christophe Tafani-Dereeper from Datadog underscored the sophistication of the backdoor at Bluesky.

Exclusive: The backdoor inserted in v1.95.7 adds an "addToQueue" function which exfiltrates the private key through seemingly-legitimate CloudFlare headers.Calls to this function are then inserted in various places that (legitimately) access the private key.
— Christophe Tafani-Dereeper (@christophetd.fr) 2024-12-03T23:47:18.004Z

Developer Tafani-Dereeper does forensic analysis of the solana/web3.js vulnerabilities.

Such risks have become increasingly common, as evidenced by a malicious package incident earlier this year, reported by The Hacker News, involving the Python Package Index, commonly known as PyPl. The package, “solana-py“, masqueraded as the legitimate Solana Python API to steal Solana wallet keys and exfiltrate them to an attacker-controlled server. It also exploited naming similarities to trick developers, leading to 1,122 downloads before its removal.