Protecting Your Assets on Solana: Common and Emerging Threats Explained


Solana has emerged as a high-performance and scalable blockchain protocol. Since last year, its ecosystem has been in a state of rapid expansion. The rise of liquid staking projects like Lido and Jito, along with various Meme coin trends, has driven significant growth in Solana’s Total Value Locked (TVL) and trading volume. At the same time, Solana’s PayFi and DePIN initiatives have highlighted the potential for real-world blockchain integration.

With more users joining the Solana network, malicious actors are increasingly exploiting its unique features to carry out fraudulent activities through both established and new attack methods. This article breaks down the most relevant security threats targeting Solana users and provides actionable advice to help you stay protected.

Understanding Solana’s Account and Transaction Model

To better grasp how these attacks work, it helps to understand some basics of Solana’s architecture—particularly its account and transaction model.

Accounts on Solana

In Solana, all information is stored within account objects. These are divided into three main types:

  1. Data Accounts, which store data. These can be further categorized into:
    • System-owned accounts
    • Program Derived Addresses (PDAs)
  2. Program Accounts, which store executable programs—essentially smart contracts developed and deployed by users or by Solana itself. It’s important to note that smart contracts on Solana can be updated or even destroyed.
  3. Native Accounts, which refer to built-in programs on the Solana blockchain. These are smart contracts generated during node deployment and cannot be updated or destroyed by regular users, though they can be invoked by other contracts or remote procedure calls (RPC).

Note: In Solana, a “Program” is functionally similar to a “Smart Contract” on other blockchains. The terms are used interchangeably below.

The account a regular user creates with a wallet is a system-owned data account. You can think of it as an account generated through a system program that stores data such as address information and digital assets.

Transactions on Solana

A key concept here is the instruction. An instruction defines an operation within a Solana transaction, such as interacting with a program or transferring tokens. Crucially, a single Solana transaction can contain multiple instructions. This means users can bundle several actions—like multiple transfers—into one transaction, which are then executed in sequence.

You can inspect the instructions of any transaction using a Solana block explorer like Solscan. By looking at the “Instruction Details,” you can see which programs were called and which addresses were involved in transfers.

Common Attack Methods in the Solana Ecosystem

As Solana gains popularity, phishing attacks and Rug Pulls have become increasingly common. According to a report from Scam Sniffer, approximately 10,000 users lost over $46 million to phishing attacks in September alone. This makes vigilance more important than ever. Below are some of the most prevalent attacks targeting Solana users.

1. Airdrop Scams

In this classic scam, attackers promote fake airdrop campaigns through social media or send NFTs directly to user wallets. These contain links to phishing websites that trick users into signing malicious transactions. Because Solana allows multiple transfer instructions to be bundled into a single transaction, one signature can authorize the transfer of all assets in a user’s wallet to the scammer.

Always verify the authenticity of any airdrop and carefully review every transaction before signing.

2. Fake Transaction Simulations

Many wallets, like Phantom, offer transaction simulation features that show users the outcome of a transaction before they sign. However, these simulations are not guarantees—they are previews. Attackers have found ways to manipulate these simulations by bundling transactions or using malicious browser extensions to show false results.

For example, in August, a malicious browser extension named “Bull Checker” was used to steal user assets. The extension had broad permissions to read and change data on all websites visited. During transaction simulation, the malicious transfer wouldn’t show because the attacker’s wallet had a zero balance. But during the actual transaction, the extension altered the signing process, sending the unsigned transaction to the attacker’s server and attaching a call to a malicious program.


If a browser extension requests permissions to “read and change all your data,” consider whether it truly needs that level of access. Always remember that simulation results can be manipulated.

3. Authority Transfer Attacks

This method is similar to phishing attacks on Ethereum. Users are tricked into signing a transaction that changes the ownership of their token account. Even though wallets often show warnings for such actions, users may still be deceived if they are not paying attention.

In Solana, each token a wallet holds is kept in its own token account, which has an “owner” field. By default, the owner is the address holding the token, but this can be changed with a SetAuthority instruction, which client code builds with functions like createSetAuthorityInstruction(). If a user is tricked into signing a transaction that contains this instruction, ownership of their tokens can be transferred to an attacker.
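
The review that the airdrop and authority-transfer sections call for can be automated over a decoded transaction. The following is an added example, not code from the original article: it assumes the transaction is available in the jsonParsed shape Solana RPC returns, and every address in the sample is a constructed placeholder.

```javascript
// Added example. Assumption: `tx` mirrors the jsonParsed transaction shape
// returned by Solana RPC; wallet and recipient strings are constructed placeholders.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"; // SPL Token
const KNOWN = new Set([SYSTEM_PROGRAM, TOKEN_PROGRAM,
  "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb"]); // Token-2022

// Returns one finding per instruction a user should stop and read before signing.
function auditInstructions(tx, wallet) {
  const findings = [];
  const outgoing = [];
  tx.message.instructions.forEach((ix, index) => {
    if (!KNOWN.has(ix.programId) || !ix.parsed) {
      // Opaque call: this audit cannot tell what the program will do.
      findings.push({ index, risk: "unknown-program", detail: ix.programId });
      return;
    }
    const { type, info } = ix.parsed;
    if (type === "setAuthority" && info.authority === wallet) {
      findings.push({ index, risk: "authority-change",
        detail: `${info.authorityType} -> ${info.newAuthority}` });
    } else if (type === "transfer" || type === "transferChecked") {
      // Token transfers name the signer in `authority`, SOL transfers in `source`.
      if ((info.authority ?? info.source) === wallet) outgoing.push(index);
    }
  });
  if (outgoing.length > 1) {
    findings.push({ index: outgoing[0], risk: "bundled-transfers",
      detail: `${outgoing.length} outgoing transfers under one signature` });
  }
  return findings;
}

// Constructed sample: two transfers, an owner change and an undecoded program call.
const sampleTx = { message: { instructions: [
  { programId: SYSTEM_PROGRAM, parsed: { type: "transfer",
    info: { source: "UserWallet111", destination: "Recipient111", lamports: 5000000 } } },
  { programId: TOKEN_PROGRAM, parsed: { type: "transfer",
    info: { source: "UserTokenAcct111", destination: "RecipientAcct111",
            authority: "UserWallet111", amount: "1000000" } } },
  { programId: TOKEN_PROGRAM, parsed: { type: "setAuthority",
    info: { account: "UserTokenAcct111", authority: "UserWallet111",
            authorityType: "accountOwner", newAuthority: "Recipient111" } } },
  { programId: "UnknownProgram111", accounts: ["UserWallet111"], data: "3Bxs" },
] } };

console.log(auditInstructions(sampleTx, "UserWallet111"));
```

The known-program list is deliberately minimal, so an "unknown-program" finding means "not decoded by this check", not "malicious".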

4. Address Poisoning

Also known as address spoofing, this attack involves creating fake addresses that look very similar to ones the user frequently interacts with. The goal is to trick the user into sending funds to the fraudulent address. This method has been common on Ethereum and Tron and is now becoming more frequent on Solana.

Double-check every address before confirming a transaction, especially when dealing with large amounts.
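
The address check can be made mechanical by comparing a destination against the addresses you already trust. This is an added example, not part of the original article: it assumes wallet interfaces often display only the first and last few characters of an address, and all addresses in it are constructed.

```javascript
// Added example. All addresses are constructed strings, not real accounts.
function sharedPrefix(a, b) {
  let n = 0;
  while (n < a.length && n < b.length && a[n] === b[n]) n++;
  return n;
}

function sharedSuffix(a, b) {
  let n = 0;
  while (n < a.length && n < b.length &&
         a[a.length - 1 - n] === b[b.length - 1 - n]) n++;
  return n;
}

// Classify a destination against the address book.
//   "known"     exact match with a saved address
//   "lookalike" a visible end matches a saved address but the full string differs
//   "new"       no resemblance to anything saved
// `shown` is the assumed number of characters a UI displays at each end.
function classifyRecipient(dest, addressBook, shown = 4) {
  for (const entry of addressBook) {
    if (entry.address === dest) return { verdict: "known", label: entry.label };
  }
  for (const entry of addressBook) {
    const prefix = sharedPrefix(dest, entry.address);
    const suffix = sharedSuffix(dest, entry.address);
    // Either visible end matching by chance is already very unlikely in base58.
    if (prefix >= shown || suffix >= shown) {
      return { verdict: "lookalike", label: entry.label, prefix, suffix };
    }
  }
  return { verdict: "new" };
}

// Constructed address book and a constructed spoof of its only entry.
const addressBook = [
  { label: "Exchange deposit", address: "7xKpQ2mVnR8sTfYhLw3ZbCdEeGgHjJkMnPqRsTuVw9Fa" },
];
const spoofed = "7xKpA1bCdEfGhJkMnPqRsTuVwXyZ2345678abcdefw9Fa";

console.log(classifyRecipient(spoofed, addressBook));
```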

5. Token Extensions Exploits

In September, some Solana users reported that their tokens were burned after making transfers or swaps. Research showed that this was due to a token extension feature called Permanent Delegate.

Permanent Delegate is an official Solana token extension that allows a designated address to transfer or burn tokens at any time. It was designed for specific use cases like token recovery or regulatory compliance for stablecoins. However, malicious actors have started creating tokens with this feature enabled, attracting buyers only to later drain or destroy the tokens.

Other extensions, such as Transfer Hooks and Transfer Fees, can also be misused to cause financial loss. Always research token properties before investing, especially newer or unknown tokens.
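
Researching a token's properties can start with the extensions recorded on its mint account. The following is an added example, not from the original article: it assumes the mint account has been fetched in the jsonParsed form that Solana RPC returns for Token-2022 mints, and the sample data and addresses are constructed.

```javascript
// Added example. Assumption: `mintAccount` mirrors the jsonParsed form of a
// Token-2022 mint account; every address and value below is constructed.
const RISKY_EXTENSIONS = new Map([
  ["permanentDelegate", (s) => s.delegate
    ? `address ${s.delegate} can transfer or burn holders' tokens at any time` : null],
  ["transferHook", (s) => s.programId
    ? `every transfer invokes program ${s.programId}` : null],
  ["transferFeeConfig", (s) => {
    const bps = s.newerTransferFee?.transferFeeBasisPoints ?? 0;
    return bps > 0 ? `${bps / 100}% of each transfer is withheld as a fee` : null;
  }],
]);

// Returns a warning for each extension that is both present and active.
function auditMint(mintAccount) {
  const info = mintAccount.data.parsed.info;
  const warnings = [];
  // A mint owned by the original SPL Token program has no `extensions` field.
  for (const { extension, state } of info.extensions ?? []) {
    const describe = RISKY_EXTENSIONS.get(extension);
    const message = describe ? describe(state ?? {}) : null;
    if (message) warnings.push({ extension, message });
  }
  return warnings;
}

// Constructed sample: active permanent delegate and fee, an unset hook,
// and a benign metadata pointer.
const sampleMint = { data: { program: "spl-token-2022", parsed: { type: "mint", info: {
  decimals: 6, supply: "1000000000", mintAuthority: "Creator111", freezeAuthority: null,
  extensions: [
    { extension: "permanentDelegate", state: { delegate: "Creator111" } },
    { extension: "transferFeeConfig", state: { newerTransferFee:
      { epoch: 600, maximumFee: "1000000", transferFeeBasisPoints: 500 } } },
    { extension: "transferHook", state: { authority: null, programId: null } },
    { extension: "metadataPointer", state: { authority: null, metadataAddress: "Mint111" } },
  ],
} } } };

console.log(auditMint(sampleMint));
```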

Frequently Asked Questions

What is the most common type of attack on Solana?
Phishing attacks, particularly through fake airdrops and malicious NFTs, are among the most common threats. Users are tricked into signing transactions that drain their wallets.

How can I check if a transaction is safe?
Use your wallet’s simulation feature, but don’t rely on it completely. Always verify the receiving address, the program being called, and the full list of instructions in the transaction.

What should I do if I installed a malicious browser extension?
Immediately remove the extension from your browser, revoke its permissions, and scan your system for malware. Consider moving your assets to a new wallet.

Are hardware wallets safe on Solana?
Yes, using a hardware wallet significantly reduces risk because private keys are stored offline and transactions must be physically confirmed.

What is a Program Derived Address (PDA)?
A PDA is a type of account whose address is derived from a program ID and a set of seeds. Unlike regular accounts, PDAs do not have private keys and are controlled entirely by the program that created them.

Can Solana smart contracts be upgraded?
Yes, many programs on Solana are upgradeable unless they have been explicitly made immutable. Always verify the reputation of the program developer before interacting.

Conclusion

Staying safe in the Solana ecosystem requires a mix of using secure tools, maintaining awareness of common scams, and understanding new attack vectors. By choosing reliable wallets and plugins, carefully verifying every transaction, and keeping up with the latest security advice, you can greatly reduce your risk of financial loss. Always remember: when in doubt, slow down and double-check.