On December 3rd, the SlowMist Security Team published a security advisory detailing a phishing attack targeting a user. The attacker transferred the user’s account owner permissions, leaving the victim unable to revoke authorizations or access their assets — even though funds appeared normal, they were no longer under the user’s control.

– Over $3 million in assets were stolen.
– An additional $2 million locked in a DeFi protocol (initially untransferable) was later rescued with support from the respective DeFi platform.

This was not a traditional “authorization theft”; instead, the attacker seized core owner permissions, blocking the victim from sending transactions, revoking access, or managing DeFi assets.

The attacker exploited two counterintuitive tactics to trick the user into signing:

1. Wallets typically simulate transaction execution during signing and display fund changes — but the attacker’s crafted transaction had no fund shifts, hiding malicious activity.
2. Traditional Ethereum EOA accounts are private key-controlled, so many users are unaware Solana allows modifying account ownership.

SlowMist advises users to exercise extreme caution when signing transactions or authorizations: always verify there are no hidden actions altering high-risk permissions like owner access.
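The two tactics above come down to one gap: a balance-delta preview says nothing about instructions that move control of an account rather than value. The following is an added example, not code from SlowMist or from any wallet, of the check a wallet or a cautious user could run on a simulated transaction before signing. It walks a Solana transaction in the RPC `jsonParsed` shape (field names as returned by `getTransaction`/`simulateTransaction`, to the best of my knowledge), including inner CPI instructions, and flags System Program `assign`/`assignWithSeed` and SPL Token `setAuthority` instructions that target one of the user's own accounts. The System and SPL Token program ids are the real ones; the wallet addresses, the attacker program id and the sample transaction are constructed placeholders.

```javascript
// Added example (not SlowMist's or any wallet's code): flag instructions that
// hand control of the user's accounts to someone else, even when the
// simulated balance changes look harmless.

const SYSTEM_PROGRAM = "11111111111111111111111111111111";
const SPL_TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";

// Parsed instruction types, per program, that transfer control rather than value.
// "assign" re-owns a System account to another program; "setAuthority" rewrites
// an SPL Token account's owner / close / mint / freeze authority.
const CONTROL_TRANSFERS = {
  [SYSTEM_PROGRAM]: new Set(["assign", "assignWithSeed"]),
  [SPL_TOKEN_PROGRAM]: new Set(["setAuthority"]),
};

// Flatten top-level instructions and inner (CPI) instructions from a simulation.
function allInstructions(tx) {
  const outer = (tx.transaction && tx.transaction.message.instructions) || [];
  const inner = (tx.meta && tx.meta.innerInstructions) || [];
  return outer.concat(...inner.map((group) => group.instructions || []));
}

// Return every control-transferring instruction aimed at one of userAccounts.
function findControlTransfers(tx, userAccounts) {
  const mine = new Set(userAccounts);
  const findings = [];
  for (const ix of allInstructions(tx)) {
    const flaggedTypes = CONTROL_TRANSFERS[ix.programId];
    if (!flaggedTypes || !ix.parsed || !flaggedTypes.has(ix.parsed.type)) continue;
    const info = ix.parsed.info || {};
    const target = info.account || info.mint; // setAuthority on a mint uses "mint"
    if (!mine.has(target)) continue;
    findings.push({
      type: ix.parsed.type,
      account: target,
      newController: info.owner || info.newAuthority || null,
      authorityType: info.authorityType || null,
    });
  }
  return findings;
}

// What a balance-only preview sees: did any lamports move, apart from the fee
// paid by account index 0? (Token balances are omitted here for brevity.)
function movedBeyondFee(tx) {
  const meta = tx.meta || {};
  const pre = meta.preBalances || [];
  const post = meta.postBalances || [];
  const fee = meta.fee || 0;
  return pre.some((before, i) => {
    const delta = (post[i] || 0) - before + (i === 0 ? fee : 0);
    return delta !== 0;
  });
}

// Combined verdict: funds may look untouched while control is being taken.
function assessBeforeSigning(tx, userAccounts) {
  const controlTransfers = findControlTransfers(tx, userAccounts);
  return {
    fundsMoved: movedBeyondFee(tx),
    controlTransfers,
    safeToSign: controlTransfers.length === 0,
  };
}

// Constructed sample mirroring the reported pattern: a single System `assign`
// that re-owns the victim's wallet; only the transaction fee leaves the account.
const VICTIM = "VICTIM_WALLET_PLACEHOLDER";
const ATTACKER_PROGRAM = "ATTACKER_PROGRAM_PLACEHOLDER";
const SAMPLE_TX = {
  transaction: { message: { instructions: [
    { programId: SYSTEM_PROGRAM, program: "system",
      parsed: { type: "assign", info: { account: VICTIM, owner: ATTACKER_PROGRAM } } },
  ] } },
  meta: { fee: 5000, preBalances: [5000000000], postBalances: [4999995000], innerInstructions: [] },
};

// Constructed benign sample: an ordinary 1000-lamport transfer.
const BENIGN_TX = {
  transaction: { message: { instructions: [
    { programId: SYSTEM_PROGRAM, program: "system",
      parsed: { type: "transfer", info: { source: VICTIM, destination: "RECIPIENT_PLACEHOLDER", lamports: 1000 } } },
  ] } },
  meta: { fee: 5000, preBalances: [5000000000, 0], postBalances: [4999994000, 1000], innerInstructions: [] },
};

console.log(JSON.stringify(assessBeforeSigning(SAMPLE_TX, [VICTIM]), null, 2));
```

The design point is that `fundsMoved` is false for the hostile sample while `safeToSign` is also false: the preview a balance-only wallet shows is empty, and only the instruction walk exposes the `assign`. A production check would additionally watch token-account balance deltas and treat any instruction to a program the user does not recognise as a reason to stop.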

