Scammers Exploit Solana’s Permanent Delegate Function, Burn Users’ Tokens
Scammers Exploit Solana's Permanent Delegate Function to Burn Users' Tokens
Reports have surfaced detailing how a recently exploited feature within Solana is being used to defraud unsuspecting users. The key mechanism in this scam is the Permanent Delegate function, a tool initially designed for legitimate token management but now being wielded with malicious intent.
The scam, which has targeted several Solana users, involves the Permanent Delegate function, a Solana token extension intended to provide broader control over token accounts. However, it has become a weapon in the hands of bad actors looking to wipe out users’ holdings seconds after a transaction is completed. This incident underscores the risks inherent in blockchain features that, while powerful, can be turned against users.
The Mechanics of the Scam
The Permanent Delegate function, according to Solana’s official documentation, is a powerful tool designed to manage tokens with features such as burning or transferring tokens without limitation. While these capabilities are useful in scenarios like reclaiming mistakenly sent tokens or complying with sanctions, they also represent a significant risk if misused. The function allows unrestricted delegate privileges over all token accounts for a specific mint, meaning that if a scammer gains control, they can delete or transfer tokens at will.
The scam came to light when a Solana user attempted to swap tokens through a popular Solana-based platform, Jupiter. Initially, everything appeared normal—the transaction was confirmed, and the tokens were supposedly received. However, the user quickly realized that their wallet balance was empty. Upon investigation, it was discovered that the tokens had been burned within seconds of the transaction, thanks to the Permanent Delegate function attached to the token they had purchased.
Community Reactions
Slorg, a member of Jupiter’s Core Working Group, was one of the first to report this scam. In a post on X (formerly Twitter), Slorg described the experience of a community member who had fallen victim to the scam. “Imagine you swap for a token and the wallet history confirms that you received it. But then you look inside and nothing shows up,” Slorg recounted. The incident highlights the potential for the Permanent Delegate function to be used as a double-edged sword.
PeckShield, a blockchain security service provider, explained the risks associated with the Permanent Delegate function. “The Permanent Delegate is an extension feature in Solana’s Token 2022 standard that can be misused to burn or transfer tokens without the user’s knowledge,” a PeckShield representative told Cointelegraph. This sentiment was echoed by Beosin, another blockchain security firm, which suggested that scammers might be using this function to manipulate the circulating supply of tokens, thereby affecting tokenomics.
Slorg offered insight into the motives behind these scams, suggesting that some scammers may simply seek to create chaos. “Sometimes scammers just want to see destruction and chaos. It’s like a mix between a prank and a ‘f*ck you,’” he said. Other possible motivations include manipulating the market by reducing the float, preventing tokens from being sold to keep prices from dropping or simply making small, repeated profits.
The Broader Implications
The exploitation of the Permanent Delegate function has raised significant concerns within the Solana community. While the feature was designed with positive intentions, such as facilitating automatic payments and refunds, its abuse has highlighted the need for greater security measures. The ability for a single extension to cause such widespread damage underscores the delicate balance between functionality and security in blockchain technology.
As the cryptocurrency space continues to evolve, new features and extensions like the Permanent Delegate function will likely emerge, bringing with them both opportunities and risks. This incident serves as a stark reminder that users must exercise due diligence when interacting with new tokens, especially those involving complex extensions or features.
To combat this growing threat, platforms like Jupiter and RugCheck have developed indicators to alert users when the Permanent Delegate function is enabled on a token. However, as Slorg advises, “Practicing due diligence with any token is crucial. Always have a routine that you don’t deviate from, and take your time to read all the text when making a swap. If not, it could end up costing you someday, especially as new token capabilities are developed.”
As more cases of Permanent Delegate function abuse emerge, the Solana community and blockchain developers at large are being urged to review and possibly revise such features to prevent further exploitation. The case also calls for enhanced user education, ensuring that individuals understand the risks associated with certain token features before engaging in transactions.
While the Permanent Delegate function was introduced with good intentions, its misuse by scammers has highlighted the importance of vigilance in the rapidly evolving world of cryptocurrency. For users, the key takeaway is clear: always be aware of the tools at your disposal and the potential for those tools to be turned against you.
Get more from The Bit Gazette
