SwissBorg’s security incident impacted its SOL Earn Program and took advantage of its relationship with Kiln, which managed Solana staking for the program. Participants in this program would have their funds deposited in an account controlled by Kiln, which operated the staking strategy.

The root cause of the incident was an attack targeting the Kiln API. The attacker performed a standard unstaking transaction that concealed malicious logic several days before the attack was performed. Buried in the transaction were eight authorization instructions designed to transfer control over several of the platform’s staking accounts from SwissBorg to attacker-controlled on-chain accounts. When this unstaking operation — which looked benign — was approved, the attacker was also granted control over an estimated 192,600 SOL.

Later, the attacker exploited this malicious access to drain the tokens from the compromised staking accounts. These funds were split, with the majority sitting in another wallet, while approximately 1k SOL hopped through multiple wallets, splitting multiple times. After three hops, about 100 SOL was sent to Bitget in a test to determine whether the wallet would be flagged and frozen.

After the incident was detected, SwissBorg shut down Solana staking on its platform while it investigated. It also explained that the incident was caused by a third-party hack, rather than a compromise of SwissBorg’s infrastructure, and that users would be compensated from the SwissBorg treasury.

The SwissBorg hack has been called the “Bybit hack v2” due to the significant similarities in the attack. In both cases, the attacker exploited third-party infrastructure and tricked someone into approving a transaction that handed over control of a blockchain wallet. As a result, the attacker was able to drain significant value from the projects.

While the SwissBorg incident doesn’t have quite the price tag of the Bybit hack, it serves as a reminder of the importance of third-party risk management and transaction validation. In this case, entrusting control of its SOL Earn Program to Kiln resulted in $42 million in losses for SwissBorg due to a malicious transaction. This was possible because the transaction in question was assumed to be a normal unstaking transaction, overlooking the malicious functionality that it contains.

Halborn offers advisory services and tools designed to help organizations manage their exposure to these types of attacks. Halborn advisors can help to design robust risk management programs, and Halborn Seraph’s transaction simulation ensures that attackers can’t slip through malicious functionality in seemingly benign transactions. Get in touch to find out more.