Data from Etherscan shows that some crypto scammers are targeting users with a new trick that lets them confirm transactions from a victim’s wallet without the victim’s private key. The attack only works for zero-value transactions, but it can still cause users to send tokens to attackers by copying and pasting an address from their poisoned transaction history.
Blockchain security company SlowMist discovered the technique in December and revealed it in a blog post. Since then, SafePal and Etherscan have introduced mitigations to limit its impact on users, but some users may still be unaware of it.
Recently we have received reports from the public of a new type of scam: Zero Transfer Scam. Be careful if you see suspicious 0 transfers in your wallet notes:
1/10
– Veronica (@V_SafePal) December 14, 2022
According to the SlowMist post, the scam works by sending zero-value token transactions from the victim’s wallet to addresses that look like ones the victim has previously sent to.
For example, if a victim sends 100 coins to an exchange deposit address, the attacker can send zero coins from the victim’s wallet to an address that looks similar but is, in fact, under the attacker’s control. The victim sees this transaction in their history, concludes that the displayed address is the correct deposit address, and may end up sending coins directly to the attacker.
Sending transactions without the owner’s permission
Under normal circumstances, an attacker needs the victim’s private key to send transactions from the victim’s wallet. But the contract code visible under Etherscan’s “Contract” tab shows that some token contracts contain a loophole that lets attackers send transactions from any wallet.
For example, the code for USD Coin (USDC) on Etherscan shows that the “TransferFrom” function allows anyone to transfer coins from another person’s wallet, as long as the amount sent is less than or equal to the allowance that the address owner has granted to the caller.

This usually means that an attacker cannot make transactions from someone else’s address unless the owner approves the allowance for them.
However, there is a loophole in this limitation. The allowance is stored as an unsigned integer (a “uint256”), which defaults to zero unless the owner has explicitly set it to some other value. This can be seen in the “allowance” function.

As a result, as long as the attacker’s transaction value is zero (an unsigned integer cannot be less than zero), they can send transactions from absolutely any wallet they want, without a private key or prior approval from the owner.
USDC is not the only token that allows this to happen. The same code can be found in many token contracts. It can even be found in the example contract linked from the Ethereum Foundation’s official website.
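To make the loophole concrete, here is an added example (not code from the article or from any real token contract): a minimal Python model of the ERC-20 allowance and transferFrom checks described above, showing that a spender with no approval fails for a non-zero amount but succeeds for zero, leaving a Transfer event from the victim in the event log. Addresses are constructed placeholders.

```python
from collections import defaultdict


class Erc20Model:
    """Toy ERC-20 ledger. Allowances default to 0, as a Solidity mapping of uint256 does."""

    def __init__(self, balances):
        self.balances = defaultdict(int, balances)
        # allowance[owner][spender] -> amount the spender may still move; unset entries read as 0
        self.allowance = defaultdict(lambda: defaultdict(int))
        self.events = []  # Transfer(from, to, value) events, as a wallet or explorer would index them

    def approve(self, owner, spender, value):
        self.allowance[owner][spender] = value

    def transfer_from(self, sender, owner, to, value):
        """Mirrors the standard checks: balance and allowance must both cover `value`.
        With value == 0 both checks hold for *any* sender, so the call succeeds
        and a Transfer event from `owner` to `to` is recorded."""
        if value < 0:
            raise ValueError("uint256 cannot be negative")
        if self.balances[owner] < value:
            raise ValueError("insufficient balance")
        if self.allowance[owner][sender] < value:
            raise ValueError("insufficient allowance")
        self.balances[owner] -= value
        self.balances[to] += value
        self.allowance[owner][sender] -= value
        self.events.append(("Transfer", owner, to, value))
        return True


def demo():
    # Constructed sample addresses (not real accounts).
    victim, attacker, lookalike = "0xVICTIM", "0xATTACKER", "0xLOOKALIKE"
    token = Erc20Model({victim: 5000})
    # The attacker was never approved, so a non-zero transferFrom is rejected ...
    try:
        token.transfer_from(attacker, victim, lookalike, 1)
        nonzero_ok = True
    except ValueError:
        nonzero_ok = False
    # ... but a zero-value transferFrom passes and plants a Transfer event in the victim's history.
    zero_ok = token.transfer_from(attacker, victim, lookalike, 0)
    return nonzero_ok, zero_ok, token.events, token.balances[victim]


if __name__ == "__main__":
    print(demo())
```

The victim's balance is untouched; the only effect is the misleading history entry, which is why explorers and wallets, not the token contract, are where the mitigation sits.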
Example of zero value transfer fraud
Etherscan shows that some wallet addresses are sending thousands of zero transactions per day from various victim wallets without consent.
For example, an account labeled Fake_Phishing7974 used an unverified smart contract to send more than 80 transaction bundles on January 12, each containing 50 zero-value transactions, for a total of roughly 4,000 unauthorized transactions in a single day.

Misleading address
A closer look at the individual transactions reveals the motive behind this spam: the attacker sends a zero-value transaction to an address that looks very similar to one the victim previously sent funds to.
For example, Etherscan shows that one of the user addresses targeted by the attacker is:
0x20d7f90d9c40901488a935870e1e80127de11d74.
On January 29th, this account authorized 5,000 Tether (USDT) to be sent to this recipient address:
0xa541efe60f274f813a834afd31e896348810bb09.
Immediately after that, Fake_Phishing7974 sent a zero-value transaction from the victim’s wallet to this address:
0xA545c8659B0CD5B426A027509E55220FDa10bB09.
The first five characters and the last six characters of these two receiving addresses are exactly the same, but the characters in the middle are completely different. The attacker may intend for the user to send USDT to this second (fake) address instead of the original one, giving the attacker coins.
In this case, the scam appears not to have worked, since Etherscan shows no transactions from the victim’s address to any of the fake addresses created by the scammer. But given the volume of zero-value transactions this account sends, the scheme may well succeed in other cases.
Wallets and block explorers differ in how, or whether, they display these misleading transactions.
Wallets
Some wallets may not show spam transactions at all. For example, MetaMask shows no transaction history after it is reinstalled, even if the account has hundreds of transactions on the blockchain. This suggests that it stores its own transaction history rather than pulling it from the blockchain, which should keep spam transactions out of the wallet’s transaction view.
On the other hand, if a wallet pulls data directly from the blockchain, spam transactions can appear in its view. In a December 13 announcement on Twitter, SafePal CEO Veronica Wong warned SafePal users that their wallets can display these transactions. To mitigate the risk, Wong said SafePal has changed the way addresses are displayed in newer versions of the wallet to make it easier for users to check them.
(6/10) In this regard, we have acted:
1) In the latest V3.7.3 update, we adjusted the length of the wallet address displayed in the transaction history. The first and last 10 digits of the wallet address will be displayed by default, for address verification
– Veronica (@V_SafePal) December 14, 2022
In December, one user also reported that the Trezor wallet was showing misleading transactions.
Cointelegraph reached out via email to Trezor developer SatoshiLabs for comment. In response, the representative stated that the wallet pulls transaction history directly from the blockchain “every time a user plugs in a Trezor wallet.”
However, the team is taking steps to protect users from the scam. In an upcoming Trezor Suite update, the software will “flag suspicious zero-value transactions so that users are alerted that the transaction may be fraudulent.” The company also stated that the wallet always displays the full address of each transaction and that they “strongly recommend that users always check the full address, not just the first and last characters.”
Block explorers
Aside from wallets, block explorers are another kind of software you can use to view your transaction history. Like some wallets, some explorers may display these transactions in a way that inadvertently misleads users.
To mitigate this threat, Etherscan has begun hiding zero-value token transactions that were not initiated by the user. It also flags such transactions with a notice reading “This is a zero-value token transfer initiated from another address,” as shown in the image below.

Other block explorers may have taken steps similar to Etherscan to warn users of these transactions, but some have yet to implement them.
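The two checks that the wallets and explorers above describe, flagging zero-value transfers that the sending account did not initiate itself and warning when a recipient merely resembles a previously used address, can be expressed as simple history-audit logic. The following is an added example, not code from Etherscan, Trezor, SafePal or the article; the sample history is constructed and reuses the two recipient addresses quoted earlier, with a placeholder attacker address.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TokenTransfer:
    tx_sender: str  # account that signed the transaction (msg.sender)
    src: str        # Transfer event `from`
    dst: str        # Transfer event `to`
    value: int      # token amount


def is_poisoning_candidate(t: TokenTransfer) -> bool:
    """Zero-value transfer that the `from` address did not initiate itself,
    i.e. a third party called transferFrom on its behalf."""
    return t.value == 0 and t.tx_sender.lower() != t.src.lower()


def looks_alike(a: str, b: str, head: int = 5, tail: int = 6) -> bool:
    """True when two distinct addresses share their first `head` and last `tail`
    characters (case-insensitive), the pattern used to spoof a known recipient."""
    a, b = a.lower(), b.lower()
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]


def audit_history(user: str, history: List[TokenTransfer]) -> List[Tuple[str, str]]:
    """Return (reason, address) alerts. Only recipients of transactions the user
    signed are treated as trusted; planted zero-value entries never are."""
    trusted = set()
    alerts = []
    for t in history:
        if is_poisoning_candidate(t):
            alerts.append(("zero-value transfer initiated by another address", t.dst))
        elif t.tx_sender.lower() == user.lower():
            trusted.add(t.dst.lower())
    for t in history:
        if any(looks_alike(t.dst, known) for known in trusted):
            alerts.append(("recipient resembles a previously used address", t.dst))
    return alerts


# Constructed history: the genuine 5,000 USDT send, then the attacker's planted entry.
VICTIM = "0x20d7f90d9c40901488a935870e1e80127de11d74"
REAL_DST = "0xa541efe60f274f813a834afd31e896348810bb09"
FAKE_DST = "0xA545c8659B0CD5B426A027509E55220FDa10bB09"
ATTACKER = "0x0000000000000000000000000000000000000bad"  # placeholder, not a real account
SAMPLE_HISTORY = [
    TokenTransfer(VICTIM, VICTIM, REAL_DST, 5000),
    TokenTransfer(ATTACKER, VICTIM, FAKE_DST, 0),
]

if __name__ == "__main__":
    for reason, addr in audit_history(VICTIM, SAMPLE_HISTORY):
        print(f"ALERT: {reason}: {addr}")
```

The planted entry trips both checks; the genuine transfer trips neither, and comparing only the first and last characters, as a truncated wallet display does, would not have separated the two addresses.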
Tips to avoid the ‘TransferFrom zero’ trick
Cointelegraph reached out to SlowMist for advice on how to avoid falling prey to the “TransferFrom zero” trick.
A representative of the company gave a list of tips for Cointelegraph to avoid becoming a victim of an attack:
- “Be careful and verify your address before making a transaction.”
- “Use the whitelist feature in your wallet to prevent sending funds to the wrong address.”
- “Stay alert and aware. If you come across a suspicious transfer, take the time to investigate the matter calmly to avoid becoming a victim of scammers.”
- “Maintain a healthy level of skepticism, always be cautious and alert.”
Judging from this advice, the most important thing for crypto users to remember is to always check the address they are sending crypto to. Even if the transaction history shows that you have sent crypto to that address before, appearances can be deceiving.