News

Exposing the Scam: How Scammers Abuse Legitimate Blockchain Protocols to Steal Your Cryptocurrency Wallet

Published

4 months ago

on

Search for Dikla Barda, Roman Ziakin and Oded Vanunu

Check Point’s Blockchain Threat Intel has identified and reported that scammers have become increasingly sophisticated in recent times, leveraging legitimate blockchain protocols to carry out their scams.

The Uniswap protocol, launched in 2018, is the largest and most popular decentralized exchange for exchanging cryptocurrency tokens on Ethereum and other popular blockchains, blocking over $1.8 trillion in trading volume and 350 million swaps. As the fifth largest application on Ethereum, Uniswap holds over $4 billion in total value locked (TVL) and consistently reaches billions in weekly trading volume, maintaining its position as the largest decentralized exchange by volume on Ethereum mainnet, Polygon, Arbitrum, and Optimism. Safe.global Meanwhile, it is similar to a smart contract wallet and is said to have a total of 69 million transactions, with 9.5 million managed accounts totaling $100 billion in total assets stored.

By exploiting the trust and functionality of established platforms like Uniswap V3 and Safe.global, these attackers mask their malicious activities. For example, the attackers cleverly embed their attacks in the multicall aggregation function on the Uniswap V3 contract, which allows them to execute multiple transactions in a single call, thus obfuscating their true intentions.

Similarly, they use the GnosisSafeProxy contract to create seemingly legitimate contracts, which they then use to perpetrate fraudulent schemes. This clever manipulation of trusted protocols not only increases the credibility of their scams, but also makes detection and prevention significantly more difficult.

The technical side of the aggregation function

When the victim receives such a transaction, he will see the address: 0x5BA1e12693Dc8F9c48aAD8770482f4739bEeD696

It wants to perform the aggregation, as you can see in the following screenshot:

If the victim checks who this address is, he will see that it is a legitimate Uniswap V3 Multicall2 contract.

Let’s take a look at the aggregation function in the Uniswap multicall contract :

The function takes a single parameter: ‘calls’which is an array of Call structs. Each Call struct includes:

target: The address of the contract to call.

callData: The data (function signature and parameters) to be sent to the destination contract.

The aggregate function iterates over each call provided in the calls array. For each individual call, the function initiates a request to the specified target contract using the specified callData. This mechanism allows the aggregate function to perform multiple operations on different contracts in a single transaction, improving transactional efficiency and cohesion.

So where is the security problem?

The open nature of the contract, which allows any user to set data targets and parameters, poses a substantial risk. In an environment where asset theft is rampant, the inherent trust placed in trusted addresses like Uniswap can be exploited. For example, if a user checks the multicall contract address on platforms like Etherscan and sees that it is labeled as associated with Uniswap, they may mistakenly assume that it is safe. This perceived security can be dangerous since Uniswap, as a decentralized exchange (DEX), regularly interacts with user wallets for transactions.

Attackers exploit the Uniswap Multicall contract to orchestrate fund transfers from victims’ wallets to their own. They do this by using Uniswap as the spender address. Unsuspecting users, seeing Uniswap listed as a spender and trusting its legitimacy, may then approve transactions that they believe are standard operations. This approval unknowingly grants permission for their assets to be transferred directly to the attackers’ wallets.

Here is a real-world example that illustrates how such exploitation can occur: 0xe02a450b96a2679557dc6ea214808eb0692e8b96c7a8da47f67e4e26d0086aab In this text, we can see that the Uniswap v3 multicall contract is used:

an aggregation function is called:

The attacker exploits the aggregation function to execute the transferFrom function, which allows the attacker to withdraw funds on behalf of a specified wallet. To successfully use this function, the initiator of the transferFrom transaction must have prior approval to withdraw money from the targeted wallet.

Looking at the transaction logs, we see an approval event. This approval was granted by the victim to the Uniswap Multicall contract just moments before, when the victim unknowingly signed a request, manipulated by the attacker, to increase the quota.

This action effectively increased the limit of the amount the attacker could withdraw from the victim’s wallet.

After the victim’s approval, the Uniswap Multicall contract was authorized to manage the funds on their behalf. Using this approval, the attacker initiated a transferFrom operation via the Multicall contract, which already had permission to access the victim’s funds. Inside the aggregation function, the attacker specified a target, the specific token they wanted to steal, and used the transferFrom function to redirect the victim’s money to a wallet under their control.

Safe (formerly known as Gnosis Safe) stands out as a top choice for multi-signature wallets. This smart contract platform allows users to create and manage wallets that require multiple approvals to execute transactions.

To get started with Gnosis Safe, users must first set up a Safe account via Safe Interface. This process assigns a unique Safe address to each account, which is linked to a Safe Proxy. The proxy is essential as it holds the funds and conducts transactions on behalf of the account.

However, this infrastructure is not immune to abuse. Attackers have been known to use contracts and the Gnosis Safe framework, convincing unsuspecting victims to sign fraudulent transactions.

An example of an attack seen earlier this year:

https://etherscan.io/tx/0x3c696c2f9af5f2717d74522c19a300cf65d2077aaf9cef435dc186 26d162a524

Let’s explore how it works. First, the attacker uses the Gnosis Safe framework to establish a legitimate proxy contract. Next, the attacker tricks the victim into committing to this proxy contract, convincing them to perform an “increase allowance” transaction. This action authorizes the Gnosis Safe Proxy contract to manage tokens from the victim

wallet.

Shortly thereafter, the attacker uses the execTransaction function on the Gnosis Safe Proxy contract to conduct more transactions.

Let’s analyze in detail how this function works:

When the execTransaction function is fired on a proxy contract, it forwards this call to the master copy, also known as a singleton. This is achieved using the delegatecall operation in Solidity, enabling the master copy code to be executed within the proxy storage.

context.

The execTransaction function, as defined in the singleton contract, ensures that transactions are executed only after receiving the required approvals from the designated number of owners, verified by their signatures. It also efficiently manages gas payments, ensuring that all transaction costs are adequately covered and refunds are issued where necessary. Furthermore, this function is enhanced by integration with guard contracts, which perform additional security checks. This setup creates a secure and efficient framework for managing multi-signatures

transactions.

If we look closely at the code, we see that it involves a call to the Gnosis Safe Executor contract. This contract is specifically designed to facilitate the execution of the transaction on behalf of the Safe. Inside this contract, the execution function is triggered, which in turn calls the Safe MultiSend contract.

The Safe MultiSend contract is a crucial component of the Gnosis Safe framework. It allows multiple transactions to be grouped into a single operation, much like the aggregation function in Uniswap. This capability is highly useful for improving efficiency and minimizing gas costs when multiple actions need to be performed simultaneously.

Analysis of data directed to the MultiSend function reveals that it processes three transferFrom requests involving the victim’s “Umbrella” token, allowing the attacker to drain tokens from the victim’s wallet.

Protect your assets

In light of these sophisticated scams, it is essential to take rigorous security measures to safeguard your digital assets.

  1. Always verify the legitimacy of contracts and their functionality before approving any transaction.
  2. Avoid blindly accepting transactions, even if they appear to come from trusted sources.
  3. If possible, perform actions directly from the official project websites to ensure their authenticity.
  4. Be careful of emails and social media links, as they can be scams.
  5. Regularly monitor your wallet and transaction history for any unusual activity.
  6. Stay informed about the latest scams and best practices by following trusted blogs and actively engaging with the blockchain community.

By implementing these proactive measures, you can significantly reduce the risk of falling victim to advanced fraudulent schemes.

Fuente

Related Topics:

Leave a Reply

Your email address will not be published. Required fields are marked *

Información básica sobre protección de datos Ver más

  • Responsable: Miguel Mamador.
  • Finalidad:  Moderar los comentarios.
  • Legitimación:  Por consentimiento del interesado.
  • Destinatarios y encargados de tratamiento:  No se ceden o comunican datos a terceros para prestar este servicio. El Titular ha contratado los servicios de alojamiento web a Banahosting que actúa como encargado de tratamiento.
  • Derechos: Acceder, rectificar y suprimir los datos.
  • Información Adicional: Puede consultar la información detallada en la Política de Privacidad.

Trending

Exit mobile version