Scammers are targeting crypto users with new ‘zero value TransferFrom’ trick

Published at: Feb. 7, 2023

Data from Etherscan shows that some crypto scammers are targeting users with a new trick that allows them to confirm a transaction from the victim’s wallet, but without having the victim’s private key. The attack can only be performed for transactions of 0 value. However, it may cause some users to accidentally send tokens to the attacker as a result of cutting and pasting from a hijacked transaction history.

Blockchain security firm SlowMist discovered the new technique in December and revealed it in a blog post. Since then, both SafePal and Etherscan have adopted mitigation techniques to limit its effect on users, but some users may still be unaware of its existence.

Recently we have received reports from the community of a new type of scam: Zero Transfer Scam. Be careful if you see suspicious 0 transfer in your wallet record:1/10

— Veronica (@V_SafePal) December 14, 2022

According to the post from SlowMist, the scam works by sending a transaction of zero tokens from the victim’s wallet to an address that looks similar to one that the victim had previously sent tokens to.

For example, if the victim sent 100 coins to an exchange deposit address, the attacker may send zero coins from the victim’s wallet to an address that looks similar but that is, in fact, under the control of the attacker. The victim may see this transaction in their transaction history and conclude that the address shown is the correct deposit address. As a result, they may send their coins directly to the attacker.

Sending a transaction without owner permission 

Under normal circumstances, an attacker needs the victim’s private key to send a transaction from the victim’s wallet. But Etherscan’s “contract tab” feature reveals that there is a loophole in some token contracts that can allow an attacker to send a transaction from any wallet whatsoever.

For example, the code for USD Coin (USDC) on Etherscan shows that the “TransferFrom” function allows any person to move coins from another person’s wallet as long as the amount of coins they are sending is less than or equal to the amount allowed by the owner of the address.

This usually means that an attacker can’t make a transaction from another person’s address unless the owner approves an allowance for them.

However, there is a loophole in this restriction. The allowed amount is defined as a number (called the “uint256 type”), which means it is interpreted as zero unless it is specifically set to some other number. This can be seen in the “allowance” function.

As a result, as long as the value of the attacker’s transaction is less than or equal to zero, they can send a transaction from absolutely any wallet they want, without needing the private key or prior approval from the owner.

USDC isn’t the only token that allows this to be done. Similar code can be found in most token contracts. It can even be found in the example contracts linked from the Ethereum Foundation’s official website.

Examples of the zero value transfer scam

Etherscan shows that some wallet addresses are sending thousands of zero-value transactions per day from various victims’ wallets without their consent.

For example, an account labeled Fake_Phishing7974 used an unverified smart contract to perform more than 80 bundles of transactions on Jan. 12, with each bundle containing 50 zero-value transactions for a total of 4,000 unauthorized transactions in one day.

Misleading addresses

Looking at each transaction more closely reveals a motive for this spam: The attacker is sending zero-value transactions to addresses that look very similar to ones the victims previously sent funds to.

For example, Etherscan shows that one of the user addresses targeted by the attacker is the following:

0x20d7f90d9c40901488a935870e1e80127de11d74.

On Jan. 29, this account authorized 5,000 Tether (USDT) to be sent to this receiving address:

0xa541efe60f274f813a834afd31e896348810bb09.

Immediately afterwards, Fake_Phishing7974 sent a zero-value transaction from the victim’s wallet to this address:

0xA545c8659B0CD5B426A027509E55220FDa10bB09.

The first five characters and the last six characters of these two receiving addresses are exactly the same, but the characters in the middle are all completely different. The attacker may have intended for the user to send USDT to this second (fake) address instead of the real one, giving their coins to the attacker.

In this particular case, it appears that the scam did not work, as Etherscan does not show any transactions from this address to one of the fake addresses created by the scammer. But given the volume of zero-value transactions done by this account, the plan may have worked in other cases.

Wallets and block explorers may vary significantly as to how or whether they show misleading transactions.

Wallets

Some wallets may not show the spam transactions at all. For example, MetaMask shows no transaction history if it is reinstalled, even if the account itself has hundreds of transactions on the blockchain. This implies that it stores its own transaction history rather than pulling the data from the blockchain. This should prevent the spam transactions from showing up in the wallet’s transaction history.

On the other hand, if the wallet pulls data directly from the blockchain, the spam transactions may show up in the wallet’s display. In a Dec. 13 announcement on Twitter, SafePal CEO Veronica Wong warned SafePal users that its wallet may display the transactions. In order to mitigate against this risk, she said that SafePal was altering the way addresses are displayed in newer versions of its wallet so as to make it easier for users to inspect addresses.

(6/10) Upon this, we have taken actions:1) In the latest V3.7.3 update, we adjusted the length of the wallet address displayed in the transaction history. The first and last 10 digits of the wallet address will be displayed in default, for the sake of address examination

— Veronica (@V_SafePal) December 14, 2022

In December, one user also reported that their Trezor wallet was displaying misleading transactions.

Cointelegraph reached out through email to Trezor developer SatoshiLabs for comment. In response, a representative stated that the wallet does pull its transaction history directly from the blockchain “every time users plug in their Trezor wallet.”

However, the team is taking steps to protect users from the scam. In an upcoming Trezor Suite update, the software will “flag the suspicious zero-value transactions so that users are alerted that such transactions are potentially fraudulent.” The company also stated that the wallet always displays the full address of every transaction and that they “strongly recommend that users always check the full address, not just the first and last characters.”

Block explorers

Aside from wallets, block explorers are another type of software that can be used to view transaction history. Some explorers may display these transactions in such a way as to inadvertently mislead users, just as some wallets do.

To mitigate against this threat, Etherscan has begun graying out zero-value token transactions that aren’t initiated by the user. It also flags these transactions with an alert that says, “This is a zero-value token transfer initiated by another address,” as evidenced by the image below.

Other block explorers may have taken the same steps as Etherscan to warn users about these transactions, but some may not have implemented these steps yet.

Tips for avoiding the 'zero-value TransferFrom' trick

Cointelegraph reached out to SlowMist for advice on how to avoid falling prey to the “zero-value TransferFrom” trick.

A representative from the company gave Cointelegraph a list of tips for avoiding becoming a victim of the attack:

"Exercise caution and verify the address before executing any transactions.""Utilize the whitelist feature in your wallet to prevent sending funds to the wrong addresses.""Stay vigilant and informed. If you encounter any suspicious transfers, take the time to investigate the matter calmly to avoid falling victim to scammers.""Maintain a healthy level of skepticism, always stay cautious and vigilant."

Judging from this advice, the most important thing for crypto users to remember is to always check the address before sending crypto to it. Even if the transaction record seems to imply that you’ve sent crypto to the address before, this appearance may be deceiving.

Tags
Related Posts
Immunefi partners with Binance Smart Chain on bug bounties to secure BSC projects
Immunefi, a security service outfit that specialized in decentralized finance (DeFi) projects, has inked a collaboration with the Binance Smart Chain. According to a release issued on Friday, Immunefi will work in collaboration with BSC to improve the security of projects on the Binance chain. As part of the partnership, ethical hackers who take part in a campaign to discover vulnerabilities in BSC-based projects will earn rewards. As a security outfit, Immunefi has reportedly paid more than $3 million in bug bounties to ethical hackers. Major BSC protocols such as PancakeSwap, DODO, and Zapper among others are already deploying the …
Blockchain / July 9, 2021
Blockchain Voting is Vulnerable to Hacking and Low-Quality Data: Research
Nir Kshetri, a professor of management at the University of North Carolina, has suggested that before blockchain-based voting can be considered safe and trustworthy, some major issues must be resolved. In an article published on Oct. 18, Kshetri claims that “small-scale tests run so far have identified problems and vulnerabilities in the digital systems and government administrative procedures” that must be solved before adopting the technology. Hard to audit Per the report, such systems need to verify voters’ identities — often by analyzing a portrait photo or video with facial recognition software. According to Kshetri, contemporary voting tokens are anonymous …
Blockchain / Oct. 19, 2019
World Economic Forum Releases Report About Blockchain Cybersecurity
The World Economic Forum (WEF) released a report about blockchain cybersecurity on April 5. The report points out that most data breaches do not result from the level of skill of the hackers, but instead happen because appropriate security measures often are not implemented. The WEF further claims that while attackers do compromise blockchains themselves, they much more often try to exploit or compromise their deployment. The WEF references the data breach of retail giant Target, which lead to both the CEO and chief information officer being fired, also mentioning that the director of the United States Government Office of …
Blockchain / April 8, 2019
Cross-chains in the crosshairs: Hacks call for better defense mechanisms
2022 has been a lucrative year for hackers preying on the nascent Web3 and decentralized finance (DeFi) spaces, with more than $2 billion worth of cryptocurrency fleeced in several high-profile hacks to date. Cross-chain protocols have been particularly hard hit, with Axie Infinity’s $650 million Ronin Bridge hack accounting for a significant portion of stolen funds this year. The pillaging continued into the second half of 2022 as cross-chain platform Nomad saw $190 million drained from wallets. The Solana ecosystem was the next target, with hackers gaining access to private keys of some 8000 wallets that resulted in $5 million …
Blockchain / Aug. 11, 2022
Crypto app targeting SharkBot malware resurfaces on Google app store
A newly upgraded version of a banking and crypto app targeting malware has recently resurfaced on the Google Play store, now with the capability to steal cookies from account logins and bypass fingerprint or authentication requirements. A warning about the new version of the malware was shared by malware analyst Alberto Segura and treat intelligence analyst Mike Stokkel on Twitter accounts on Sept. 2, sharing their co-authored article on Fox IT’s blog. We discovered a new version of #SharkbotDropper in Google Play used to download and install #Sharkbot! The found droppers were used in a campaign targeting UK and IT! …
Blockchain / Sept. 5, 2022