On-chain sleuth ‘Scam Sniffer’ has revealed that hackers are abusing an Ethereum opcode to drain users’ crypto wallets while slipping past the security alerts built into wallets and transaction-screening tools. The technique, which includes a variant known as “address poisoning”, has let bad actors steal crypto worth over $60 million in six months.
Scam Sniffer, which has already observed several cases of the exploitation, reported that 99,000 Ethereum users have so far fallen victim to the attack. In one instance, a single user lost $1.6 million.
Hackers Are Exploiting the ‘Create2’ Opcode to Create Malicious Smart Contracts and Wallets
The blockchain security expert noted that the problem lies in ‘Create2’, an opcode added to the Ethereum Virtual Machine by the ‘Constantinople’ upgrade in 2019 (EIP-1014). The original ‘Create’ opcode derives a new contract’s address from the creator’s address and nonce, so the address is only known once the creating transaction is ordered on-chain. Create2 instead derives it from the deployer’s address, a caller-chosen 32-byte salt and the hash of the contract’s initialization code, which lets users and applications compute the address of a smart contract before it is deployed and pick the salt that produces the address they want.
Ethereum developers have used this to deploy contracts at predictable, deterministic addresses, to fund or reference a contract before it exists (counterfactual deployment, used by state channels and similar off-chain constructions), and to make factory-deployed contracts easier for decentralized applications (dApps) to locate.
Although the opcode offers real benefits to both users and developers, its security implications had gone largely unnoticed until now.
According to Scam Sniffer’s report, bad actors abuse the Create2 mechanism to obtain brand-new contract addresses that have no on-chain history at all. Wallet warnings and blocklists key on an address’s past behaviour, so an address that has never been used has nothing to flag, and the transaction sails through the checks. Scam Sniffer noted that the abuse takes two forms.
Hackers Prompt Victims to Sign off Malicious Transactions to Get Access to Wallets
Scam Sniffer explained that in the first method, the hacker pre-computes a contract address that does not yet exist and tricks the victim into signing a malicious request naming it. When the user interacts with the phishing site, they are prompted to “approve” a signature whose permissions are disguised; what they actually grant is spending rights over their tokens to the pre-computed address.
Because that address has never transacted, the security alerts that would normally warn the user before they approve a transaction have no history to match against and do not fire. The same alerts would have had a chance to flag a reused attacker address; Create2 lets the hackers use a fresh one every time.
Once a victim signs the approval, the attacker deploys the malicious contract at the pre-calculated address and uses the granted allowance to move the victim’s assets out. The transfer is irreversible, leaving the victim with no way to retrieve lost funds.
Scam Sniffer, along with blockchain security firm SlowMist, observed a case where a user lost $927,000 worth of GMX after they were tricked into signing a transfer contract that actually sent the tokens to a pre-computed address.
Bad Actors Generate Wallet Addresses Similar to Ones the Victim Recently Transacted With
The other Create2 abuse involves the bad actor grinding through salts to generate a large number of candidate addresses, then keeping those whose leading and trailing characters match a legitimate address the target victim has recently transacted with. Because the derivation is pure computation, this search costs nothing on-chain; the attacker only deploys at the chosen address once a lookalike is found. The scheme is known as ‘address poisoning’.
The trick is to get the victim to send crypto to the threat actor’s address while believing they are sending funds to the familiar one.
During the scam, the hacker typically also sends the victim a small “dust” amount of crypto from the lookalike address so that it shows up in the victim’s wallet history. The victim, copying a recent entry rather than a verified one, is then more likely to make the payment without checking the full address.
Over the past three months, Scam Sniffer recorded 11 cases where victims lost nearly $3 million in Ether (ETH) to the address poisoning scheme, with one user reportedly transferring $1.6 million worth of crypto to an address that resembled one they had recently transacted with.
Crypto Community Asks Users to Thoroughly Verify Recipient Addresses
The on-chain sleuth said that most of these Create2 abuse attacks went under the radar, helping the hackers siphon millions of dollars in crypto without anyone ever noticing. However, security experts and the Ethereum community have since taken notice and are starting to trace the bad actors abusing the network’s opcode.
Earlier this year, crypto wallet provider MetaMask warned users about a scam in which hackers use freshly generated addresses that resemble the ones victims recently sent money to.
In August, a Binance operator mistakenly transferred $20 million in crypto to scammers who employed the ‘address poisoning’ trick. However, the error was quickly noticed by the exchange’s security team and they moved to freeze the recipient’s address.
It is always recommended to verify the recipient’s address thoroughly before making a crypto transfer. Users normally only check the first and last three to four characters of the address before approving the transaction, and that is precisely the habit address poisoning is built to exploit: a lookalike is chosen to match exactly those characters. Compare the full address against a saved, verified entry rather than an item copied from recent transaction history, and treat any unexpected small incoming transfer from an unfamiliar address as a warning sign rather than as proof the address is known.