A new crypto scam drains users’ wallets without transaction authorization
A new scam circulating on Telegram lets an attacker drain a victim's wallet without the victim ever approving a transaction, according to user reports and blockchain data.
The attack only works on tokens that conform to the ERC-2612 token standard, which allows for “gasless” transfers, meaning transfers from wallets that hold no Ether (ETH). While the method does not require the user to approve a transaction, it does appear to require tricking the user into signing a message.
As more tokens implement the ERC-2612 standard, this particular attack may spread.
A user contacted by Cointelegraph said that more than $600 worth of Open Exchange (OX) tokens, developed by OPNX, had gone missing after they visited a Telegram group. It turned out to be a phishing scam.
On entering the Telegram group, the user was asked to press a button to connect their wallet, supposedly to verify that they were not a bot. This opened a browser window in which they connected the wallet to the site, believing that merely connecting posed no risk to their funds. Within a few minutes, however, all of the OX tokens were gone. The victim never authorized a single transaction from the site, yet the funds were stolen.
Cointelegraph visited the Telegram group and found that it uses a fake version of the Collab.Land Telegram verification system. The real Collab.Land system sends messages from the Telegram account @collablandbot, with two lowercase “l”s. The fake version sends messages from @colIablandbot, with a capital “I” in place of the second lowercase “l”. The two characters look nearly identical in the font Telegram uses for usernames.
Likewise, the “Link Wallet” button of the real Collab.Land bot sends users to the URL connect.collab.info, with no hyphen, while the fake version sends users to connect-collab.info, with a hyphen in place of the first dot.
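The two tells described above, a lookalike sender handle and a hyphenated domain that is not the real one, can both be checked mechanically. The following is an added example written for this article, not code from Cointelegraph or Collab.Land: it folds characters that are hard to distinguish in a sans-serif font (capital I, digit 1, lowercase l) to a common form before comparing handles, and compares the registrable domain of a link against the expected one. The confusable table is a constructed minimal one, and the trusted handle and domain are the ones the article names.

```python
"""Lookalike checks for Telegram bot handles and wallet-verification links (added example)."""
import unicodedata
from urllib.parse import urlparse

# Characters that are hard to tell apart in the font Telegram uses for usernames.
# Each confusable is folded to one representative so that strings which differ only
# by such a swap compare equal. Constructed, minimal table; a real tool would use the
# Unicode TR39 confusables data.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",   # capital I, digit one and pipe vs lowercase L
    "0": "o",                       # digit zero vs letter O
}

TRUSTED_BOT = "@collablandbot"      # real Collab.Land handle named in the article
TRUSTED_DOMAIN = "collab.info"      # real link domain named in the article


def skeleton(handle: str) -> str:
    """Fold a handle to a comparison form: strip '@', NFKC-normalise, map confusables, lowercase."""
    text = unicodedata.normalize("NFKC", handle.lstrip("@"))
    # Map confusables before lowercasing so that capital I becomes 'l', not 'i'
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return folded.lower()


def is_lookalike_handle(candidate: str, trusted: str) -> bool:
    """True when candidate is not the trusted handle but folds to the same skeleton.

    Telegram usernames are case-insensitive, so a case-only difference is the same account.
    """
    cand = candidate.lstrip("@")
    real = trusted.lstrip("@")
    return cand.lower() != real.lower() and skeleton(cand) == skeleton(real)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (adequate for .info/.com; a real tool uses the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_matches_domain(url: str, expected_domain: str) -> bool:
    """True only when the link's registrable domain is exactly the expected one."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) == expected_domain.lower()


def check_verification_prompt(sender_handle: str, link_url: str) -> list:
    """Return the reasons a 'connect your wallet to verify' prompt should be distrusted."""
    findings = []
    if is_lookalike_handle(sender_handle, TRUSTED_BOT):
        findings.append("sender_handle_lookalike")
    elif sender_handle.lstrip("@").lower() != TRUSTED_BOT.lstrip("@"):
        findings.append("sender_handle_unknown")
    if not link_matches_domain(link_url, TRUSTED_DOMAIN):
        findings.append("link_domain_mismatch")
    return findings


if __name__ == "__main__":
    # The fake prompt from the article versus the genuine one
    print(check_verification_prompt("@colIablandbot", "https://connect-collab.info/verify"))
    print(check_verification_prompt("@collablandbot", "https://connect.collab.info/verify"))
```

The handle check deliberately reports an exact (case-insensitive) match as not a lookalike, since that is the genuine bot; only a string that differs yet folds to the same skeleton is flagged. The domain check compares registrable domains rather than the full hostname, so a legitimate subdomain such as connect.collab.info passes while connect-collab.info, whose registrable domain is a different registration entirely, does not.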
Related: Fraudsters are targeting crypto users with new ‘Zero Value TransferFrom’ trick.
According to blockchain data, the attacker used the “transferFrom” function on the OX token contract to withdraw the funds. Normally, this function can be called by a third party only if the owner has first called “approve” in a separate transaction and set a spending limit. Blockchain data shows no evidence that the victim ever made such an approval.
About an hour and 40 minutes before the transfer, however, the attacker called “permit” on the OX token contract, naming himself as “spender” and the victim's account as “owner”. A permit call also specifies a “deadline”, the time at which the permission expires, and a “value”, the amount of tokens that may be transferred. The “value” was set to an arbitrarily large number.
The permit function sits on lines 116-160 of the token contract's ERC20.sol file. It allows a third party to transfer tokens on the owner's behalf, but only if the owner supplies a signed message granting that permission.
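What the owner signs for a permit is an EIP-712 typed-data message naming the owner, the spender, the value, a nonce and the deadline, and a wallet shows that message before signing it. The following is an added example, not code from the article, the token contract or any wallet: it inspects such a signature request and reports the three signals that characterise the attack described here, an unlimited value, a far-off deadline and a spender the user has no relationship with. The typed-data sample, its addresses, chain id and token name are all constructed placeholders, not the values from the incident.

```python
"""Inspect an ERC-2612 "Permit" signature request before signing it (added example)."""
import json
from typing import Dict, Iterable

UINT256_MAX = 2**256 - 1      # wallets usually display this as "unlimited"
ONE_DAY = 24 * 60 * 60

# Constructed sample of the EIP-712 typed data a wallet asks the user to sign.
# Every address, the chain id and the token name are placeholders.
SAMPLE_PERMIT_REQUEST = json.dumps({
    "types": {
        "EIP712Domain": [
            {"name": "name", "type": "string"},
            {"name": "version", "type": "string"},
            {"name": "chainId", "type": "uint256"},
            {"name": "verifyingContract", "type": "address"},
        ],
        "Permit": [
            {"name": "owner", "type": "address"},
            {"name": "spender", "type": "address"},
            {"name": "value", "type": "uint256"},
            {"name": "nonce", "type": "uint256"},
            {"name": "deadline", "type": "uint256"},
        ],
    },
    "primaryType": "Permit",
    "domain": {
        "name": "Example Token",
        "version": "1",
        "chainId": 1,
        "verifyingContract": "0x1111111111111111111111111111111111111111",
    },
    "message": {
        "owner": "0x2222222222222222222222222222222222222222",
        "spender": "0x3333333333333333333333333333333333333333",
        "value": str(UINT256_MAX),     # arbitrarily large, as in the attack
        "nonce": 0,
        "deadline": str(2**64 - 1),    # effectively never expires
    },
})

# A constructed request of a different primary type, to show the non-permit path
SAMPLE_OTHER_REQUEST = json.dumps({"primaryType": "Mail", "domain": {}, "message": {}})


def _to_int(value) -> int:
    """Typed-data JSON carries uint256 values as ints, decimal strings or hex strings."""
    if isinstance(value, int):
        return value
    text = str(value)
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def inspect_permit(raw_json: str, now: int, trusted_spenders: Iterable[str] = ()) -> Dict:
    """Return the permit's fields plus a list of findings worth warning the signer about.

    now is the current Unix time; trusted_spenders are contracts the user knowingly uses.
    """
    data = json.loads(raw_json)
    if data.get("primaryType") != "Permit":
        return {"is_permit": False, "findings": []}

    msg = data["message"]
    value = _to_int(msg["value"])
    deadline = _to_int(msg["deadline"])
    spender = msg["spender"].lower()
    findings = []

    # Signing an unlimited value hands over every token the owner holds now or later
    if value == UINT256_MAX:
        findings.append("unlimited_value")
    # A permit that stays valid for days lets the spender wait before calling transferFrom
    if deadline - now > ONE_DAY:
        findings.append("long_deadline")
    # A spender the user has no relationship with is the core of this scam
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append("unknown_spender")

    return {
        "is_permit": True,
        "token": data["domain"].get("verifyingContract", "").lower(),
        "owner": msg["owner"].lower(),
        "spender": spender,
        "value": value,
        "deadline": deadline,
        "findings": findings,
    }


if __name__ == "__main__":
    import time
    print(inspect_permit(SAMPLE_PERMIT_REQUEST, now=int(time.time()))["findings"])
```

Because the permit is signed off-chain, none of these fields are visible in the owner's transaction history; the only moment to catch them is in the wallet's signature prompt, which is exactly the "additional" request the victim clicked through. A wallet or browser extension that surfaces the three findings above in plain language gives the user the approval-style warning that a plain message signature otherwise lacks.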
This may explain how the attacker was able to drain the funds without tricking the owner into a conventional token approval. It does indicate, however, that the attacker tricked the owner into signing a message. When confronted with this evidence, the victim said he had tried connecting to the site a second time. This time he noticed an additional signature request, which he must have accepted the first time without realizing it.
The permit function appears to be a relatively new feature of some token contracts. It is being implemented as part of the ERC-2612 standard to allow transactions from wallets that do not hold ETH. Web3 developer OpenZeppelin describes its functionality this way:
“[It] can be used to change an account's ERC20 allowance (see IERC20.allowance) by presenting a message signed by the account. By not relying on IERC20.approve, the token holder's account does not need to send a transaction, and thus never needs to hold Ether.”
Over time, this feature should allow wallet developers to create user-friendly wallets that hold only stablecoins. However, a Cointelegraph investigation found that fraudsters are already using it to trick users into handing over their funds. Web3 users should be aware that an attacker can drain their funds even without an approval transaction, as long as the user signs a message granting the attacker that ability.
Related: Apple Still Hasn't Removed Fake Rabby Wallet App As Users Report It's Leaking
Cointelegraph contacted the Collab.Land team for comment. The developers confirmed that the bot and website involved in this attack are not connected to the real Collab.Land protocol. Once informed of the scam, the project's team reported it to Telegram.