The safety and security of assets heavily make a difference in how much money the users make from their investments. And so here’s a security blog to stay aware and informed in Web3.
Cryptocurrencies are known for their volatility. That tells how much the asset’s price is influential in making investment decisions. There’s a catch for hackers to play with the prices and trick users for their gains.
Anyone who is a die-hard crypto investor would have faced a situation wherein crypto token prices are manipulated to create an illusion of pessimism or optimism. This would prompt users to buy them and later find they have fallen for spoofing.
So, what is spoofing? How to identify them and stay mindful to avoid seeing your money disappear in thin air? We shall have it all covered up in this blog.
‘Spoofing’ – In A Nutshell
A widely anticipated token with so much hype that the user is awaiting to buy is finally launched, bearing the same symbol and official logo. And with great excitement, the user wants to buy them.
But how is the user convinced of the authenticity of the tokens and proceeds to make a bulk purchase of them?
The user finds on the block explorer that the addresses associated with the token transfers are influencers/acclaimed personalities.
Here’s where the hacker manipulated the From address of the token, making it look like it is linked to a well-known influencer’s address. Seeing this, the users fondly engage in trading those tokens believing them to be the original ones.
Behind the scenes – How The Hacker Did This?
The transfer data in smart contracts can be easily modified. Therefore, by utilizing this, the attacker would change the From address to any other, though he/she is the one who initiates the transaction.
Let’s look at the token transfer in Etherscan for better clarity of spoof token transfers.
In this you can see Vitalik’s address 0xab5801a7d398351b8be11c439e05c5b3259aec9b has received zkSync tokens.
The tokens might be transferred from anyone to Vitalik’s address, which is no big deal.
But, in this, you can see that Vitalik sends out the tokens. So, this would lure users into thinking these tokens sent by Vitalik would be a real jackpot.
But that’s not true! Let’s find out what lies ahead!
Vitalik did not initiate the transfer, but the owner of the contract who initiated the transaction made it appear to have been sent by Vitalik. This is where the block explorer is spoofed to display the manipulated transaction, as the block explorer can only read events.
This can be found by looking into the transaction details, which clearly shows the initiator address (0x46e7cefdfa7513d19261d1afa7ec04c13e7acefc) proceeded with the transaction manipulating it to have been done by Vitalik.
On taking a closer look, you can find the input data is fed with Vitalik’s address. This can also be hard coded in the contract.
Further, on decompiling, we can find a non-standard transfer function which takes the input for From address and initiates the transfer event. And this is where the contract owner has entered Vitalik’s address to make it look like he is doing the transfer.
The Mishaps in Token Transfer
Here’s how the user mistakes the From address to be the address of the transaction initiator. The spoofing trick works to launch successful attacks on the user by leveraging the ERC-20 token’s design standard and Block explorer’s transparent data display.
The ERC-20 standard’s transfer and transferFrom functions facilitate adding any arbitrary address as the sender of tokens and that the From address is changed from the contract’s initiator address.
Block explorers like Etherscan display the From address rather than the tx initiator address, which results in the user bagging the valueless tokens.
Any Recent Event Of Spoof Token Spam?
The recent announcement of Ukraine’s “airdrop” for rewarding cryptocurrency donations by the user was posted on the Twitter handles.
Source: Ukraine / Україна on Twitter: “Airdrop confirmed. Snapshot will be taken tomorrow, on March 3rd, at 6pm Kyiv time (UTC/GMT +2 hours). Reward to follow! Follow subsequent news re Ukraine’s crypto donation campaign at @FedorovMykhailo” / Twitter
Soon after, Ethereum’s block explorer Etherscan displayed Ukraine’s official wallet holding 7 billion “Peaceful World” tokens for the secret crypto airdrop.
There were also activities from Ukraine’s official wallet sending tokens to the crypto wallet address that donated to Ukraine’s funds.
But there were no details of the official airdrop event following the initial post from the authorities(as in token type or the number of tokens to be launched, etc.)
Later, blockchain analysts confirmed that the peaceful world (WORLD) tokens might be a spoof, and Etherscan tagged them as “misleading” and marked them as spam.
This instance shows how Ukraine’s wallet address is being used to launch a fake airdrop– an instance of token spoofing.
How To Avoid Buying Spoof Tokens?
The best way is to dig into the transaction details and look into whether the From address and the initiator address of the token transfer is the same.
Although not all the token transfers initiated from different addresses can be necessarily a spoof, using the ‘Token ignore list’ feature in EtherScan that lists the suspicious token in this category, users can stay alert and be watchful of the tokens they interact with.
QuillAudits In Web3 Security
QuillAudits is a leading security firm offering protection to established and growing ventures by providing smart contract audit and due diligence services to stay vigilant against web3 hacks.
Get in touch with our experts for a free consultation in just under 10mins: