Blog

Understanding Spoof Tokens and How to Avoid Being Coaxed

spoof tokens

Table of Contents

Read Time: 5 minutes

The safety and security of assets heavily make a difference in how much money the users make from their investments. And so here’s a security blog to stay aware and informed in Web3.

Cryptocurrencies are known for their volatility. That tells how much the asset’s price is influential in making investment decisions. There’s a catch for hackers to play with the prices and trick users for their gains. 

Anyone who is a die-hard crypto investor would have faced a situation wherein crypto token prices are manipulated to create an illusion of pessimism or optimism. This would prompt users to buy them and later find they have fallen for spoofing

So, what is spoofing? How to identify them and stay mindful to avoid seeing your money disappear in thin air? We shall have it all covered up in this blog. 

‘Spoofing’ – In A Nutshell

A widely anticipated token with so much hype that the user is awaiting to buy is finally launched, bearing the same symbol and official logo. And with great excitement, the user wants to buy them.

But how is the user convinced of the authenticity of the tokens and proceeds to make a bulk purchase of them? 

The user finds on the block explorer that the addresses associated with the token transfers are influencers/acclaimed personalities. 

Here’s where the hacker manipulated the From address of the token, making it look like it is linked to a well-known influencer’s address. Seeing this, the users fondly engage in trading those tokens believing them to be the original ones. 

Behind the scenes – How The Hacker Did This?

The transfer data in smart contracts can be easily modified. Therefore, by utilizing this, the attacker would change the From address to any other, though he/she is the one who initiates the transaction.

Let’s look at the token transfer in Etherscan for better clarity of spoof token transfers. 

In this you can see Vitalik’s address 0xab5801a7d398351b8be11c439e05c5b3259aec9b has received zkSync tokens. 

The tokens might be transferred from anyone to Vitalik’s address, which is no big deal. 

But, in this, you can see that Vitalik sends out the tokens. So, this would lure users into thinking these tokens sent by Vitalik would be a real jackpot. 

But that’s not true! Let’s find out what lies ahead!

Vitalik did not initiate the transfer, but the owner of the contract who initiated the transaction made it appear to have been sent by Vitalik. This is where the block explorer is spoofed to display the manipulated transaction, as the block explorer can only read events. 

This can be found by looking into the transaction details, which clearly shows the initiator address (0x46e7cefdfa7513d19261d1afa7ec04c13e7acefc) proceeded with the transaction manipulating it to have been done by Vitalik.  

On taking a closer look, you can find the input data is fed with Vitalik’s address. This can also be hard coded in the contract.

Further, on decompiling, we can find a non-standard transfer function which takes the input for From address and initiates the transfer event. And this is where the contract owner has entered Vitalik’s address to make it look like he is doing the transfer.

The Mishaps in Token Transfer

Here’s how the user mistakes the From address to be the address of the transaction initiator. The spoofing trick works to launch successful attacks on the user by leveraging the ERC-20 token’s design standard and Block explorer’s transparent data display. 

The ERC-20 standard’s transfer and transferFrom functions facilitate adding any arbitrary address as the sender of tokens and that the From address is changed from the contract’s initiator address. 

Block explorers like Etherscan display the From address rather than the tx initiator address, which results in the user bagging the valueless tokens. 

Any Recent Event Of Spoof Token Spam?

The recent announcement of Ukraine’s “airdrop” for rewarding cryptocurrency donations by the user was posted on the Twitter handles.

Source: Ukraine / Україна on Twitter: “Airdrop confirmed. Snapshot will be taken tomorrow, on March 3rd, at 6pm Kyiv time (UTC/GMT +2 hours). Reward to follow! Follow subsequent news re Ukraine’s crypto donation campaign at @FedorovMykhailo” / Twitter

Soon after, Ethereum’s block explorer Etherscan displayed Ukraine’s official wallet holding 7 billion “Peaceful World” tokens for the secret crypto airdrop. 

There were also activities from Ukraine’s official wallet sending tokens to the crypto wallet address that donated to Ukraine’s funds. 

But there were no details of the official airdrop event following the initial post from the authorities(as in token type or the number of tokens to be launched, etc.)

Later, blockchain analysts confirmed that the peaceful world (WORLD) tokens might be a spoof, and Etherscan tagged them as “misleading” and marked them as spam. 

This instance shows how Ukraine’s wallet address is being used to launch a fake airdrop– an instance of token spoofing

How To Avoid Buying Spoof Tokens?

The best way is to dig into the transaction details and look into whether the From address and the initiator address of the token transfer is the same.

Although not all the token transfers initiated from different addresses can be necessarily a spoof, using the ‘Token ignore list’ feature in EtherScan that lists the suspicious token in this category, users can stay alert and be watchful of the tokens they interact with. 

QuillAudits In Web3 Security 

QuillAudits is a leading security firm offering protection to established and growing ventures by providing smart contract audit and due diligence services to stay vigilant against web3 hacks. 

Get in touch with our experts for a free consultation in just under 10mins: 

https://t.me/quillaudits_official

495 Views

Related Articles

View All

Leave a Comment

Your email address will not be published. Required fields are marked *

Trending

Before we loose you with the depth of work we have done under this series,
we would like to invite to our Community3.0_IRL_Blr meetup happening this Sunday, 4th Dec at 12 PM.

NO ONE DIG DEEP THE COMMUNITY LIKE WE DO💪

RSVP now- https://lu.ma/Community3.0_IRL_Bangalore_CFK

We are delighted to announce that our #smartcontract audit from @QuillAudits is now complete.

The premier #Web3 due diligence application has secured its own due diligence!

Full details are attached below👇

gm fam 🫶

on the eve of the Epic Web3 Summit we'd like to express the gratitude to our wonderful partners that we've got so far.

special thanks to those who's got our back:

@metaintro
@inxy_io
@QuillAudits
@Crypto_Runner
@degoverned

⭐️ DM if you wanna partner up with us!

#WAGSI🛡️
In 2022, bridge🌉 hacks resulted in the theft of more than $1.3 billion🤯

👉Here are the top 6 #DeFi Cross-Chain Bridge Attacks of 2022

Like❤️, RT🔁 & Follow @QuillAudits for more updates.

#Web3 #Blockchain #blockchainsecurity #samrtcontractaudit #Hacks

Load More

Amidst FTX Saga, Hacker Swept More Than $25 Million in 2nd week of November

The contract reinvested (the earn function was not called) before the user pledged (depositAll function) without settling the reward, which means that when the user pledged, the contract did not settle the previous reward and instead conducted a new investment.

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:

1

Refer QuillAudits to Web3 projects for audits.

2

Earn rewards as we conclude the audits.

3

Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $190K+