Due to the properties of the blockchain, if assets are stolen, there is practically no way to retrieve them, making security one of the most challenging concerns in the crypto world.
Did you find these anomalies?
There may be an unrecognized transaction from your wallet, such as sending or receiving 0 USDT or another quantity of tokens you never bought, swapped, or expected as an airdrop.
Similar to the airdrop, the transaction has no negative effect on your wallet. The scammer’s objective is to incorporate their address into your transaction history so that you will, at some point, copy their wallet address when sending a real transaction. This is known as Address Poisoning.
How should we protect our assets?
- Confirm the address carefully before each transfer. When two addresses share the same first and last characters, it's easy to copy and paste the wrong one.
- Avoid copying an address from your transaction history before each transfer. The history can contain many almost identical addresses meant to confuse you.
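The two checks above can be automated before a transfer is signed. The following is an added example, not code from the original article: it compares a destination against an address book verified outside the transaction history and flags history entries that match a trusted address only at the first and last characters. The addresses, the 4-character comparison window and all function names are assumptions made for illustration.

```javascript
// Added example; every address and history row below is constructed sample data.
const EDGE = 4; // hex characters compared at each end (assumed display window)

function normalize(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error(`bad address: ${addr}`);
  return addr.slice(2).toLowerCase(); // EIP-55 case is a checksum, not identity
}

// Different addresses whose first and last EDGE hex characters are identical.
function looksAlike(a, b, edge = EDGE) {
  const x = normalize(a), y = normalize(b);
  return x !== y && x.slice(0, edge) === y.slice(0, edge) && x.slice(-edge) === y.slice(-edge);
}

// Pre-send check against an address book verified outside the transaction history.
function checkDestination(dest, trusted) {
  if (trusted.some((t) => normalize(t) === normalize(dest))) return "ok";
  return trusted.some((t) => looksAlike(t, dest)) ? "lookalike" : "unknown";
}

// Scan token transfers touching `wallet` for counterparties imitating a trusted address.
function findPoisoning(wallet, history, trusted) {
  const findings = [];
  for (const tx of history) {
    const other = normalize(tx.from) === normalize(wallet) ? tx.to : tx.from;
    if (checkDestination(other, trusted) !== "lookalike") continue;
    findings.push({
      address: other,
      mimics: trusted.find((t) => looksAlike(t, other)),
      zeroValue: BigInt(tx.value) === 0n, // 0-token transfers are a common bait
    });
  }
  return findings;
}

const WALLET = "0x" + "1".repeat(40);
const TRUSTED = "0xa1b2" + "0".repeat(32) + "c3d4"; // verified recipient
const POISON = "0xa1b2" + "f".repeat(32) + "c3d4"; // same ends, different middle
const STRANGER = "0x" + "2".repeat(40);
const HISTORY = [
  { from: WALLET, to: TRUSTED, value: "2500000000" }, // genuine payment
  { from: WALLET, to: POISON, value: "0" }, // planted 0-token transfer
  { from: STRANGER, to: WALLET, value: "100" }, // unrelated incoming transfer
];

console.log(findPoisoning(WALLET, HISTORY, [TRUSTED]));
console.log(checkDestination(POISON, [TRUSTED]));
```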
Do you understand your behavior?
If you don’t know what you’re doing with every on-chain interaction or signature you make, your assets might be at risk. You frequently review your transaction history on BSCScan, but do you understand the distinctions between these two methods?
Here is a very detailed introduction to Transfer and Transfer From.
Transfer indicates that A sent tokens to B; the transaction took place directly between addresses A and B. When B is a contract, however, the method used is Transfer From. Although A granted B approval, the transfer did not occur (it was more like A writing a cheque to B).
This process has opened the door to a new kind of theft. When your wallet falls victim to a signature phishing trap, the hacker obtains your signature. They then use other contracts that you have signed to move your assets.
Typically, wallet assets are taken when we reveal our private key or click on a scam link. Recently, another method of theft has become widespread on the market. This method moves your assets with your permission. Scammers can DECEIVE YOU INTO GIVING THEM ACCESS TO YOUR WALLET by convincing you to reveal your passphrase or by luring you to interact with a token or website where you will authorize contract permissions that remove assets from your wallet. For example:
How should we protect our assets?
1. Don’t approve an excessive number of tokens for any contract. Only approve the number of tokens needed for one transfer. Just click Use default.
2. Periodically revoke your approvals. https://revoke.cash/
3. Some protocols iterate on token approval and unified token management, such as Permit2.
Make sure to use regular DApps and keep as much control as possible over how many tokens are approved for contracts. Use tools to check permissions often.