With the development of Web3.0 technology, various attack methods such as Approval Phishing, Uniswap Permit2 Phishing, Claim Phishing and Modal Phishing have emerged. In response to these attacks, this article will detail how to identify and prevent these attacks to help users protect the security of their cryptocurrency assets.
Written by: Salus Insights
What is web3 phishing
Web3 phishing is a form of online deception that targets cryptocurrency users: attackers create fake websites disguised as official ones to steal users' authorizations, signatures and cryptocurrency assets. As Web3.0 technology develops, new Web3 phishing scams keep emerging. Below we introduce four newer Web3 phishing attack methods: Approval phishing, Uniswap Permit2 phishing, Claim phishing and Modal phishing. We also provide effective measures to help users identify and prevent them: preventive measures against Approval phishing, identifying the signature in Permit2, preventing Claim phishing attacks and preventing Modal phishing attacks.
1. Approval call attack
Most Web3 phishing attacks are related to the approve and increaseAllowance operations. Attackers deceive users into performing approval actions through forged emails or messages, fake websites or applications, social engineering, and malicious advertisements or pop-ups. Users therefore need to revoke unnecessary authorizations, but note that revoking authorization can itself be exploited by phishers.
How does an authorization-revocation phishing attack happen?
- The attacker deploys a fake ERC-20 token contract with a modified approve function;
- The attacker forges authorizations for a large number of on-chain addresses and then reminds those users to cancel the authorization;
- When the user receives the reminder and clicks to cancel the authorization, a transaction is sent. This transaction causes the token to be minted into the contract deployer's wallet.
increaseAllowance authorization phishing transaction link
https://arbiscan.io/tx/0xd598336fac79123952319c9cd9cc62aa275162ce5f39d08ccac0c5e6ef0538e5
"Revoke authorization" phishing transaction link https://etherscan.io/tx/0xd4d606caddebf185dc6902ffcec78f3cc915826e1c0e37319d407d01681980ab
2. Uniswap permit2 phishing attack
Uniswap Permit2 allows token authorizations to be shared and managed across different applications. Users complete the authorization and the transaction in a single transaction, which reduces gas costs and simplifies the operation. However, Permit2 turns the user's authorization step into an off-chain signature. For users, an off-chain signature is the step where they most easily let down their guard: the vast majority do not carefully check the content of the signature, and do not understand what it means.
How does the Uniswap permit2 signature phishing attack occur?
- The crucial prerequisite is that the user has authorized the Permit2 contract to spend their tokens; from that point on, any signature the user produces for Permit2 is exposed to the risk of phishing scams.
- The hacker obtains the user's signature. Based on this signature, the hacker performs the permit and transferFrom operations in the Permit2 contract to transfer the user's assets.
- The hacker calls the permit function, which mainly calls the verify function and the _updateApproval function. verify checks the user's signature; once the check passes, _updateApproval updates the authorization values.
- The authorized party can then call the transferFrom function to transfer the token to a specified address within the authorization limit.
Permit2 Phishing Transaction Link
https://etherscan.io/tx/0x1d8fa25f8f16d52cd4c5716e0cefd9b1cdbbbc060901cea223bab9de79b17ea3
3. Claim phishing attack
Claim phishing attacks trick users into providing personal information, login credentials or access permissions by forging requests from a trusted entity. These Claim phishing contracts usually use addresses that resemble the zero address to win users' trust and then drain their crypto assets.
How do Claim phishing attacks occur?
- Phishers deploy scam contracts and hub contracts, and create EOAs to receive stolen user funds. Scam contracts are able to steal users' ETH, ERC-20 tokens and NFTs. The scam contract is not open source, but judging from on-chain transaction data it mainly contains two functions, Claim and Multicall.
- When the Claim function is called, the token held by the victim will be transferred to the hub contract in an internal transaction.
- The Multicall function is used to transfer tokens that have been approved by the victim.
- The hub contract serves as a collection point for funds stolen from various scam contracts. The EOA created by the phisher can call the withdraw function in the hub contract to withdraw funds.
claim phishing transaction link
https://etherscan.io/tx/0xfe70f1b0a92e719bff0d291b7a79987e6e93ed129d52be8e8918c2b9acb1f3b0
4. Modal phishing attack
Certain user interface (UI) elements of Web3.0 cryptocurrency wallets can be controlled by attackers to conduct phishing attacks. This attack method is called Modal Phishing. A typical modal in a Web3.0 cryptocurrency wallet presents the information the user needs to check a request such as a signature, together with buttons to approve or deny the request.
Let's take the MetaMask wallet as an example of how a modal phishing attack occurs:
- The phisher deploys a phishing smart contract with a payable SecurityUpdate function that lets the victim transfer funds to the smart contract;
- The phisher also uses SignatureReg to register the SecurityUpdate function signature as the human-readable string "SecurityUpdate";
- The victim connects the MetaMask wallet to the above phishing smart contract;
- MetaMask parses this phishing smart contract and uses the function signature bytes to look up the corresponding method name, which is "SecurityUpdate";
- "SecurityUpdate" is presented in the MetaMask modal, asking the user for confirmation. The user clicks the "SecurityUpdate" button and the phishing succeeds: the phisher's smart contract is executed and the victim's funds are transferred to it.
How to avoid web3 phishing attacks
1. Preventive measures against approval phishing
If we understand exactly what an authorization operation does, and query our authorization information and cancel authorizations through the correct channels, we can effectively avoid phishing scams involving approve, increaseAllowance and authorization revocation.
The following content can help users understand the specific content of authorization operations:
When approving, users need to consider the authorization amount, authorization currency and authorization address. By specifying the authorization amount and currency, users can limit the amount of assets that the authorized party can transfer from their account, preventing authorization of currencies unrelated to this interaction. Users also need to carefully check the authorized address and verify the address through multiple channels to ensure that the authorization is given to the correct address.
- Before formal authorization, users can simulate authorization transactions in the corresponding token contract to obtain authorization information.
- Find authorization-related functions such as approve, increaseAllowance or decreaseAllowance, fill in the corresponding parameters and simulate an authorization transaction.
- After simulating authorization, you can see the specific information of the simulated transaction on Phalcon. From the Input Data, you can see the authorization address and authorization amount.
If the above results are what the user expects, formal authorization can be performed.
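Reading the Input Data by hand is error-prone. The following Python snippet is an added example (not code from Salus Insights, Phalcon or any explorer): it decodes approve/increaseAllowance/decreaseAllowance calldata into spender and amount and flags an unlimited allowance, a spender that differs from the one you intended, and the zero-padded look-alike addresses this article describes for Claim phishing contracts. The selectors are the standard ERC-20 ones; the "0000" padding rule and the expected-spender check are assumptions about what a user wants to verify.

```python
"""Decode ERC-20 allowance calldata and check spender and amount before signing."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional

# 4-byte selectors of the allowance-changing ERC-20 functions named in the article.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a457c2d7": "decreaseAllowance(address,uint256)",
}
UINT256_MAX = 2**256 - 1


@dataclass
class ApprovalCall:
    function: str
    spender: str
    amount: int
    warnings: List[str] = field(default_factory=list)


def looks_like_vanity_address(addr: str) -> bool:
    """Zero-padded at both ends: the look-alike pattern of the Claim phishing contracts (assumed rule)."""
    body = addr.lower().removeprefix("0x")
    return len(body) == 40 and body.startswith("0000") and body.endswith("0000")


def format_amount(amount: int, decimals: int) -> str:
    if amount == UINT256_MAX:
        return "unlimited"
    return str(Decimal(amount) / Decimal(10**decimals))  # raw units -> whole tokens


def decode_approval(calldata: str, expected_spender: Optional[str] = None) -> ApprovalCall:
    """Split Input Data into selector, spender and amount; flag anything a user should question."""
    data = calldata.lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    if selector not in SELECTORS:
        raise ValueError(f"selector 0x{selector} is not an allowance-changing call")
    if len(args) != 128:
        raise ValueError("expected two 32-byte ABI words after the selector")
    spender = "0x" + args[24:64]  # an address is right-aligned in its 32-byte word
    amount = int(args[64:128], 16)
    call = ApprovalCall(SELECTORS[selector], spender, amount)
    if amount == UINT256_MAX:
        call.warnings.append("unlimited allowance")
    if looks_like_vanity_address(spender):
        call.warnings.append("spender uses the 0000...0000 look-alike pattern")
    if expected_spender and spender != expected_spender.lower():
        call.warnings.append("spender differs from the address you intended to authorize")
    return call
```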
The following are the specific steps for tracking authorization information on the chain and revoking authorization information:
After completing an authorization, the user can regularly track the token approval status and revoke authorizations when needed. The Etherscan, BscScan and Polygonscan blockchain explorers provide a token approval checker for this purpose.
- Enter an address to view its historical authorization transactions. The Revoke button on the right of each transaction revokes that authorization.
- In the retrieved authorization transaction, you can view the authorization currency, authorization address and authorization amount.
2. Identify the signature in permit2
If we can understand, identify and carefully check the specific content of the signature, we can effectively avoid permit2 phishing scams.
The signature format usually contains the key fields Owner, Spender, value, nonce and deadline, which respectively refer to:
1. Owner: the address of the token holder, i.e. the address granting the authorization through the signature.
2. Spender: the address authorized to use the tokens, i.e. the address you wish to authorize.
3. value: the number of tokens you want to authorize; you can specify the exact amount that Spender may use.
4. nonce: a transaction counter for the token holder, used to ensure that each authorization has a unique identifier.
5. deadline: the time until which the signature is valid; after expiration the signature becomes invalid.
We recommend that users set specific values and deadlines according to their own needs instead of choosing the default maximum value.
Before calling the Uniswap permit2 contract, users can simulate the relevant authorization functions to understand the authorization details. Click the Simulate button.
Select the approve function, fill in the following parameters, and simulate the user authorizing the permit2 contract.
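As an added example (not code from the article or from Uniswap), this Python checker walks an eth_signTypedData_v4 request shaped like Permit2's PermitSingle and flags the three things the article tells users to check before signing: a spender they did not choose, an amount set to the type maximum, and an expiration or deadline far in the future. The domain and token addresses are placeholders, and the 30-day window and trusted-spender set are assumed policy.

```python
"""Review the spender, amount and deadline fields of a Permit2-style EIP-712 signing request."""
from typing import Dict, List, Set

UINT48_MAX = 2**48 - 1
UINT160_MAX = 2**160 - 1
UINT256_MAX = 2**256 - 1
MAX_WINDOW = 30 * 24 * 3600  # assumed policy: flag deadlines more than 30 days out


def make_request(spender: str, amount: int, expiration: int, sig_deadline: int) -> Dict:
    """Build a constructed eth_signTypedData_v4 payload shaped like Permit2's PermitSingle."""
    return {
        "domain": {"name": "Permit2", "chainId": 1,
                   "verifyingContract": "0x1111111111111111111111111111111111111111"},  # placeholder
        "primaryType": "PermitSingle",
        "message": {
            "details": {"token": "0x2222222222222222222222222222222222222222",  # placeholder token
                        "amount": str(amount), "expiration": str(expiration), "nonce": "0"},
            "spender": spender,
            "sigDeadline": str(sig_deadline),
        },
    }


def collect(obj, names: Set[str], found=None) -> Dict[str, str]:
    """Gather every key (case-insensitive) in `names` from a nested EIP-712 message."""
    found = {} if found is None else found
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key.lower() in names:
                found[key] = value
            collect(value, names, found)
    return found


def review_permit_request(typed_data: Dict, trusted_spenders: Set[str], now: int) -> List[str]:
    """Return warnings for the spender, amount and deadline fields; an empty list means nothing flagged."""
    msg = typed_data["message"]
    trusted = {s.lower() for s in trusted_spenders}
    warnings = []
    for key, spender in collect(msg, {"spender"}).items():
        if spender.lower() not in trusted:
            warnings.append(f"{key} {spender} is not a contract you chose to authorize")
    for key, raw in collect(msg, {"value", "amount"}).items():
        if int(raw) in (UINT160_MAX, UINT256_MAX):
            warnings.append(f"{key} is the type maximum: an unlimited allowance")
    for key, raw in collect(msg, {"deadline", "sigdeadline", "expiration"}).items():
        if int(raw) > now + MAX_WINDOW:
            warnings.append(f"{key} is more than 30 days in the future or never expires")
    return warnings
```

Run the checker on every signing prompt a dApp raises and refuse to sign while the list is non-empty; a legitimate swap needs a known spender, a bounded amount and a short deadline.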
3. Prevent Claim phishing attacks
To avoid falling into a Claim phishing trap, we need to recognize phishing contract addresses. They often disguise themselves as the zero address to relax users' vigilance. Listed below are some scam contracts used for Claim phishing. When trading, pay attention to addresses that begin and end with "0000".
https://etherscan.io/address/0x0000b514c923f55180fc12428e05695666620000
https://etherscan.io/address/0x0000438e0f00fc35dff19d0062608057a1d20000
https://etherscan.io/address/0x0000a4998724e52f0886edff693aca33f9900000
https://etherscan.io/address/0x000062accd1a9d62ef428ec86ca3dd4f45120000
https://etherscan.io/address/0x000038f1e0c4417a3650c3f9a9a920b2e52e0000
https://etherscan.io/address/0x000056c346441ef8065e56b0cddd43fdec100000
The essence of a Claim phishing attack is to obtain the user's token authorization, so we still need to pay attention to the authorization situation at all times.
4. Prevent modal phishing attacks
The root cause of modal phishing attacks is that the wallet application does not thoroughly verify the legitimacy of the presented UI elements. To avoid this kind of phishing attack, developers of wallet applications should always assume that incoming data from the outside is not trustworthy. Users can also check their signature information and authorization information as described above.
Summary
In summary, we have introduced four new Web3 phishing attack methods in detail and provided corresponding identification and preventive measures. In addition to increasing users' vigilance, we also recommend that users have an in-depth understanding of authorization and signature related content, regularly check their authorization status, and revoke unnecessary authorizations in a timely manner. Additionally, we emphasize the importance of not signing haphazardly to prevent attackers from obtaining our signatures and misusing them.