In recent times, fraudsters have become more sophisticated in their methods, exploiting legitimate blockchain protocols to steal cryptocurrency from unsuspecting users. This article, based on research by Dikla Barda, Roman Ziakin, and Oded Vanunu from Check Point’s Threat Intel blockchain system, dives into the intricate ways scammers manipulate platforms like Uniswap and Safe.global.
Uniswap Protocol: Uniswap, launched in 2018, is the most popular decentralized exchange for swapping cryptocurrency tokens. It has over $1.8 trillion in trading volume and is the fifth largest application on Ethereum with over $4 billion in total value locked (TVL). The scam involves embedding malicious activities within the multicall aggregate function on Uniswap V3 contracts. This function allows multiple transactions in a single call, making it easier for scammers to disguise their true intentions.
Safe.global: Safe.global (formerly Gnosis Safe) is a smart contract wallet with 69 million transactions and $100 billion in total assets. Attackers exploit the GnosisSafeProxy contract to create seemingly legitimate contracts for fraudulent schemes. This manipulation enhances their credibility and makes detection challenging.
The Technical Side: When users receive a transaction request from an address like 0x5BA1e12693Dc8F9c48aAD8770482f4739bEeD696, they might see it as legitimate because it’s associated with Uniswap. The aggregate function in the multicall Uniswap contract allows attackers to perform multiple operations, including fund transfers from victims’ wallets. Unsuspecting users might approve transactions thinking they are standard, thus granting permission for asset transfers directly to the attackers.
Real-Life Example: In one observed case, the Uniswap v3 multicall contract was used to execute the transferFrom function, allowing scammers to withdraw funds from a victim’s wallet. The attacker first obtains the victim’s approval to withdraw funds, then uses the aggregate function to transfer the victim’s money to the attacker’s own wallet.
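The following added example, which is not code from the Check Point research, shows how a monitoring tool can decode the calldata of a Multicall `aggregate((address,bytes)[])` call and flag inner `transferFrom` calls that move tokens out of an account other than the transaction sender. The function names, the sender-mismatch heuristic and the sample addresses are assumptions constructed for illustration.

```python
AGGREGATE = bytes.fromhex("252dba42")      # selector of aggregate((address,bytes)[])
TRANSFER_FROM = bytes.fromhex("23b872dd")  # selector of transferFrom(address,address,uint256)

def word(buf, off):
    """Read one 32-byte big-endian ABI word, rejecting out-of-range offsets."""
    if off + 32 > len(buf):
        raise ValueError("truncated calldata")
    return int.from_bytes(buf[off:off + 32], "big")

def decode_aggregate(calldata):
    """Return [(target_address, inner_calldata)] from an aggregate() call."""
    if calldata[:4] != AGGREGATE:
        raise ValueError("not an aggregate() call")
    args = calldata[4:]
    arr = word(args, 0)                          # offset of the dynamic array
    count, base = word(args, arr), arr + 32      # element offsets start after the length
    calls = []
    for i in range(count):
        tup = base + word(args, base + 32 * i)   # tuple offset is relative to base
        data_at = tup + word(args, tup + 32)     # bytes offset is relative to the tuple
        length = word(args, data_at)
        if data_at + 32 + length > len(args):
            raise ValueError("truncated inner call")
        calls.append((args[tup + 12:tup + 32], args[data_at + 32:data_at + 32 + length]))
    return calls

def flag_third_party_transfers(calldata, tx_sender):
    """Flag inner transferFrom calls whose source account is not the sender (heuristic)."""
    hits = []
    for token, data in decode_aggregate(calldata):
        if data[:4] == TRANSFER_FROM and len(data) >= 100:
            src, dst = data[16:36], data[48:68]
            if src != tx_sender:
                hits.append({"token": token.hex(), "from": src.hex(),
                             "to": dst.hex(), "amount": word(data, 68)})
    return hits

# --- constructed sample (placeholder addresses, not real accounts) ---
def u(n): return n.to_bytes(32, "big")
def addr(a): return b"\0" * 12 + a
TOKEN, HOLDER, CALLER = (bytes.fromhex(x * 20) for x in ("aa", "bb", "cc"))
inner = TRANSFER_FROM + addr(HOLDER) + addr(CALLER) + u(1_000_000)
inner_padded = inner + b"\0" * (-len(inner) % 32)
SAMPLE = (AGGREGATE + u(32) + u(1) + u(32)       # array offset, length, tuple offset
          + addr(TOKEN) + u(64) + u(len(inner)) + inner_padded)

if __name__ == "__main__":
    print(flag_third_party_transfers(SAMPLE, CALLER))
```

A hit means the batch spends an allowance that some other account granted earlier, which is the pattern to review before trusting a transaction just because it goes through a well-known contract address.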
Gnosis Safe: The Gnosis Safe framework is also exploited. Attackers establish a legitimate proxy contract and trick victims into approving fraudulent transactions, enabling the Gnosis Safe Proxy contract to manage tokens from the victim’s wallet. They then use the execTransaction function to conduct multiple transactions, bundling them into a single operation via the Safe MultiSend contract.
Safeguarding Your Assets: To protect your digital assets:
- Verify the legitimacy of contracts before approving transactions.
- Avoid blindly accepting transactions, even from trusted sources.
- Perform actions directly from official project websites.
- Be cautious with emails and links on social media.
- Regularly monitor your wallet for unusual activity.
- Stay informed about the latest scams and best practices.
By implementing these measures, you can significantly reduce the risk of falling victim to these advanced scams.