Hackers Steal $60 Million In Cryptocurrencies With Ingenious Hack.


A group of hackers has managed to steal more than $60 million in cryptocurrencies from more than 100,000 users, taking advantage of a vulnerability in the smart contracts of some websites. The attack, which was discovered by cyber research company Scam Sniffer, involves generating fake payment addresses that trick users' wallets into believing they are sending their funds to a legitimate address.

According to the Scam Sniffer report, hackers use the CREATE2 function, which allows the creation of smart contracts with deterministic addresses, that is, they can be predicted from certain parameters. This has some advantages, such as the ability to create smart contracts without deploying them on the blockchain, saving costs and time.

However, it also carries a risk: if someone knows the parameters used to generate the address of a smart contract, they can create another smart contract with the same address but with different code, in what is called an "address collision attack". In this way, when the user connects their wallet to a fake website, which pretends to be an exchange or a DeFi platform, and authorizes a transaction, a payment address different from the original one is generated and the cryptocurrencies are sent to the address controlled by the hackers.

The most surprising thing about this attack is that the most popular wallets, such as MetaMask, do not detect any anomalies or alert the user that it is a malicious transaction. This is because the CREATE2 function is not malicious code in itself, but is used maliciously by hackers. Thus, the transaction appears completely legal and goes unnoticed by security controls.

To avoid this type of vulnerability and falling into these types of scams, it is essential to always verify the addresses of smart contracts before interacting with them and use reliable sources to obtain the correct addresses. It is also useful to use code analysis and auditing tools to detect possible address collisions or malicious code in smart contracts. Also avoid connecting your wallets to websites of dubious origin and use trusted wallets (although I am not going to make the mistake of recommending one as it is a personal decision).

Those responsible for this attack are anonymous hackers; however, it is likely that it will soon be attributed, as always, to North Korea or the Lazarus Group, or perhaps to Chinese or Russian hackers (that's sarcasm), but only time will tell. In any case, it is important that you take steps to protect your assets.
