Binance smart chain and 0 dollars transactions attack

oliver_g

newbie

Activity: 9

Merit: 1

It is now very clearly visible that binance is involved in this is scam according, how they behave.

Quote from binance smart chain support:

Quote

Hello,

After reviewing the case, we have concluded that this was not due to a vulnerability in BSC.

1. The 0 transfer from your address 0xb410e3d622D1072eE3E1cc6cdc90120E657977F7 to scammer’s address 0x27feaafd9b46b74bee510a0a538615d2ff639871 was not a withdrawal but a call to the token contract’s https://bscscan.com/token/0xe9e7cea3dedca5984780bafc599bd69add087d56#writeContract transferFrom function. The transferFrom function does not require the private key of the sender address if the amount is 0. Anyone can call transferFrom with any address + 0 amount in token contract.

Note that this function is not specific to BEP20 but to ERC20 tokens as well. If you check this contract from Etherscan (and other token contracts) https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#writeContract, you will be able to find and call the same transferFrom function.

2. What the scammer has managed to achieve was to use the function to his advantage and target users who would copy the scam address from the previous transactions, trick them into thinking that it was a legit address and make a deposit to it.

We have raised this to our security team to check the possibility of tracking this scammer.
We are also thinking of possible solutions on how we can help users from falling victim.

Quote

Hi, I understand your frustration. I am actually aware of this case, this is not a vulnerability issue, and it is not an issue with Binance Smart Chain itself. It is the way ERC20 was designed, so it is happening on Ethereum and other EVM compatible blockchains as well. I honestly don't think there is anything we can do about it, it is just like a phishing attack on web2, not a vulnerability with the internet but more like a scammer attack on an open network. I would recommend next time making a transfer, specially a large transfer to verify the destination wallet address.

I just no not believe that it is impossible to fix this vulnerability.
People lost their money and binance do nothing, just wisecrack "you must double check deposit address".
Updated statistiks:
https://dune.com/opang/first-and-last-address-construction

Jaered

jr. member

Activity: 840

Merit: 4

This has happened to me before, like 6 months ago. I just copied wallet address from my Metamask transaction history and sent some fantom tokens to it. When I didn’t receive it, I had to double check the wallet address, only to realize it was a fake. Thankfully it wasn't up to $100 worth of tokens

o48o

legendary

Activity: 2856

Merit: 1130

Leading Crypto Sports Betting & Casino Platform

Quote from: MikkisJ on December 05, 2022, 06:30:13 PM

-cut-
Because it's a new attack. And there are people discussing it, you just don't even bother to check.
-cut-

I stand corrected, but bothering to check? You didn't provide any links to places where people were discussing about it. zasad@ did, about a week after my post that you are now answering to.

So yes, both of us now know that people are talking about it. I didn't see a reason to apologize afterwards because i was speaking with the information i had at the time and it would just be repeating what zasad@ typed.

MikkisJ

member

Activity: 126

Merit: 11

Quote from: kelonmusk on December 06, 2022, 12:20:58 AM

The OP lacks details explaining the question. According to my analysis, the scenario is like this (correct if you have another opinion):

First, the attacker steals your address's private key. (This is how he gets your token.) This is impossible.

Second, the attacker creates a transaction that transfers all of your tokens to his own address, which is similar to yours. (The attacker has now taken your token without giving you anything in return.)

In the third, the attacker sends a transaction of 0 tokens from your address to his own address. (This is what makes it look like you sent the token to the scammer yourself.)

You have to read other posts in the thread. Your scenario is wrong. The explanation is a few posts above.

Read this
https://bitcointalksearch.org/topic/m.61397716

kelonmusk

member

Activity: 198

Merit: 10

COMBO Network ex COCOS-BCX

The OP lacks details explaining the question. According to my analysis, the scenario is like this (correct if you have another opinion):

First, the attacker steals your address's private key. (This is how he gets your token.) This is impossible.

Second, the attacker creates a transaction that transfers all of your tokens to his own address, which is similar to yours. (The attacker has now taken your token without giving you anything in return.)

In the third, the attacker sends a transaction of 0 tokens from your address to his own address. (This is what makes it look like you sent the token to the scammer yourself.)

MikkisJ

member

Activity: 126

Merit: 11

Quote from: o48o on December 01, 2022, 09:10:02 AM

And please explain to me why i can't find info on something even related to this or why no one is talking about this?

Because it's a new attack. And there are people discussing it, you just don't even bother to check.

Quote

Can you also sign messages with other people's wallets while you are at it?

I told you, only 0 token transaction is possible without your keys. Signing is not possible. Why do you keep asking these stupid questions?

zasad@

legendary

Activity: 1736

Merit: 4270

Finally I found a good explanation for this attack

Address Poisoning Attack, A continuing Threat
https://mirror.xyz/x-explore.eth/cL3d_CyNujXq8XY7ueP4omNXx_IY1EG5Dz0FD0vJ90M
"As of December 2, the number of attacks on the BSC and ETH chains exceeded 290,000 and 40,000, respectively, and the number of independent addresses affected by the attacks exceeded 150,000 and 36,000, respectively."

You can say thank you to the user Ratimov
https://bitcointalksearch.org/topic/someone-sent-erc20-from-my-cold-storage-5425735
You need to be careful and check the addresses more carefully.

oliver_g

newbie

Activity: 9

Merit: 1

Quote from: JunkieMiner on December 02, 2022, 02:13:36 PM

I made a transaction today from my Trustwallet to my MEXC Account of around 300$, after the transaction occurs, at the same time 0 USDT has been transferred from my Trust wallet

Can you give link to your transaction on bscscan?

JunkieMiner

member

Activity: 412

Merit: 10

I made a transaction today from my Trustwallet to my MEXC Account of around 300$, after the transaction occurs, at the same time 0 USDT has been transferred from my Trust wallet account to that MEXC Account, which I had already sent the 300$. Strange! then I checked the transaction that was the same as my MEXC Account.

vv181

legendary

Activity: 1932

Merit: 1273

Interesting and out of mind!

The smart contract token implementation should not make this scenario possible, it is faulty at its finest. Logically, on the first hand, a system should not allow any transactions that is solely based on balance checking as mentioned on the StackExchange:

Quote from: oliver_g on December 02, 2022, 06:21:04 AM

I lost by this vulnerability 100000 dollars.
https://bitcointalksearch.org/topic/i-got-scammed-out-of-100000-dollars-by-fake-0-dollars-withdrawal-on-bsc-5425022

I wonder whether it is the norm to use the last withdrawal transaction address from your wallet. Because beforehand, I could not think of any users who do that. Nevertheless, alas! you are the one who gets scammed because of this faulty mechanism.

oliver_g

newbie

Activity: 9

Merit: 1

I lost by this vulnerability 100000 dollars.
https://bitcointalksearch.org/topic/i-got-scammed-out-of-100000-dollars-by-fake-0-dollars-withdrawal-on-bsc-5425022

MikkisJ

member

Activity: 126

Merit: 11

Quote from: o48o on December 01, 2022, 09:10:02 AM

Quote from: MikkisJ on December 01, 2022, 07:09:53 AM

Those transactions send 0 tokens from possible victims wallets to scammer's wallet. It's possible to send 0 tokens from your address without private keys because the system accepts them because transaction is zero.
-cut-

Ok, i would liket to see anyone proving this as it sounds absurd. Even asking this makes me sound like a fool but:

Can someone make transaction from this address to literally any address without having private key for that address?

And please explain to me why i can't find info on something even related to this or why no one is talking about this? Can you also sign messages with other people's wallets while you are at it?

0 tokens can be sent by anyone. it is discussed here
https://ethereum.stackexchange.com/questions/140214/fake-0-token-transaction-on-bsc

MikkisJ

member

Activity: 126

Merit: 11

This address had USD transaction.
https://bscscan.com/address/0x568ea44e79f404186409fb743e2b25c3ef49426c#tokentxns

Here he sends 2751 dollars to somebody, maybe his second address, or exchange.
https://bscscan.com/tx/0xb5ae05099b8197f1a6dd01d02b27511f23b4ab4625a8356cb92c249fdd8b7b09

The receiver is
0x3A06a19ee040322edF79e259e9830B02a65020b6

Then the scammer sends 0 dollars from 0x568ea44e79f404186409fb743e2b25c3ef49426c. He doesn't have private keys. But because it's 0, the system accepts it.

The scammers sends 0 to his own address
0x2b63c5514da212b24433b7bfe3ccac2b41f020b6

This address is similar to
0x3a06a19ee040322edf79e259e9830b02a65020b6

So then the scammer hopes that the owner of 0x568ea44e79f404186409fb743e2b25c3ef49426c sends to 0x2b63c5514da212b24433b7bfe3ccac2b41f020b6 instead of 0x3a06a19ee040322edf79e259e9830b02a65020b6.

o48o

legendary

Activity: 2856

Merit: 1130

Leading Crypto Sports Betting & Casino Platform

Quote from: MikkisJ on December 01, 2022, 07:09:53 AM

Those transactions send 0 tokens from possible victims wallets to scammer's wallet. It's possible to send 0 tokens from your address without private keys because the system accepts them because transaction is zero.
-cut-

Ok, i would liket to see anyone proving this as it sounds absurd. Even asking this makes me sound like a fool but:

Can someone make transaction from this address to literally any address without having private key for that address?

And please explain to me why i can't find info on something even related to this or why no one is talking about this? Can you also sign messages with other people's wallets while you are at it?

zasad@

legendary

Activity: 1736

Merit: 4270

Quote from: MikkisJ on December 01, 2022, 07:09:53 AM

Those transactions send 0 tokens from possible victims wallets to scammer's wallet. It's possible to send 0 tokens from your address without private keys because the system accepts them because transaction is zero.

If someone can send 0 tokens from my address, then he can reset my wallet, because for each transaction you need to pay a commission.
This is not possible without a private key. I think that you do not understand how blockchain binance works.

Quote from: MikkisJ on December 01, 2022, 07:09:53 AM

The scammer creates address that is similar to address you sent tokens to. For example if you send 1000 Tether USD to you binance address ending with 12345, then the attacker send a minute later 0 Tether USD from your address to his address that looks like your binance address, it also ends with 12345. Scammer hopes you copy paste his address from bscscan and he hopes you send to his address instead of your binance address.

I chose a random address, try sending 0 tokens from this wallet.
https://bscscan.com/address/0xbc5703a67df4a335bbd7d2fb163d37ac5799268c

MikkisJ

member

Activity: 126

Merit: 11

Those transactions send 0 tokens from possible victims wallets to scammer's wallet. It's possible to send 0 tokens from your address without private keys because the system accepts them because transaction is zero.

The scammer creates address that is similar to address you sent tokens to. For example if you send 1000 Tether USD to you binance address ending with 12345, then the attacker send a minute later 0 Tether USD from your address to his address that looks like your binance address, it also ends with 12345. Scammer hopes you copy paste his address from bscscan and he hopes you send to his address instead of your binance address.

vv181

legendary

Activity: 1932

Merit: 1273

As others have said, it is very unlikely to create a transaction without the address private key or prior interaction without a smart contract. I also don't see which address that mentioned being similar, maybe anyone could point me to any of it?

For the latter part, it makes no sense if the user truly intended to send or receive some token over some platform address, they won't be copying directly from the transaction history parts.

You should elaborate more if you suspect this is an attack and detail the process of how the user could get scammed.

abel1337

legendary

Activity: 2464

Merit: 1145

FOCUS

Just like others, I don't see how it is possible to send a token without an existing wallet / private key. Another point is it is hard for someone to create a wallet address that is similar to yours. Personally for years now, I haven't seen any wallet address that is nearly similar to my wallet address or I could mistakenly thought it was my wallet address. Let's say that what you are saying is true, I don't see any point that the hacker made this things to just earn 0 value transaction attack. Or maybe we are all wrong since I myself is also confused on how this works. I'm just thinking it's logically hard or nearly impossible.

serjent05

legendary

Activity: 2842

Merit: 1253

Cashback 15%

Quote from: zasad@ on November 30, 2022, 09:08:12 AM

Everything is very interesting, but I did not understand how a fraudster can create transactions without private keys.
It is very difficult to generate a similar address so that the first and last 3-5 digits are the same. Write more information about fraud.

If this is true, I believe this is the most sophisticated hack ever happening in a Wallet. Though I am still baffled by how this kind of hack happens, people gaining the access to your wallet.dat, if that was it then it is possible that the person who owned the address is a victim of the malware.

It can be 1 of the stated wallet-stealing malware like

InnfiRAT malware lurks in your machine to steal cryptocurrency wallet data
New ‘BHUNT’ malware is targeting crypto wallets of Indians
Everything you need to know about Mars Stealer
Bitcoin stealers: malware that raid crypto wallets

goaldigger

sr. member

Activity: 2310

Merit: 355

Is this like the hackers sending fake tokens on your account? If yes then probably this is their way to hack you so better not to make any transaction with it and just ignore it. There’s a lot of hackers out there, waiting for the opportunity so stay cautious. That is something suspicious though since you can only create transaction once you have the access on your wallet, which I think hackers still have no access, whatever it is be careful and protect your crypto as much as possible.

Topic: Binance smart chain and 0 dollars transactions attack (Read 243 times)