Binance smart chain and 0 dollars transactions attack

oliver_g

newbie

Activity: 9

Merit: 1

It is now very clearly visible that binance is involved in this is scam according, how they behave.

Quote from binance smart chain support:

Quote

Hello,

After reviewing the case, we have concluded that this was not due to a vulnerability in BSC.

1. The 0 transfer from your address 0xb410e3d622D1072eE3E1cc6cdc90120E657977F7 to scammer’s address 0x27feaafd9b46b74bee510a0a538615d2ff639871 was not a withdrawal but a call to the token contract’s https://bscscan.com/token/0xe9e7cea3dedca5984780bafc599bd69add087d56#writeContract transferFrom function. The transferFrom function does not require the private key of the sender address if the amount is 0. Anyone can call transferFrom with any address + 0 amount in token contract.

Note that this function is not specific to BEP20 but to ERC20 tokens as well. If you check this contract from Etherscan (and other token contracts) https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#writeContract, you will be able to find and call the same transferFrom function.

2. What the scammer has managed to achieve was to use the function to his advantage and target users who would copy the scam address from the previous transactions, trick them into thinking that it was a legit address and make a deposit to it.

We have raised this to our security team to check the possibility of tracking this scammer.
We are also thinking of possible solutions on how we can help users from falling victim.

Quote

Hi, I understand your frustration. I am actually aware of this case, this is not a vulnerability issue, and it is not an issue with Binance Smart Chain itself. It is the way ERC20 was designed, so it is happening on Ethereum and other EVM compatible blockchains as well. I honestly don't think there is anything we can do about it, it is just like a phishing attack on web2, not a vulnerability with the internet but more like a scammer attack on an open network. I would recommend next time making a transfer, specially a large transfer to verify the destination wallet address.

I just no not believe that it is impossible to fix this vulnerability.
People lost their money and binance do nothing, just wisecrack "you must double check deposit address".
Updated statistiks:
https://dune.com/opang/first-and-last-address-construction

Jaered

jr. member

Activity: 840

Merit: 4

This has happened to me before, like 6 months ago. I just copied wallet address from my Metamask transaction history and sent some fantom tokens to it. When I didn’t receive it, I had to double check the wallet address, only to realize it was a fake. Thankfully it wasn't up to $100 worth of tokens

o48o

legendary

Activity: 3038

Merit: 1166

Leading Crypto Sports Betting & Casino Platform

Quote from: MikkisJ on December 05, 2022, 05:30:13 PM

-cut-
Because it's a new attack. And there are people discussing it, you just don't even bother to check.
-cut-

I stand corrected, but bothering to check? You didn't provide any links to places where people were discussing about it. zasad@ did, about a week after my post that you are now answering to.

So yes, both of us now know that people are talking about it. I didn't see a reason to apologize afterwards because i was speaking with the information i had at the time and it would just be repeating what zasad@ typed.

MikkisJ

member

Activity: 126

Merit: 11

Quote from: kelonmusk on December 05, 2022, 11:20:58 PM

The OP lacks details explaining the question. According to my analysis, the scenario is like this (correct if you have another opinion):

First, the attacker steals your address's private key. (This is how he gets your token.) This is impossible.

Second, the attacker creates a transaction that transfers all of your tokens to his own address, which is similar to yours. (The attacker has now taken your token without giving you anything in return.)

In the third, the attacker sends a transaction of 0 tokens from your address to his own address. (This is what makes it look like you sent the token to the scammer yourself.)

You have to read other posts in the thread. Your scenario is wrong. The explanation is a few posts above.

Read this
https://bitcointalksearch.org/topic/m.61397716

kelonmusk

member

Activity: 198

Merit: 10

COMBO Network ex COCOS-BCX

The OP lacks details explaining the question. According to my analysis, the scenario is like this (correct if you have another opinion):

First, the attacker steals your address's private key. (This is how he gets your token.) This is impossible.

Second, the attacker creates a transaction that transfers all of your tokens to his own address, which is similar to yours. (The attacker has now taken your token without giving you anything in return.)

In the third, the attacker sends a transaction of 0 tokens from your address to his own address. (This is what makes it look like you sent the token to the scammer yourself.)

MikkisJ

member

Activity: 126

Merit: 11

Quote from: o48o on December 01, 2022, 08:10:02 AM

And please explain to me why i can't find info on something even related to this or why no one is talking about this?

Because it's a new attack. And there are people discussing it, you just don't even bother to check.

Quote

Can you also sign messages with other people's wallets while you are at it?

I told you, only 0 token transaction is possible without your keys. Signing is not possible. Why do you keep asking these stupid questions?

zasad@

legendary

Activity: 1932

Merit: 4602

Buy on Amazon with Crypto

Finally I found a good explanation for this attack

Address Poisoning Attack, A continuing Threat
https://mirror.xyz/x-explore.eth/cL3d_CyNujXq8XY7ueP4omNXx_IY1EG5Dz0FD0vJ90M
"As of December 2, the number of attacks on the BSC and ETH chains exceeded 290,000 and 40,000, respectively, and the number of independent addresses affected by the attacks exceeded 150,000 and 36,000, respectively."

You can say thank you to the user Ratimov
https://bitcointalksearch.org/topic/someone-sent-erc20-from-my-cold-storage-5425735
You need to be careful and check the addresses more carefully.

oliver_g

newbie

Activity: 9

Merit: 1

Quote from: JunkieMiner on December 02, 2022, 01:13:36 PM

I made a transaction today from my Trustwallet to my MEXC Account of around 300$, after the transaction occurs, at the same time 0 USDT has been transferred from my Trust wallet

Can you give link to your transaction on bscscan?

JunkieMiner

member

Activity: 412

Merit: 10

I made a transaction today from my Trustwallet to my MEXC Account of around 300$, after the transaction occurs, at the same time 0 USDT has been transferred from my Trust wallet account to that MEXC Account, which I had already sent the 300$. Strange! then I checked the transaction that was the same as my MEXC Account.

vv181

legendary

Activity: 1932

Merit: 1273

Interesting and out of mind!

The smart contract token implementation should not make this scenario possible, it is faulty at its finest. Logically, on the first hand, a system should not allow any transactions that is solely based on balance checking as mentioned on the StackExchange:

Quote from: oliver_g on December 02, 2022, 05:21:04 AM

I lost by this vulnerability 100000 dollars.
https://bitcointalksearch.org/topic/i-got-scammed-out-of-100000-dollars-by-fake-0-dollars-withdrawal-on-bsc-5425022

I wonder whether it is the norm to use the last withdrawal transaction address from your wallet. Because beforehand, I could not think of any users who do that. Nevertheless, alas! you are the one who gets scammed because of this faulty mechanism.

oliver_g

newbie

Activity: 9

Merit: 1

I lost by this vulnerability 100000 dollars.
https://bitcointalksearch.org/topic/i-got-scammed-out-of-100000-dollars-by-fake-0-dollars-withdrawal-on-bsc-5425022

MikkisJ

member

Activity: 126

Merit: 11

Quote from: o48o on December 01, 2022, 08:10:02 AM

Quote from: MikkisJ on December 01, 2022, 06:09:53 AM

Those transactions send 0 tokens from possible victims wallets to scammer's wallet. It's possible to send 0 tokens from your address without private keys because the system accepts them because transaction is zero.
-cut-

Ok, i would liket to see anyone proving this as it sounds absurd. Even asking this makes me sound like a fool but:

Can someone make transaction from this address to literally any address without having private key for that address?

And please explain to me why i can't find info on something even related to this or why no one is talking about this? Can you also sign messages with other people's wallets while you are at it?

0 tokens can be sent by anyone. it is discussed here
https://ethereum.stackexchange.com/questions/140214/fake-0-token-transaction-on-bsc

MikkisJ

member

Activity: 126

Merit: 11

This address had USD transaction.
https://bscscan.com/address/0x568ea44e79f404186409fb743e2b25c3ef49426c#tokentxns

Here he sends 2751 dollars to somebody, maybe his second address, or exchange.
https://bscscan.com/tx/0xb5ae05099b8197f1a6dd01d02b27511f23b4ab4625a8356cb92c249fdd8b7b09

The receiver is
0x3A06a19ee040322edF79e259e9830B02a65020b6

Then the scammer sends 0 dollars from 0x568ea44e79f404186409fb743e2b25c3ef49426c. He doesn't have private keys. But because it's 0, the system accepts it.

The scammers sends 0 to his own address
0x2b63c5514da212b24433b7bfe3ccac2b41f020b6

This address is similar to
0x3a06a19ee040322edf79e259e9830b02a65020b6

So then the scammer hopes that the owner of 0x568ea44e79f404186409fb743e2b25c3ef49426c sends to 0x2b63c5514da212b24433b7bfe3ccac2b41f020b6 instead of 0x3a06a19ee040322edf79e259e9830b02a65020b6.

o48o

legendary

Activity: 3038

Merit: 1166

Leading Crypto Sports Betting & Casino Platform

Quote from: MikkisJ on December 01, 2022, 06:09:53 AM

Those transactions send 0 tokens from possible victims wallets to scammer's wallet. It's possible to send 0 tokens from your address without private keys because the system accepts them because transaction is zero.
-cut-

Ok, i would liket to see anyone proving this as it sounds absurd. Even asking this makes me sound like a fool but:

Can someone make transaction from this address to literally any address without having private key for that address?

And please explain to me why i can't find info on something even related to this or why no one is talking about this? Can you also sign messages with other people's wallets while you are at it?

zasad@

legendary

Activity: 1932

Merit: 4602

Buy on Amazon with Crypto

Quote from: MikkisJ on December 01, 2022, 06:09:53 AM

Those transactions send 0 tokens from possible victims wallets to scammer's wallet. It's possible to send 0 tokens from your address without private keys because the system accepts them because transaction is zero.

If someone can send 0 tokens from my address, then he can reset my wallet, because for each transaction you need to pay a commission.
This is not possible without a private key. I think that you do not understand how blockchain binance works.

Quote from: MikkisJ on December 01, 2022, 06:09:53 AM

The scammer creates address that is similar to address you sent tokens to. For example if you send 1000 Tether USD to you binance address ending with 12345, then the attacker send a minute later 0 Tether USD from your address to his address that looks like your binance address, it also ends with 12345. Scammer hopes you copy paste his address from bscscan and he hopes you send to his address instead of your binance address.

I chose a random address, try sending 0 tokens from this wallet.
https://bscscan.com/address/0xbc5703a67df4a335bbd7d2fb163d37ac5799268c

MikkisJ

member

Activity: 126

Merit: 11

Those transactions send 0 tokens from possible victims wallets to scammer's wallet. It's possible to send 0 tokens from your address without private keys because the system accepts them because transaction is zero.

The scammer creates address that is similar to address you sent tokens to. For example if you send 1000 Tether USD to you binance address ending with 12345, then the attacker send a minute later 0 Tether USD from your address to his address that looks like your binance address, it also ends with 12345. Scammer hopes you copy paste his address from bscscan and he hopes you send to his address instead of your binance address.

vv181

legendary

Activity: 1932

Merit: 1273

As others have said, it is very unlikely to create a transaction without the address private key or prior interaction without a smart contract. I also don't see which address that mentioned being similar, maybe anyone could point me to any of it?

For the latter part, it makes no sense if the user truly intended to send or receive some token over some platform address, they won't be copying directly from the transaction history parts.

You should elaborate more if you suspect this is an attack and detail the process of how the user could get scammed.

abel1337

legendary

Activity: 2492

Merit: 1145

Enterapp Pre-Sale Live - bit.ly/3UrMCWI

Just like others, I don't see how it is possible to send a token without an existing wallet / private key. Another point is it is hard for someone to create a wallet address that is similar to yours. Personally for years now, I haven't seen any wallet address that is nearly similar to my wallet address or I could mistakenly thought it was my wallet address. Let's say that what you are saying is true, I don't see any point that the hacker made this things to just earn 0 value transaction attack. Or maybe we are all wrong since I myself is also confused on how this works. I'm just thinking it's logically hard or nearly impossible.

serjent05

legendary

Activity: 3010

Merit: 1280

Get $2100 deposit bonuses & 60 FS

Quote from: zasad@ on November 30, 2022, 08:08:12 AM

Everything is very interesting, but I did not understand how a fraudster can create transactions without private keys.
It is very difficult to generate a similar address so that the first and last 3-5 digits are the same. Write more information about fraud.

If this is true, I believe this is the most sophisticated hack ever happening in a Wallet. Though I am still baffled by how this kind of hack happens, people gaining the access to your wallet.dat, if that was it then it is possible that the person who owned the address is a victim of the malware.

It can be 1 of the stated wallet-stealing malware like

InnfiRAT malware lurks in your machine to steal cryptocurrency wallet data
New ‘BHUNT’ malware is targeting crypto wallets of Indians
Everything you need to know about Mars Stealer
Bitcoin stealers: malware that raid crypto wallets

goaldigger

sr. member

Activity: 2422

Merit: 357

Is this like the hackers sending fake tokens on your account? If yes then probably this is their way to hack you so better not to make any transaction with it and just ignore it. There’s a lot of hackers out there, waiting for the opportunity so stay cautious. That is something suspicious though since you can only create transaction once you have the access on your wallet, which I think hackers still have no access, whatever it is be careful and protect your crypto as much as possible.

Jackl87

sr. member

Activity: 1722

Merit: 269

Quote from: MikkisJ on November 30, 2022, 06:09:26 AM

There is an attack going on where transactions are created that show transactions going out of your account that have 0 tokens moved.
The attacker sends 0 tokens from your address without your private keys. The address is very similar that you send tokens to. Then a user copies address and accidentally sends tokens to scammer.
Here you can see 20 such 0 token transactions.
https://bscscan.com/tx/0x8af45041085d513da6c5acb06bc82acf108ccc08d7ae3a2b7dbe4671c2d75d70

Well first of all thank you for the warning and the heads up. I am not really sure though how this transaction attack would work. As others in this thread have already said, there should be no way that a scammer can send tokens from your wallet if he does not have access to your wallet which means to your private key and if he would have access to it then he definitely would not send 0 token transactions first. He would instead just send all of the funds from your wallet to a wallet that he is controlling. So i don't think that this scam works as you said, but i also don't now how it could work any other way. This kind of scam would be new to me.

cryptoaddictchie

legendary

Activity: 2254

Merit: 1377

Fully Regulated Crypto Casino

Im not sure how its possible. But in order to create a transaction from the wallets, someone must have your private keys. Maybe those send transactions are wallets from same guy who knew those different wallets. If you see your wallet there means he got an acess on your wallet. Not sure how he make the transaction confirmed. Maybe this is a smart contract interaction on a dapp or what.

Adbitco

hero member

Activity: 1428

Merit: 653

Leading Crypto Sports Betting & Casino Platform

Actually sometimes is possible because whenever you tried to swap token from dex immediately you swapped then some tokens are instantly sent to you via same address, I think it was same thing that occurred here. But if it happens that your wallet is compromised then I would advise to you to instantly move every valuable asset in your wallet before any further damages that might likely occur in future because basically the wallet is not safe anymore.
Create new wallet and move all valuable asset out from that same wallet.

JunkieMiner

member

Activity: 412

Merit: 10

Recently, I got 2 transactions consisting of 0 USDC in my trust wallet but didn't understand what this all happening, and the most ridiculous think is that the 2 addresses were completely different from each other, I had checked them at BSc scan, but the wallet was fully new created and that was their first transactions.

blockman

hero member

Activity: 3066

Merit: 629

Vave.com - Crypto Casino

Quote from: MikkisJ on November 30, 2022, 06:09:26 AM

The attacker sends 0 tokens from your address without your private keys.

Of course, anyone can send transactions to us without having the need our private keys. But with that having 0 tokens sent, it's making me believe that this is just another dust attack.
From what I think, maybe there's a fake token from the attacker that sends it to anyone that he's got their addresses and that's to know if the address owner is responsive or active because they'll eventually move that away from that wallet. Also, don't click those tokens because they'll direct you to their website and with an interest of exchanging them, that's probably where the scam starts.

o48o

legendary

Activity: 3038

Merit: 1166

Leading Crypto Sports Betting & Casino Platform

Quote from: MikkisJ on November 30, 2022, 06:09:26 AM

There is an attack going on where transactions are created that show transactions going out of your account that have 0 tokens moved.
The attacker sends 0 tokens from your address without your private keys. The address is very similar that you send tokens to.

It sounds like this is either error in translation or you have completely misunderstood how addresses and private keys work. If someone could send 0 token transactions from your wallet without your private key, this would be a serious issue that would have been talked about for years now.

Quote from: MikkisJ on November 30, 2022, 06:09:26 AM

Then a user copies address and accidentally sends tokens to scammer.

Here you can see 20 such 0 token transactions.
https://bscscan.com/tx/0x8af45041085d513da6c5acb06bc82acf108ccc08d7ae3a2b7dbe4671c2d75d70

This doesn't even make any sense. Why would i copy some random address and from where? And similar addresses? What are you even talking about?

Yogee

sr. member

Activity: 1554

Merit: 413

This is confusing. Are these really coming from compromised wallets? What if these addresses are generated by the same person or "attacker" and he just wants to spam the network? It looks like a lot of work but I find that more plausible than sending 0 tokens without a private key or seed phrase.

seoincorporation

legendary

Activity: 3346

Merit: 3125

Quote from: MikkisJ on November 30, 2022, 06:09:26 AM

The attacker sends 0 tokens from your address without your private keys. The address is very similar that you send tokens to. Then a user copies address and accidentally sends tokens to scammer.

This is impossible.

People can't send coins from your address without your private key, but what they can do is generate those transactions with a smart contract once users have interacted with it.

And is important to say this transaction had a cost, it wasn't totally free, the one who spent cero dollars with multiple inputs and outputs had to pay a transaction fee for it. So, if this is an attack, I don't think it will be brute-forced because each transaction has a cost.

zasad@

legendary

Activity: 1932

Merit: 4602

Buy on Amazon with Crypto

Everything is very interesting, but I did not understand how a fraudster can create transactions without private keys.
It is very difficult to generate a similar address so that the first and last 3-5 digits are the same. Write more information about fraud.

MikkisJ

member

Activity: 126

Merit: 11

There is an attack going on where transactions are created that show transactions going out of your account that have 0 tokens moved.

The attacker sends 0 tokens from your address without your private keys. The address is very similar that you send tokens to. Then a user copies address and accidentally sends tokens to scammer.

Here you can see 20 such 0 token transactions.
https://bscscan.com/tx/0x8af45041085d513da6c5acb06bc82acf108ccc08d7ae3a2b7dbe4671c2d75d70

Topic: Binance smart chain and 0 dollars transactions attack (Read 276 times)