Data from Etherscan shows that some crypto scammers are targeting users with a new trick that allows them to confirm a transaction from the victim’s wallet, but without having the victim’s private key. The attack can only be performed for transactions of 0 value. However, it may cause some users to accidentally send tokens to the attacker as a result of cutting and pasting from a hijacked transaction history.
Blockchain security firm SlowMist discovered the new technique in December and revealed it in a blog post. Since then, both SafePal and Etherscan have adopted mitigation techniques to limit its effect on users, but some users may still be unaware of its existence.
Recently we have received reports from the community of a new type of scam: Zero Transfer Scam. Be careful if you see suspicious 0 transfer in your wallet record:
— Veronica (@V_SafePal) December 14, 2022
According to the post from SlowMist, the scam works by sending a transaction of zero tokens from the victim’s wallet to an address that looks similar to one that the victim had previously sent tokens to.
For example, if the victim sent 100 coins to an exchange deposit address, the attacker may send zero coins from the victim’s wallet to an address that looks similar but that is, in fact, under the control of the attacker. The victim may see this transaction in their transaction history and conclude that the address shown is the correct deposit address. As a result, they may send their coins directly to the attacker.
Sending a transaction without owner permission
Under normal circumstances, an attacker needs the victim’s private key to send a transaction from the victim’s wallet. But Etherscan’s “contract tab” feature reveals that there is a loophole in some token contracts that can allow an attacker to send a transaction from any wallet whatsoever.
For example, the code for USD Coin (USDC) on Etherscan shows that the “TransferFrom” function allows any person to move coins from another person’s wallet as long as the amount of coins they are sending is less than or equal to the amount allowed by the owner of the address.
This usually means that an attacker can’t make a transaction from another person’s address unless the owner approves an allowance for them.
However, there is a loophole in this restriction. The allowed amount is defined as a number (called the “uint256 type”), which means it is interpreted as zero unless it is specifically set to some…
Click Here to Read the Full Original Article at Cointelegraph.com News…