In a recent development, a blockchain security firm, CertiK, flagged a transfer of $10 million worth of Ether (ETH) to the crypto-mixing service Tornado Cash. This move is linked to a September 2023 phishing attack that targeted a major cryptocurrency investor, or “whale,” resulting in a total loss of $24 million.
The attack as reported by ChainAffairs leveraged a vulnerability in token allowances. On September 6th, 2023, the unsuspecting whale unknowingly signed a transaction that increased the allowance for a malicious smart contract. This essentially gave the attacker permission to spend the whale’s staked ETH on the Rocket Pool platform. The stolen amount included 9,579 stETH and 4,851 rETH tokens.
Concerns Over Token Allowances Resurface
The incident reignites concerns surrounding token allowances within the Ethereum network’s ERC-20 token standard. This feature allows users to grant third-party contracts permission to spend their tokens. While convenient, it can be exploited by malicious actors if users aren’t cautious. Security experts have long warned about the potential for hackers to deploy deceptive smart contracts to trick users into granting excessive allowances.
Attacker Launders Funds Through Tornado Cash
After gaining access to the stolen ETH, the attacker swapped it for a mix of other cryptocurrencies, including 13,785 ETH and 1.64 million Dai (DAI). Security firm PeckShield traced some of these funds to the FixedFloat exchange, while the majority was transferred to various wallets. The attacker then moved a portion of the stolen funds through Tornado Cash, a cryptocurrency mixing service often used to obfuscate transaction trails.
Phishing Attacks Remain a Major Threat
This incident highlights the ongoing threat of phishing attacks in the cryptocurrency space. According to a report by Scam Sniffer, February 2024 saw nearly $47 million lost to such scams. The report further indicates that the Ethereum network was the primary target, accounting for 78% of the stolen funds, with ERC-20 tokens making up 86%.
Also Read: The Web of Deceit: Navigating the Complex World of Crypto Scams
Token Approvals and the Importance of Vigilance
The incident also underscores the importance of vigilance when dealing with token allowances. A similar exploit involving an old contract from the Dolomite exchange resulted in $1.8 million drained from user accounts in March 2024. These events serve as a stark reminder for crypto users to carefully review any smart contract interactions before granting approvals.
While not all attacks succeed, like the thwarted Layerswap breach, these incidents emphasize the evolving landscape of crypto scams. Staying informed and practicing safe protocols remain crucial for protecting your digital assets.sharemore_vert