
Hackers can steal digital assets through these methods: see if you have been affected.

PASA Know · Mars

Reviewing a wallet-theft case and summarizing 8 security tips to help you protect your assets in Web3


Blockchain technology and its applications are still at an early, fast-moving stage and face security risks at every layer: ecosystem applications, smart contracts, consensus mechanisms and the underlying components. These issues are widespread and high-impact, and they pose new challenges for the ecosystem, for security auditing, for technical architecture, for the protection of private data and for infrastructure as a whole.

How do hackers steal wallet funds?

"Impersonating customer service to steal private keys"

1. Attackers pose as customer service and lurk in project communities.

2. When a user asks for help with a transfer or with withdrawing profits, the attacker reaches out to "assist".

3. After a patient explanation, they send a link to a fake "professional ticket system" that prompts the user to enter their mnemonic phrase to "resolve" the transaction issue.

4. With the mnemonic phrase (and therefore the private keys) in hand, the attacker empties the wallet and blocks the user.

"Scanning malicious QR codes leads to theft"

1. The attacker sends the user a prepared malicious QR code;

2. The user scans it, enters a small or the specified amount and confirms what looks like a transfer (in reality the transaction is an approve() that grants the attacker's address an allowance over the user's USDT);

3. Shortly afterwards a large amount of USDT disappears from the user's wallet (the attacker calls transferFrom() against that allowance).

"Being greedy for small advantages, casually accepting airdrops leads to theft"

1. Attackers impersonate trading platforms, DeFi, NFT and other blockchain projects;

2. They promote obviously profitable airdrop campaigns through media and community channels;

3. After scanning the code, the user clicks to claim the airdrop (that click is in fact an approve() granting the attacker's address an allowance over the user's USDT);

4. Shortly afterwards a large amount of USDT is moved out of the victim's account (the attacker calls transferFrom() against that allowance).

"Online cloud platform accounts are stolen"

Many people back up their keys/mnemonic phrases by screenshotting, photographing or copy-pasting them, then syncing them to the cloud through email, QQ, WeChat, cloud drives, note apps and the like. Attackers obtain the private keys/mnemonic phrases by compromising those cloud accounts.

The Zero Time Technology security team has received numerous reports from users who saved private keys/mnemonic phrases in cloud drives or notes and had their wallet assets stolen after the platform account was compromised.

"Hot wallet servers are attacked"

Many blockchain applications run hot wallets that hold large amounts of digital assets. Where the hot wallet servers are not hardened, are poorly operated and maintained, or are run without security awareness, attackers compromise them, steal the assets in the hot wallet, and can even use the servers as a springboard to attack other wallets.

"Private keys stolen by acquaintances"

You can guard day and night, yet the hardest thief to guard against is the one inside your own house. Wallet private keys/mnemonic phrases are quietly stolen by acquaintances, and the assets are lost.

"Phishing attacks to steal private keys"

Attackers clone a well-known blockchain project and build a phishing website that looks identical to the real one. Ordinary users cannot tell the carefully built fake from the original. The attackers spread links to it through many channels, creating confusion and luring users onto the phishing site, where they are guided to enter account passwords or keys, and the assets in the user's wallet are stolen.

"Telecom fraud"

Telecom fraud has surged in recent years and its methods keep getting more sophisticated. Because so much personal information has leaked on the internet, attackers use email, SMS and phone calls to defraud victims: centralized scam projects dressed up as blockchain, pig-butchering schemes, and high-return investment projects that lure victims into investing and then take everything.

"Malicious software"

Hackers upload apps to the Google Play store disguised as cryptocurrency resources, or lure users into downloading them through phishing. These apps are malware: once installed and launched they give the attacker control of the victim's phone or mobile device, allowing them to steal account credentials, private keys and other information, which leads to wallet theft.

"Attacks through public Wi-Fi"

In crowded public places such as train stations, airports and hotels, Wi-Fi networks are particularly insecure. Victims may share a Wi-Fi network with an attacker, or the attacker may set up a malicious hotspot for the public to use. Under certain conditions, everything the victim downloads or sends over that network can be intercepted and read by the attacker, including wallet private keys and mnemonic phrases.

What to do if the key is lost?

1. If you still have a backup of the mnemonic phrase or private key, import it into a new wallet immediately and move the assets to a different wallet whose keys have never been exposed;

2. Check whether any assets in the compromised wallet are staked or locked; work out the unlock time and move them the moment they unlock;

3. If the assets have already been moved out of the wallet, use a fund-tracking tool to monitor them in real time, establish where the money went as early as possible and seek help;

4. You can also contact a professional security team for help recovering the lost keys and assets.

Summarizing the security guide of Web3 from the wallet theft incident

Event

One morning during the 2022 New Year holiday, Xiao C was about to continue coding and testing on-chain contract transactions with Web3.js when he discovered that his test account (BSC chain) in MetaMask had been emptied, even though it had still held about 100 USD the night before. Checking the transfers, he found:

The money is gone, where did the money go?

Background

Xiao C has a technical background and has recently been learning blockchain development. As a professional developer he is usually cautious and careful, running on test networks before deploying to mainnet. What he had not realised is that the whole industry is still in a fairly chaotic stage, and habit and complacency led to the loss.

How was the loss caused?

On the last day of 2021, Xiao C happened to notice an interesting account (it had many active transactions), followed some of its on-chain transactions, and came across a very interesting project (with a high annual yield). Then, as if in a trance, he connected his MetaMask and performed an approve, since that is the general flow for Web3 projects: approve first, then transact.

Then something shocking happened: after the click, the whole website froze (during this freeze the thief had in fact already transferred the money out) and stopped responding. Xiao C thought nothing of it at the time, closed the site and went to do other things.

About a day later, when Xiao C came back to continue developing, he found that all the money in the account was gone. After checking the history, he found that the balance had been completely transferred away.

Reviewing the process

How did the thief transfer all the money from Xiao C's account?

Key point: once an allowance has been approved, the approved address can move the corresponding tokens with transferFrom(), up to the approved amount, and the owner's private key is not needed at all.

Xiao C traced the transactions; the cause was almost certainly an approve signed on a phishing website, so he looked up the transfer record.

As shown in the picture, an approve (authorization) was first granted to a contract, allowing the phishing contract to operate the BUSD in the account, with no limit on the amount.

Why BUSD? Xiao C recalled that when he opened the phishing site, BUSD was pre-selected. Most likely, as soon as the wallet was connected, the site read the account's balances and picked the token holding the most value.

Then, when Xiao C thought this was a new swap contract and was ready to try it with a high annual yield, he proceeded with the usual process and performed an approve. After the approve, the site immediately froze.

Later, after tracing, it was found that about a few seconds after the authorization, the contract directly triggered a transfer operation and transferred the BUSD token away.

Later, checking the authorization details, the default allowance MetaMask had proposed was:

Converted into a number, this is 1.157920892373162 × 10^59 BUSD. That is the raw uint256 value 2^256 - 1 (about 1.158 × 10^77) divided by the token's 10^18 decimals: for all practical purposes an unlimited allowance, meaning the contract may move the account's BUSD without any further signature until the allowance is revoked. Seeing this sent a chill down my back, because I had clicked approve many times before without looking.

A wallet address controlled by the attacker, which has the right to call the relevant function on that contract, then invokes the contract, and the contract calls transferFrom() to move the money out. So, friends, read the details carefully before confirming a MetaMask approval in future.

Xiao C checked that the thief now has about 30,000 USD worth of tokens in this account, and there are still a steady stream of victims transferring money. But facing the blockchain, there is no way to find out who this hacker is.

The problem in the process

Where exactly is the problem?

Since he has been learning about blockchain recently, Xiao C roughly worked out the logic behind this phishing method; better safe than sorry. If you are interested, read on:

Normal transfer

Case one: direct user-to-user transfer. User A transfers BUSD to user B.

The token contract normally checks:

1) whether user A's balance is sufficient; 2) whether the transfer was initiated by user A (the caller, msg.sender, is A)

The process is shown in the following diagram

Normal contract exchange

This is the flow used on exchanges such as PancakeSwap and Uniswap.

Case two: token exchange through a swap. User A swaps BUSD for WBNB. The contracts check and perform:

1) whether user A has enough BUSD (assuming user A has already approved the swap contract to spend their BUSD);

2) the swap contract pulls 500 BUSD from user A's account into its pool with transferFrom() (assuming an exchange rate of 500:1);

3) on success, the contract transfers 1 WBNB to user A's account.

Note steps 2 and 3: both are executed by the contract, not by the user. In other words, once an allowance exists, the contract can move the approved token out of our account on its own, without any further signature from us.

Phishing contract

First, look at this traceability diagram.

In a normal transfer the transferor and the transaction sender are the same person, that is, (1) and (2) in the diagram above should come from the same address. In the transaction that emptied my account they are not the same address. The likely explanation is that a wallet address with the right to call the phishing contract invoked it, and the contract then moved the BUSD I had approved to it.

When checking the phishing contract, it was no surprise that its source code was not verified (only the bytecode is on-chain). But it is not hard to imagine what it does: anyone who has written a little Solidity knows you can simply define one or more extra Admin or Owner addresses in the contract and let only those addresses call the function that runs transferFrom() on the victims' tokens.
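The approve/transferFrom mechanism behind the QR-code and airdrop cases earlier in the article, and behind the three cases in this section (normal transfer, swap, phishing contract), as an added worked example that is not part of the original article. It is a small in-memory JavaScript model of the ERC-20 rules, not real chain code: the token behaviour follows the standard (with OpenZeppelin's convention of never reducing an unlimited allowance), while the addresses, the shape of the phishing contract and all amounts are constructed for illustration.

```javascript
// Added example (not from the original article): an in-memory model of the ERC-20
// transfer / approve / transferFrom rules, showing why one approve() signed on a phishing
// site lets the attacker drain the token without ever holding the victim's private key.
// Addresses, the phishing contract's shape and all amounts are constructed for illustration.

const DECIMALS = 18n;
const ONE = 10n ** DECIMALS;                  // 1 token in raw units (BUSD/USDT-style, 18 decimals)
const MAX_UINT256 = (1n << 256n) - 1n;        // the "unlimited" cap MetaMask used to pre-fill

class ERC20 {
  constructor(symbol) {
    this.symbol = symbol;
    this.balances = new Map();                // address -> BigInt
    this.allowances = new Map();              // "owner|spender" -> BigInt
  }
  balanceOf(addr) { return this.balances.get(addr) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}|${spender}`) ?? 0n; }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }

  // transfer(): funds leave msg.sender only, so only the holder of that key can move its balance.
  transfer(msgSender, to, amount) {
    if (this.balanceOf(msgSender) < amount) throw new Error(`${this.symbol}: transfer amount exceeds balance`);
    this.balances.set(msgSender, this.balanceOf(msgSender) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }

  // approve(): the owner (msg.sender) lets `spender` move up to `amount` of its tokens later.
  approve(msgSender, spender, amount) {
    this.allowances.set(`${msgSender}|${spender}`, amount);
  }

  // transferFrom(): msg.sender is the spender; the token checks the allowance, not who holds the key.
  transferFrom(msgSender, from, to, amount) {
    const allowed = this.allowance(from, msgSender);
    if (allowed < amount) throw new Error(`${this.symbol}: insufficient allowance`);
    if (this.balanceOf(from) < amount) throw new Error(`${this.symbol}: transfer amount exceeds balance`);
    if (allowed !== MAX_UINT256) {            // OpenZeppelin convention: an unlimited allowance is never reduced
      this.allowances.set(`${from}|${msgSender}`, allowed - amount);
    }
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// Case two in the article: a real swap also uses transferFrom, but pays the output token back.
function legitimateSwap() {
  const busd = new ERC20('BUSD'), wbnb = new ERC20('WBNB');
  const user = '0xUserA', pool = '0xSwapPool';
  busd.mint(user, 500n * ONE); wbnb.mint(pool, 10n * ONE);
  busd.approve(user, pool, 500n * ONE);             // user approves exactly the input amount
  busd.transferFrom(pool, user, pool, 500n * ONE);  // step 2: the pool pulls 500 BUSD
  wbnb.transfer(pool, user, 1n * ONE);              // step 3: the pool pays 1 WBNB (500:1)
  return { busd: busd.balanceOf(user) / ONE, wbnb: wbnb.balanceOf(user) / ONE, allowanceLeft: busd.allowance(user, pool) };
}

// The phishing "swap" contract: the only function that does anything is an owner-gated drain.
class PhishingContract {
  constructor(address, owner) { this.address = address; this.owner = owner; }
  drain(msgSender, token, victim) {
    if (msgSender !== this.owner) throw new Error('not owner');   // the extra Admin/Owner the article mentions
    const amount = token.balanceOf(victim);                       // take everything, not what the UI showed
    token.transferFrom(this.address, victim, this.owner, amount); // the token sees msg.sender = this contract
    return amount;
  }
}

// The case review, parameterised by what the victim approved.
function runScenario(approvedAmount) {
  const busd = new ERC20('BUSD');
  const victim = '0xVictim', attacker = '0xAttacker';
  const phish = new PhishingContract('0xPhishContract', attacker);
  busd.mint(victim, 100n * ONE);
  const r = { transferByAttacker: null, drained: 0n, drainError: null };

  // (1) Without an allowance the attacker can do nothing: transfer() spends only his own empty balance.
  try { busd.transfer(attacker, attacker, 100n * ONE); r.transferByAttacker = 'ok'; }
  catch (e) { r.transferByAttacker = e.message; }
  // (2) The victim signs approve() on the phishing site ("approve BUSD to continue").
  busd.approve(victim, phish.address, approvedAmount);
  // (3) Seconds later the attacker's EOA calls drain(); this is the moment the site "froze".
  try { r.drained = phish.drain(attacker, busd, victim); }
  catch (e) { r.drainError = e.message; }

  r.victimBalance = busd.balanceOf(victim) / ONE;
  r.attackerBalance = busd.balanceOf(attacker) / ONE;
  r.allowanceLeft = busd.allowance(victim, phish.address);
  return r;
}

const unlimited = runScenario(MAX_UINT256);   // MetaMask's old default: everything goes, allowance stays
const capped = runScenario(1n * ONE);         // tip 7, "set a limit": the drain reverts, nothing moves
console.log(legitimateSwap(), unlimited, capped);
```

Run it with node. In the unlimited scenario the victim ends at 0 BUSD and the allowance is still 2^256 - 1, so any BUSD deposited later can be drained again until approve(spender, 0) is sent; in the capped scenario the drain reverts with "insufficient allowance" and nothing moves, which is why a spending cap (tip 7 below) limits the damage to the amount you actually meant to spend.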

So be sure to pay attention to the endorsement of the project party in the future, and don't casually authorize unknown projects!!!

Safety advice

Because of this incident, Xiao C searched for some useful advice and methods, and also saw many bloody lessons.

Here are some methods that everyone can choose according to their needs.

1) Do not share keys

I have seen posts recommending deriving multiple accounts from one mnemonic phrase. I do not recommend it: if that one phrase leaks, every account derived from it is wiped out at once.

2) Save keys offline

Many clipboard tools and input methods upload your clipboard history to the cloud. If you copy the key and that cloud leaks, your key is gone with it.

My suggestion is to write the key down on paper as soon as it is generated. You can also apply your own substitution to the written key, for example a -> 1, b -> 2, 1 -> a, so that someone who sees the paper cannot use it directly. Bear in mind that a fixed substitution like this only defeats a casual glance; it is obfuscation, not encryption, and anyone who obtains the paper and works out the scheme can reverse it.

3) Separate development and testing (isolate airdrops and main accounts)

Install 2 browsers, one can be Chrome, the other can be Brave. One manages your main wallet. The other can participate in receiving airdrops, various chain operations, etc.

4) Do not download software of unknown origin

Do not search Baidu for and download software of unknown origin. I have seen cases where installing a pirated MetaMask led directly to total loss. Always download from the official address and, where possible, from Google Play, the Chrome Web Store and similar official stores.

5) Immediately check your authorization

As shown in the picture, the allowance is essentially unlimited.

Every time MetaMask pops up an approval, read the spender and the amount before confirming; don't blindly click Approve and Next as I used to.

6) Before granting authorization, confirm the security of the contract

You can use SlowMist's contract audit function.

You can also check whether the contract's source code is verified (open source). If it is, check further whether it is an upgradeable (proxy) contract, since upgradeable logic can change after you have granted the approval.

7) Be cautious about security when receiving airdrops and benefits

Use a small, separate account to receive them, never your main account. And when approving, set a spending cap instead of accepting the unlimited default!
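Tips 5 and 7, and the 1.1579 × 10^59 figure from the case review above, as an added example rather than code from the article: JavaScript helpers that convert raw allowance values into token units (this is exactly how 2^256 - 1 with 18 decimals becomes 1.1579e59), classify each allowance against the current balance, and build the calldata for an approve(spender, 0) revoke or an approve(spender, cap). The approve() selector 0x095ea7b3 is the real ERC-20 one; the token entries, spender addresses and the "trusted" flag are constructed sample data, not read from any chain.

```javascript
// Added example (not from the original article): helpers for tip 5 ("check your
// authorization") and tip 7 ("set a limit"). They convert raw uint256 allowances into
// token units (which is how 2^256 - 1 with 18 decimals shows up as 1.1579e59), classify
// each allowance against the current balance, and build the calldata for a revoke
// (approve(spender, 0)) or a cap (approve(spender, balance)).
// The token entries, spender addresses and "trusted" flags below are constructed sample data.

const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVE_SELECTOR = '095ea7b3';   // first 4 bytes of keccak256("approve(address,uint256)")

// Raw uint256 -> decimal string in token units (same idea as ethers' formatUnits).
function formatUnits(raw, decimals) {
  const base = 10n ** BigInt(decimals);
  const whole = raw / base, frac = raw % base;
  if (frac === 0n) return whole.toString();
  return `${whole}.${frac.toString().padStart(decimals, '0').replace(/0+$/, '')}`;
}

// "1.5" with 18 decimals -> 1500000000000000000n (same idea as ethers' parseUnits).
function parseUnits(text, decimals) {
  const m = /^(\d+)(?:\.(\d+))?$/.exec(text);
  if (!m) throw new Error(`bad amount: ${text}`);
  const frac = m[2] ?? '';
  if (frac.length > decimals) throw new Error('too many decimal places');
  return BigInt(m[1]) * 10n ** BigInt(decimals) + BigInt(frac.padEnd(decimals, '0') || '0');
}

// What an allowance exposes: the balance now, and (if it exceeds the balance) future deposits too.
function classifyAllowance({ allowance, balance }) {
  if (allowance === 0n) return 'none';
  if (allowance === MAX_UINT256) return 'unlimited';
  if (allowance > balance) return 'exceeds-balance';
  return 'bounded';
}

// ABI-encode approve(spender, amount): 4-byte selector, 32-byte left-padded address, 32-byte uint256.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, '');
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error(`bad address: ${spender}`);
  if (amount < 0n || amount > MAX_UINT256) throw new Error('amount out of uint256 range');
  return '0x' + APPROVE_SELECTOR + addr.padStart(64, '0') + amount.toString(16).padStart(64, '0');
}

// Walk the allowances a wallet or explorer lists and decide: keep, cap to the balance, or revoke.
function auditAllowances(entries) {
  return entries.map((e) => {
    const kind = classifyAllowance(e);
    const atRisk = e.allowance < e.balance ? e.allowance : e.balance;   // what transferFrom can take right now
    let action = 'keep';
    if (kind === 'unlimited' || kind === 'exceeds-balance') action = e.trusted ? 'cap' : 'revoke';
    return {
      token: e.token, spender: e.spender, kind, action,
      shown: formatUnits(e.allowance, e.decimals),      // what MetaMask and explorers display
      atRisk: formatUnits(atRisk, e.decimals),
      calldata: action === 'revoke' ? encodeApprove(e.spender, 0n)
              : action === 'cap' ? encodeApprove(e.spender, e.balance) : null,
    };
  });
}

// Constructed sample: the article's case (unlimited BUSD approval to an unknown contract) plus two others.
const SAMPLE = [
  { token: 'BUSD', decimals: 18, spender: '0x' + 'ab'.repeat(20), trusted: false,
    allowance: MAX_UINT256, balance: parseUnits('100', 18) },
  { token: 'USDT', decimals: 6, spender: '0x' + 'cd'.repeat(20), trusted: true,
    allowance: parseUnits('1000000', 6), balance: parseUnits('250', 6) },
  { token: 'WBNB', decimals: 18, spender: '0x' + 'ef'.repeat(20), trusted: true,
    allowance: parseUnits('0.5', 18), balance: parseUnits('2', 18) },
];
const REPORT = auditAllowances(SAMPLE);
console.log(REPORT);
```

To apply a revoke or a cap, send the returned calldata as a transaction to the token contract from the owning account (through MetaMask or Web3.js, for example) with a zero value field. For the capped entry the cap equals the current balance, so a later deposit is no longer exposed; for the unknown spender the only sensible action is to revoke.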

8) Beware of social engineering attacks, be cautious of strangers private messaging you on Discord

For example, on Discord or Telegram, someone you have known for only a few days says they want to take you along to earn money or get airdrops and asks you to install the software they sent and log in. In this situation the chance of total loss is 99.99%: your account gets stolen.

Discord especially: when you join an NFT project's official server, someone will send you a private message saying you have been whitelisted, with a mint link attached. Scammers change their avatar and name to look like the official team, but in fact they have just pulled you into a group or a private chat.

As long as you are not greedy, this kind of scam is fairly easy to spot. They usually tell you to mint within a few hours and allow 1 to 10 per wallet. Popular projects typically allow a whitelist of one or two mints, while this one offers a full 10 with a time limit.

There are also scammers who clone the project's official website, build a fake one and private-message people in the project's server inviting them to mint there.
