Sniping Phishing: Understanding the Four Major Risk Transaction Interception Functions of OKX Web3 Wallet
Scam Sniffer's mid-2024 phishing report shows that in the first half of 2024 alone, 260,000 victims lost $314 million on EVM chains, with 20 individuals losing over $1 million each. Sadly, another victim lost $11 million, becoming the second-largest theft victim in history.
According to the report's summary, most ERC-20 token thefts currently stem from signed phishing signatures such as Permit, increaseAllowance and Uniswap Permit2, and most large-scale thefts involve Staking, Restaking, Aave staking and Pendle tokens. Victims are usually directed to phishing websites through comments posted by fake Twitter accounts.
Phishing attacks remain a major on-chain security concern.
As an entry-level product that meets users' basic transaction needs, the OKX Web3 wallet focuses on strengthening security measures and user education. At the product level, the team has recently upgraded its risk-transaction interception function around high-frequency phishing scenarios, and says it will continue to add identification of more risk scenarios to warn users in the future.
This article explains the scenarios in which the four risk-transaction interception functions in the latest OKX Web3 wallet upgrade apply, and walks through how some theft cases actually work. We hope it is helpful to you.
On June 26th, a user signed multiple phishing signatures on a fake Blast phishing website and lost $217,000; on July 3rd, ZachXBT reported that address 0xD7b2 had fallen victim to Fake-Phishing 187019, losing 6 BAYC NFTs and 40 Beans (worth over $1 million); on July 24th, a Pendle user who had staked PENDLEPT tokens worth approximately $4.69 million had them stolen through multiple Permit phishing signatures made one hour earlier.
In the past two months there have been numerous incidents, and individual transactions, that caused losses through various kinds of signature phishing, which has become a frequent source of security problems. The vast majority of these cases involve inducing users to grant approvals to hackers' EOA accounts.
1. Malicious authorization to EOA accounts
Malicious authorization to EOA accounts generally refers to hackers inducing users, through "welfare" giveaways and similar lures, to sign an approval that grants an EOA address spending rights over the user's address.
EOA stands for Externally Owned Account, also translated as "external account". An EOA is a type of account on Ethereum-based blockchain networks, distinct from the other account type on Ethereum, the contract account. An EOA is owned by a user and is not controlled by a smart contract. When users interact on-chain, they normally grant approvals to the project's smart contract account, not to an EOA owned by an individual.
At present there are three common authorization methods.
Approval is the common authorization method defined in the ERC-20 token standard. It authorizes a third party (such as a smart contract) to spend a certain amount of tokens on the token holder's behalf. The user first approves a certain number of tokens for a smart contract; the contract can then call the transferFrom function at any time to transfer those tokens. If a user accidentally approves a malicious contract, the approved tokens may be transferred immediately. Note that an Approval leaves a trace that can be seen on the victim's wallet address.
Permit is an extended authorization method built on the ERC-20 standard, which grants a third party spending rights through a signed message instead of a direct smart contract call. Simply put, a user can approve others to transfer their tokens just by signing. Hackers exploit this: for example, they build a phishing website and replace the "connect wallet" button with a Permit signature request, making it easy to obtain the user's signature.
Permit2 is not part of the ERC-20 standard but a feature introduced by Uniswap for user convenience, allowing Uniswap users to pay a gas fee only once. Note, however, that if you have used Uniswap before and granted an unlimited approval to the contract, you may become a target of Permit2 phishing attacks.
Permit and Permit2 are off-chain signature methods: the victim's wallet address pays no gas. The phishing wallet address submits the authorization on-chain, so the traces of these two signatures can only be seen on the phishing wallet's address. Permit and Permit2 signature phishing have become a major challenge for Web3 asset security.
How does the OKX Web3 wallet interception function work in this scenario?
The OKX Web3 wallet performs a pre-analysis of pending transactions. If the analysis finds that the transaction is an approval and the approved address is an EOA, it alerts the user to prevent phishing attacks and asset losses.
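The pre-analysis described above, as an added example written for this article (not OKX's code): it decodes approve/increaseAllowance calldata and EIP-712 Permit/Permit2 typed data, then flags a spender that has no contract code. The `has_code` lookup stands in for an `eth_getCode` RPC call, and the sample addresses and calldata are constructed.

```python
MAX_UINT256 = 2**256 - 1
APPROVAL_SELECTORS = {  # keccak256 selectors of the ERC-20 approval functions
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}

def word(data: str, i: int) -> str:
    """Return the i-th 32-byte ABI word (as hex) following the 4-byte selector."""
    return data[8 + 64 * i: 8 + 64 * (i + 1)]

def decode_approval(calldata: str):
    """Return (function, spender, amount) for approval calldata, else None."""
    data = calldata.lower().removeprefix("0x")
    fn = APPROVAL_SELECTORS.get(data[:8])
    if fn is None or len(data) < 8 + 128:
        return None
    return fn, "0x" + word(data, 0)[24:], int(word(data, 1), 16)

def decode_permit(typed_data: dict):
    """Return (kind, spender, amount) from EIP-712 typed data, else None."""
    msg = typed_data["message"]
    if typed_data.get("primaryType") == "Permit":        # EIP-2612 Permit
        return "permit", msg["spender"], int(msg["value"])
    if typed_data.get("primaryType") == "PermitSingle":  # Uniswap Permit2
        return "permit2", msg["spender"], int(msg["details"]["amount"])
    return None

def assess(decoded, has_code) -> list:
    """Findings for a decoded approval. has_code(addr) stands in for eth_getCode."""
    if decoded is None:
        return []
    fn, spender, amount = decoded
    findings = []
    if not has_code(spender):   # no bytecode at the spender: it is an EOA
        findings.append(f"{fn}: spender {spender} is an EOA, likely phishing")
    if amount == MAX_UINT256:
        findings.append(f"{fn}: unlimited allowance requested")
    return findings

# Constructed sample data: one known contract; every other address is an EOA.
KNOWN_CONTRACTS = {"0x" + "11" * 20}
has_code = lambda addr: addr.lower() in KNOWN_CONTRACTS
PHISHING_EOA = "0x" + "ab" * 20
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
SAMPLE_PERMIT = {"primaryType": "Permit", "message": {
    "owner": "0x" + "22" * 20, "spender": PHISHING_EOA,
    "value": str(MAX_UINT256), "nonce": 0, "deadline": 1893456000}}
```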
2. Malicious change of account owner
Malicious changes of account owner typically occur on public chains whose underlying mechanism includes an account-owner design, such as TRON and Solana. Once the user signs, they lose control of the account.
Taking the TRON wallet as an example, TRON's multi-signature permission system has three permission types: Owner, Witness and Active, each with specific functions and purposes.
The Owner permission has the highest authority and can execute all contracts and operations; only this permission can modify other permissions, including adding or removing other signers; a newly created account holds this permission itself by default.
The Witness permission is mainly related to Super Representatives: accounts with this permission can take part in Super Representative elections and voting and manage operations related to Super Representatives.
Active permissions are used for daily operations such as transferring funds and calling smart contracts. They can be set and modified by the Owner permission and are commonly assigned to accounts that need to perform specific tasks. An Active permission is a set of authorized operations (such as TRX transfers and staking assets).
In one situation, a hacker obtains the user's private key/mnemonic, and the user has not enabled the multi-signature mechanism (i.e. the wallet account is controlled only by the user); the hacker can then grant the Owner/Active permissions to their own address or transfer the user's Owner/Active permissions to themselves. This is commonly referred to as malicious multi-signature.
If the user's Owner/Active permissions are not removed, the hacker uses the multi-signature mechanism to share control of the account with the user. The user still holds the private key/mnemonic and the Owner/Active permissions but cannot transfer their assets: when the user initiates a transfer, both the user's and the hacker's addresses must sign for the transaction to execute.
In the other situation, the hacker uses TRON's permission management mechanism to transfer the user's Owner/Active permissions directly to the hacker's address, so the user loses the Owner/Active permissions entirely.
The outcome of both situations is the same: whether or not the user still holds Owner/Active permissions, they lose actual control of the account. Holding the account's highest permission, the hacker can change account permissions, transfer assets and perform other operations.
How does the OKX Web3 wallet interception function work in this scenario?
The OKX Web3 wallet pre-parses pending transactions. If the parsing finds any change of account permissions in the transaction, it intercepts the transaction outright, stopping the user from signing at the root and preventing asset losses.
Because the risk is extremely high, the OKX Web3 wallet currently intercepts such transactions directly and does not allow users to proceed.
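The permission-change check above, as an added example written for this article (not OKX's code). The transaction layout follows the JSON shape TRON clients use for an AccountPermissionUpdateContract, which is treated here as an assumption; the sample transaction, in which the hacker keeps the user's Owner key but adds their own and raises the threshold, is constructed.

```python
PERMISSION_UPDATE = "AccountPermissionUpdateContract"

def user_weight(perm: dict, user: str) -> int:
    """Total signing weight the user's own key holds in one permission."""
    return sum(k.get("weight", 0) for k in perm.get("keys", [])
               if k["address"].lower() == user.lower())

def classify_permission(name: str, perm: dict, user: str) -> list:
    """Explain how a rewritten Owner/Active permission affects the user."""
    keys = {k["address"].lower() for k in perm.get("keys", [])}
    foreign = sorted(keys - {user.lower()})
    reasons = []
    if user.lower() not in keys:
        reasons.append(f"{name}: user's key removed, permission handed to {foreign}")
    elif foreign:
        reasons.append(f"{name}: foreign signer(s) {foreign} added (malicious multi-sig)")
    if user_weight(perm, user) < perm.get("threshold", 1):
        reasons.append(f"{name}: user alone can no longer meet the signing threshold")
    return reasons

def analyze_tron_tx(tx: dict, user: str) -> dict:
    """Intercept any permission rewrite; list the reasons for the user."""
    reasons = []
    for contract in tx.get("raw_data", {}).get("contract", []):
        if contract.get("type") != PERMISSION_UPDATE:
            continue
        value = contract["parameter"]["value"]
        perms = [("Owner", value.get("owner", {}))]
        perms += [("Active", p) for p in value.get("actives", [])]
        for name, perm in perms:
            reasons += classify_permission(name, perm, user)
        reasons.append("transaction rewrites account permissions: blocked outright")
    return {"intercept": bool(reasons), "reasons": reasons}

# Constructed sample: hex-format TRON addresses (41 + 20 bytes); the hacker
# keeps the user's Owner key but adds their own and raises the threshold.
USER = "41" + "aa" * 20
HACKER = "41" + "bb" * 20
SAMPLE_TX = {"raw_data": {"contract": [{
    "type": PERMISSION_UPDATE,
    "parameter": {"value": {
        "owner_address": USER,
        "owner": {"type": 0, "permission_name": "owner", "threshold": 2,
                  "keys": [{"address": USER, "weight": 1},
                           {"address": HACKER, "weight": 1}]},
        "actives": [{"type": 2, "permission_name": "active", "threshold": 1,
                     "keys": [{"address": HACKER, "weight": 1}]}]}}}]}}
```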
3. Malicious change of transfer address
The risk scenario of maliciously changing the transfer address mainly occurs where a DApp's contract design is incomplete.
On March 5th, @CyversAlerts detected that an address starting with 0xae7ab received 4 stETH from EigenLayer, worth $14,199.57, in what was suspected to be a phishing attack. They also pointed out that multiple victims had signed "queueWithdrawal" phishing transactions on the main website.
Angel Drainer targeted the nature of Ethereum staking: the transaction being approved differs from the conventional ERC-20 "approve", and specifically targets the queueWithdrawal (0xf123991e) function of the EigenLayer Strategy Manager contract. The core of the attack is that a user who signs the "queueWithdrawal" transaction actually approves a malicious "withdrawer" to withdraw the wallet's staking rewards from the EigenLayer protocol to an address chosen by the attacker. Simply put, once you approve such a transaction on a phishing website, the rewards you staked on EigenLayer belong to the attacker.
To make the attack harder to detect, attackers use the "CREATE2" mechanism so that these withdrawals are approved to empty, not-yet-deployed addresses. Because this is a new approval pattern, most security providers and internal security tools do not parse and validate this approval type, so in most cases it is marked as a benign transaction.
This is not an isolated case: since the beginning of this year, several mainstream public-chain ecosystems have seen poorly designed contract vulnerabilities that allowed some users' transfer addresses to be changed maliciously, causing financial losses.
How does the OKX Web3 wallet interception function work in this scenario?
For the EigenLayer phishing scenario, the OKX Web3 wallet parses "queueWithdrawal" transactions. If it finds that the user is transacting on an unofficial website and withdrawing to an address other than the user's own, it warns the user and requires an additional confirmation to prevent phishing attacks.
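The queueWithdrawal parsing above, as an added example written for this article (not OKX's code). It assumes the function's ABI is `queueWithdrawal(uint256[],address[],uint256[],address,bool)`, so the static `withdrawer` argument sits in ABI head slot 3 regardless of the arrays' length; the official-host allow-list, the signer and the undeployed withdrawer address are constructed, and `has_code` stands in for `eth_getCode`.

```python
QUEUE_WITHDRAWAL = "f123991e"            # selector named in the article
OFFICIAL_HOSTS = {"app.eigenlayer.xyz"}  # assumed allow-list of official front-ends

def word(data: str, i: int) -> str:
    """The i-th 32-byte ABI word (hex) after the 4-byte selector."""
    return data[8 + 64 * i: 8 + 64 * (i + 1)]

def decode_queue_withdrawal(calldata: str):
    """Return {'withdrawer', 'undelegate'} from the call's ABI head, else None."""
    data = calldata.lower().removeprefix("0x")
    if data[:8] != QUEUE_WITHDRAWAL or len(data) < 8 + 64 * 5:
        return None
    # Slots 0-2 are offsets to the three dynamic arrays; slot 3 is the static
    # address argument and slot 4 the bool. Only the head is needed here.
    return {"withdrawer": "0x" + word(data, 3)[24:],
            "undelegate": int(word(data, 4), 16) == 1}

def assess_queue_withdrawal(calldata, sender, origin_host, has_code) -> dict:
    """Decide whether the wallet should demand an extra confirmation."""
    decoded = decode_queue_withdrawal(calldata)
    if decoded is None:
        return {"action": "pass", "reasons": []}
    reasons = []
    if decoded["withdrawer"].lower() != sender.lower():
        reasons.append(f"withdrawer {decoded['withdrawer']} is not the signer")
        if not has_code(decoded["withdrawer"]):
            reasons.append("withdrawer has no code yet (CREATE2-style empty address)")
    if origin_host not in OFFICIAL_HOSTS:
        reasons.append(f"request comes from unofficial site {origin_host}")
    action = "warn_and_confirm" if reasons else "pass"
    return {"action": action, "reasons": reasons}

def encode_queue_withdrawal(withdrawer: str, undelegate: bool) -> str:
    """Build calldata with three empty arrays (constructed test input only)."""
    head = "".join(format(off, "064x") for off in (0xa0, 0xc0, 0xe0))
    head += "00" * 12 + withdrawer.lower().removeprefix("0x") + format(int(undelegate), "064x")
    return "0x" + QUEUE_WITHDRAWAL + head + "00" * 96   # three zero-length tails

USER = "0x" + "22" * 20
ATTACKER_WITHDRAWER = "0x" + "cc" * 20   # constructed, undeployed address
PHISHING_CALL = encode_queue_withdrawal(ATTACKER_WITHDRAWER, True)
```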
4. Transfers to similar addresses
The attack technique of transfers to a similar address deceives the victim into using a fake address that closely resembles the real one, so that the funds end up in the attacker's account. These attacks are often accompanied by complex obfuscation and concealment techniques, with attackers using multiple wallets and cross-chain transfers to make tracing harder.
On May 3rd, a giant whale fell victim to a same-head-and-tail address phishing attack, losing 1,155 WBTC worth approximately $70 million.
The main logic of this attack is that hackers generate a large number of phishing addresses in advance, deploy batch programs in a distributed manner, and, based on users' on-chain activity, launch same-head-and-tail phishing against the target transfer address. In this incident, the hacker used an address whose first 4 and last 6 characters (after removing 0x) matched the victim's intended recipient. Right after the user's transfer (about 3 minutes later), the hacker sent a follow-up transaction from the colliding phishing address (transferring 0 ETH to the user's address), so that the phishing address appeared in the user's transaction record.
Because the user habitually copied recent transfer details from the wallet history, they did not carefully check the address they had copied after seeing this trailing phishing transaction, and 1,155 WBTC were mistakenly sent to the phishing address.
How does the OKX Web3 wallet interception function work in this scenario?
The OKX Web3 wallet continuously monitors on-chain transactions. If a suspicious transaction not initiated by the user appears shortly after a large transaction, and its counterparty is extremely similar to the large transaction's counterparty, the wallet marks that counterparty as a similar address.
If the user later interacts with a similar address, OKX Web3 intercepts and reminds them; at the same time, transactions involving similar addresses are marked directly on the transaction history page, so that users are not induced to paste them and lose assets. (Currently supports 8 chains)
Epilogue
Overall, in the first half of 2024, security incidents such as airdrop phishing emails and hacked official project accounts have occurred frequently. While enjoying the benefits of airdrops and activities, users also face unprecedented security risks. Hackers deceive users into leaking private keys or making malicious transfers by disguising themselves as official phishing emails, fake addresses and other means. In addition, some official project accounts have been hacked, causing user financial losses. For ordinary users, the most important things in such an environment are to raise awareness of prevention and keep learning about security, and at the same time to choose platforms with reliable risk controls wherever possible.
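The similar-address logic above, as an added example written for this article (not OKX's code): it scans a wallet's history for a zero-value incoming transfer that arrives shortly after a large outgoing one from an address sharing the recipient's first 4 and last 6 hex characters, then intercepts later transfers to that address and labels it on the history page. The `Tx` record, the time window and the sample history are constructed.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    ts: int        # unix seconds
    sender: str
    to: str
    value: float   # token units
    token: str

def head_tail(addr: str, head: int = 4, tail: int = 6) -> tuple:
    """The characters a victim typically eyeballs: first 4 and last 6 after 0x."""
    h = addr.lower().removeprefix("0x")
    return h[:head], h[-tail:]

def looks_alike(a: str, b: str) -> bool:
    """Same head and tail but not the same address."""
    return a.lower() != b.lower() and head_tail(a) == head_tail(b)

def find_similar_addresses(user: str, history: list, window: int = 600,
                           large: float = 1.0) -> dict:
    """Map each poisoned address to the real counterparty it imitates."""
    flagged = {}
    user = user.lower()
    for big in (t for t in history if t.sender.lower() == user and t.value >= large):
        for t in history:
            if (t.to.lower() == user and t.value == 0 and t.sender.lower() != user
                    and 0 < t.ts - big.ts <= window and looks_alike(t.sender, big.to)):
                flagged[t.sender.lower()] = big.to.lower()
    return flagged

def check_outgoing(to: str, flagged: dict) -> str:
    """Intercept a pending transfer whose recipient is a known look-alike."""
    real = flagged.get(to.lower())
    return f"intercept: {to} imitates {real}" if real else "ok"

def annotate_history(history: list, flagged: dict) -> list:
    """Labels for the history page: mark rows that involve a look-alike."""
    return ["similar address" if t.sender.lower() in flagged else "" for t in history]

# Constructed sample: a large WBTC transfer, then a 0 ETH "dusting" tx three
# minutes later from an address sharing the recipient's first 4 / last 6 chars.
USER = "0x" + "11" * 20
REAL = "0x1234" + "0" * 30 + "abcdef"
FAKE = "0x1234" + "f" * 30 + "abcdef"
HISTORY = [Tx(1000, USER, REAL, 1155.0, "WBTC"),
           Tx(1180, FAKE, USER, 0.0, "ETH")]
```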
Risk Warning and Disclaimer
This article is for reference only. This article only represents the author's viewpoint and does not represent OKX's position. This article is not intended to provide (i) investment advice or investment recommendations; (ii) Offer or solicitation to purchase, sell, or hold digital assets; (iii) Financial, accounting, legal or tax advice. We do not guarantee the accuracy, completeness, or usefulness of such information. The digital assets held (including stablecoins and NFTs) involve high risks and may experience significant fluctuations. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation. For your specific situation, please consult your legal/tax/investment professionals. Please be responsible for understanding and complying with applicable local laws and regulations on your own.