
Unlike traditional breaches that exploit vulnerabilities in code, phishing attacks exploit human psychology, targeting users' habits rather than software weaknesses. Among the different phishing techniques, the "zero transfer attack" stands out for how reliably it turns a profit for its operators. The method deceives users into sending funds to an attacker-controlled address by making that address appear, in the user's transaction history, to be one they already trust.
The attack relies on the structure of Ethereum addresses: 40 hexadecimal characters following the 0x prefix. Users tend to check only the first and last few characters, while the middle characters are seen as less important and are hard to remember. Exploiting this, scammers generate vanity Ethereum addresses whose first and last few characters match those of an address the intended victim has recently transacted with. The technique is commonly referred to as address spoofing (also called address poisoning).
Customized addresses, or vanity addresses, are deliberately generated to contain specific character patterns for legitimate purposes such as branding and personalization. When creating one, the user specifies the desired pattern and the generator keeps producing random keys until the derived public address matches it.
Suppose the target recently interacted with the address 0x3E7f2FC6328C104269A1BEC8F750000f3A3Fd0D1. The attacker then generates an address that matches the first few characters (e.g., 0x3E7f) and the last few characters (e.g., 3Fd0D1), with random characters in between. Only the handful of characters a user actually compares needs to match, which is what makes the brute-force search affordable.
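The following is an added example, not code from the original article: it shows how little a prefix/suffix comparison actually checks, what the brute-force cost of matching those ends is, and how a wallet could screen its recent-counterparties list against a trusted address book. TRUSTED is the address quoted above; the LOOKALIKE and UNRELATED addresses, the `normalize`, `is_lookalike`, `expected_attempts` and `screen_counterparties` helpers, and the prefix/suffix lengths are all assumptions made for this example.

```python
# Added example (not code from the original article). All addresses except
# TRUSTED (taken from the article) are constructed for this example.

TRUSTED = "0x3E7f2FC6328C104269A1BEC8F750000f3A3Fd0D1"
# Constructed attacker address: same first 4 and last 6 hex characters as
# TRUSTED, 30 unrelated characters in between.
LOOKALIKE = "0x3E7fb2C9d41eA7F03c8E5a6D19b4F2e8C03Fd0D1"
# Constructed unrelated address, used as a control.
UNRELATED = "0x8A1c0dE4F52b3A9C7e6D1f0B2a4C8e5D3F7a9B1c"

HEX = set("0123456789abcdefABCDEF")


def normalize(addr: str) -> str:
    """Validate the 0x + 40-hex-character shape and lower-case the address.

    EIP-55 checksum addresses mix upper and lower case, so one address can be
    spelled two ways; comparing without normalising would miss a true match.
    """
    if len(addr) != 42 or not addr.startswith("0x") or not set(addr[2:]) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def is_lookalike(trusted: str, candidate: str, prefix: int = 4, suffix: int = 6) -> bool:
    """True when `candidate` agrees with `trusted` on the characters a user
    typically glances at (first `prefix` and last `suffix` hex characters) but
    is nevertheless a different address. The same address written in a
    different checksum case is not a lookalike."""
    t, c = normalize(trusted), normalize(candidate)
    if t == c:
        return False
    return t[2:2 + prefix] == c[2:2 + prefix] and t[-suffix:] == c[-suffix:]


def expected_attempts(prefix: int, suffix: int) -> int:
    """Average number of random keys an attacker must generate before one
    derived address matches both ends: each hex character matches with
    probability 1/16, so the expectation is 16 ** (prefix + suffix)."""
    return 16 ** (prefix + suffix)


def screen_counterparties(address_book, counterparties, prefix: int = 4, suffix: int = 6) -> dict:
    """Classify each address a wallet is about to offer as a recipient.

    Returns {address: "trusted" | "lookalike of <trusted>" | "unknown"}. A
    wallet would show a lookalike with a prominent warning, or not at all,
    rather than as ordinary history.
    """
    book = {normalize(a) for a in address_book}
    result = {}
    for addr in counterparties:
        n = normalize(addr)
        if n in book:
            result[addr] = "trusted"
            continue
        match = next((b for b in book if is_lookalike(b, n, prefix, suffix)), None)
        result[addr] = f"lookalike of {match}" if match else "unknown"
    return result


if __name__ == "__main__":
    print(is_lookalike(TRUSTED, LOOKALIKE))        # True
    print(f"{expected_attempts(4, 6):,}")           # 1,099,511,627,776 (16**10)
    print(screen_counterparties([TRUSTED], [TRUSTED, LOOKALIKE, UNRELATED]))
```

Matching 4 + 6 hex characters costs about 1.1e12 key generations on average, which is hours of work for GPU vanity-address tooling; matching the full 40 characters would be infeasible. The screening function therefore treats "same ends, different middle" as a red flag rather than as evidence of a match.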
To initiate the zero transfer attack, the attacker sends a zero-value token transfer that is recorded as coming from the victim's wallet to the spoofed address, so that the spoofed address appears in the victim's transaction history.
The attacker then waits, expecting that the victim will later copy the wrong address from that history and send real cryptocurrency to it.
The ERC-20 "transferFrom" function lets one account (the transaction initiator, or spender) move a given quantity of tokens from another account (the owner) to a third account (the receiver). Ordinarily this requires the owner to have approved the spender for at least that amount. The check, however, is simply that the spender's allowance is greater than or equal to the requested amount, and for a zero-value transfer an allowance of zero satisfies it. The ERC-20 standard also requires that transfers of zero value be treated as normal transfers and emit a Transfer event. The attacker can therefore call transferFrom(victim, spoofedAddress, 0) without any approval, and the chain records a Transfer event from the victim to the spoofed address that wallets and block explorers display as if the victim had initiated it.

Because deployed ERC-20 tokens and many other contracts are not upgradeable, and the standard itself mandates the zero-value behaviour, modifying the contracts is not a practical fix. The issue lies less in the standard than in how off-chain tools interpret and display Transfer events. Rather than attempting to alter the standard, the more practical approach is to improve block explorers and wallets so that zero-value transfers are hidden by default and never populate a user's list of recent recipients.
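The following is an added example, not the article's code and not any real token contract: a minimal Python model of ERC-20 balance and allowance bookkeeping. It serves both the transferFrom discussion above (why a zero-value call succeeds without any approval and still emits a Transfer event) and the mitigation just described (how a wallet or explorer keeps that event out of the recent-recipients list). The `Token` and `Transfer` classes, the `recent_recipients` filter, the placeholder addresses and the balances are all assumptions made for this example.

```python
# Added example (not the article's code and not any real token contract).
# Addresses, balances and the scenario are constructed for this example.

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transfer:
    """The ERC-20 Transfer(from, to, value) event as an indexer would see it."""
    sender: str
    to: str
    value: int


@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # owner -> {spender: amount}
    events: list = field(default_factory=list)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances.setdefault(owner, {})[spender] = amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> bool:
        # The usual ERC-20 checks. Both are of the form "value >= amount", so
        # amount == 0 always passes, even when the caller was never approved.
        allowed = self.allowances.get(owner, {}).get(caller, 0)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowances.setdefault(owner, {})[caller] = allowed - amount
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        # EIP-20: transfers of 0 value MUST be treated as normal transfers and
        # fire the Transfer event. This event is what wallets and explorers index.
        self.events.append(Transfer(owner, to, amount))
        return True


def recent_recipients(events, wallet: str, hide_zero: bool) -> list:
    """Addresses `wallet` appears to have sent tokens to, in order of first
    appearance. With hide_zero=True the poisoned entry never reaches the UI."""
    seen = []
    for ev in events:
        if ev.sender != wallet or (hide_zero and ev.value == 0):
            continue
        if ev.to not in seen:
            seen.append(ev.to)
    return seen


# Placeholder labels instead of real 20-byte addresses (constructed).
VICTIM, EXCHANGE, ATTACKER, SPOOF = "0xVictim", "0xExchange", "0xAttacker", "0xSpoof"


def run_scenario() -> dict:
    token = Token(balances={VICTIM: 1_000})
    # Legitimate activity: the victim approved a contract, which pulled 100 tokens.
    token.approve(VICTIM, EXCHANGE, 100)
    token.transfer_from(EXCHANGE, VICTIM, EXCHANGE, 100)
    # A non-zero transferFrom by the attacker is rejected: there is no allowance.
    try:
        token.transfer_from(ATTACKER, VICTIM, SPOOF, 1)
        stole = True
    except PermissionError:
        stole = False
    # The zero-value transferFrom goes through and logs Transfer(VICTIM, SPOOF, 0).
    token.transfer_from(ATTACKER, VICTIM, SPOOF, 0)
    return {
        "attacker_moved_tokens": stole,
        "victim_balance": token.balances[VICTIM],
        "poison_event": token.events[-1],
        "naive_history": recent_recipients(token.events, VICTIM, hide_zero=False),
        "filtered_history": recent_recipients(token.events, VICTIM, hide_zero=True),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The victim's balance is untouched by the poisoning call; the only artefact is the Transfer(victim, spoof, 0) event, and a history view built without the zero-value filter lists the spoofed address right next to the exchange the victim really paid.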
Another effective strategy is continuous user education combined with secure UX practices. Encouraging users to verify the full address, not just its first and last characters, before sending tokens, and not to rely solely on copying addresses from transaction history or automated address pasting, establishes a proactive defense against malicious actors exploiting the "0 transfer" loophole.