Unlike traditional breaches that exploit vulnerabilities in code, phishing attacks exploit human psychology, targeting users' behaviors rather than software weaknesses. Among the various phishing techniques, the "zero transfer attack" stands out for how effectively it pays off for attackers. This method deceives users into inadvertently sending funds to the attacker's address by making that address appear similar to a trusted address in the user's transaction records.
In this exploit, the attacker capitalizes on the structure of Ethereum addresses, which are hexadecimal strings comprising 40 characters. Users tend to concentrate on the initial and final characters of Ethereum addresses, while the middle characters are perceived as less crucial and more challenging to recall. With this in mind, scammers create vanity Ethereum addresses that deliberately mirror the first and last few characters of an address with which the potential victim has recently engaged. This deceptive technique is commonly referred to as address spoofing.
The Role of Vanity Addresses in Zero Transfer Attacks
Customized addresses, or vanity addresses, are deliberately created to include specific patterns or combinations of characters that serve legitimate purposes, including branding and personalization. Users can specify desired patterns for their new address when crafting a vanity public address.
Suppose the target recently interacted with the address 0x3E7f2FC6328C104269A1BEC8F750000f3A3Fd0D1. In this scenario, the attacker might fabricate an address that mirrors the first few characters (e.g., 0x3E7f) and the last few characters (e.g., 3Fd0D1) while randomizing the characters in between.
After a successful zero-value transfer, the hacker anticipates the potential victim might unintentionally select the incorrect wallet address from their transaction records and proceed to transfer cryptocurrency to it in the future.
Zero Transaction Execution
To launch the zero transfer attack, the hacker submits a zero-value transaction that names the victim's wallet as the sender and the spoofed address as the recipient, so that the spoofed address becomes associated with the victim's wallet in its transaction records.
The "transferFrom" function typically permits one account (the "transaction initiator") to transfer a designated quantity of tokens from another account (the "owner") to a third account (the "receiver"). Ordinarily, this transaction requires prior authorization from the owner before it can be executed. However, in the case of a zero-value transaction, this authorization requirement is effectively circumvented: the allowance check only requires that the approved amount be at least the amount being transferred, and an amount of zero satisfies that condition even when nothing has been approved. The hacker can therefore record a transfer from the owner's wallet without the owner's consent.
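To make the allowance reasoning concrete, here is a minimal model of the ERC-20 transferFrom checks. This is an added illustration, not code from the article or from any real token contract; the accounts VICTIM, ATTACKER and SPOOF are constructed sample values, and the model only mirrors the two comparisons (allowance and balance) that decide whether the call succeeds.

```python
# Added illustrative model of the ERC-20 transferFrom checks (not a real
# token contract). It shows why a zero-value pull passes without approval
# while still emitting a Transfer event in the owner's history.

from dataclasses import dataclass, field

# Constructed sample accounts; TRUSTED is the address quoted in the article,
# SPOOF is a constructed lookalike sharing its first and last characters.
VICTIM = "0x1111111111111111111111111111111111111111"
ATTACKER = "0x2222222222222222222222222222222222222222"
TRUSTED = "0x3E7f2FC6328C104269A1BEC8F750000f3A3Fd0D1"
SPOOF = "0x3E7f" + "0" * 30 + "3Fd0D1"


@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount
    events: list = field(default_factory=list)      # emitted Transfer events

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> bool:
        """Mirror the checks a standard transferFrom performs."""
        allowed = self.allowances.get((owner, caller), 0)
        if allowed < amount:                       # 0 < 0 is False: passes
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:   # 0 < 0 is False: passes
            raise ValueError("insufficient balance")
        self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] = self.balances.get(owner, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount
        # The Transfer(from, to, value) log is what wallets and explorers
        # display in the owner's history, whatever the value is.
        self.events.append({"from": owner, "to": to, "value": amount})
        return True


def demo():
    """Return (nonzero_succeeded, zero_succeeded, events, victim_balance)."""
    t = Token(balances={VICTIM: 100})
    try:
        t.transfer_from(ATTACKER, VICTIM, SPOOF, 1)   # no approval: rejected
        nonzero_ok = True
    except PermissionError:
        nonzero_ok = False
    zero_ok = t.transfer_from(ATTACKER, VICTIM, SPOOF, 0)  # passes every check
    return nonzero_ok, zero_ok, t.events, t.balances[VICTIM]


if __name__ == "__main__":
    print(demo())
```

The victim's balance is untouched and no funds move; the only artefact is the Transfer event from the victim to the lookalike address, which is exactly the record the victim may later copy from.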
Precautions Against Zero Transfer Attack
The immutable nature of ERC-20 and numerous non-upgradeable contracts render contract modification pointless. The issue is not mainly about the standard itself but rather how off-chain tools interpret and display events. Instead of attempting to alter the standard, a more practical approach involves enhancing tools like block explorers and wallets to minimize exposure to zero-value transfers by default.
Another effective strategy revolves around continuous education and the adoption of secure UX practices. By encouraging users to verify addresses during token transfers and not solely rely on automated mechanisms for pasting addresses, a proactive defense can be established against malicious actors exploiting the "0 transfer" loophole.
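One way a wallet or explorer can apply the two precautions above is to hide zero-value entries by default and to flag any zero-value counterparty that shares the leading and trailing characters of an address the user has genuinely transacted with. The code below is an added example, not from the article or any wallet project; the history entries are constructed, reusing the article's example address alongside a constructed lookalike.

```python
# Added example: wallet-side heuristics against address poisoning.
# Not from the article or any real wallet; sample history is constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    counterparty: str   # the other address in the transfer
    value: int          # token amount; 0 for a zero-value transfer
    outgoing: bool      # True if recorded as sent from the user's wallet


def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if two distinct addresses agree on their first and last hex chars."""
    a, b = a.lower(), b.lower()
    if a == b:
        return False
    body_a, body_b = a[2:], b[2:]   # drop the "0x" prefix
    return body_a[:prefix] == body_b[:prefix] and body_a[-suffix:] == body_b[-suffix:]


def flag_suspicious(history: list) -> list:
    """Return indices of zero-value entries whose counterparty mimics a
    counterparty from a non-zero transfer (the poisoning pattern)."""
    trusted = {e.counterparty.lower() for e in history if e.value > 0}
    return [
        i for i, e in enumerate(history)
        if e.value == 0 and any(looks_alike(e.counterparty, t) for t in trusted)
    ]


def display_history(history: list, hide_zero_value: bool = True) -> list:
    """Entries to show by default; zero-value transfers are hidden."""
    return [e for e in history if e.value > 0 or not hide_zero_value]


# Constructed sample history: a genuine payment, a zero-value entry to a
# lookalike address, and an unrelated zero-value entry.
SAMPLE_HISTORY = [
    Entry("0x3E7f2FC6328C104269A1BEC8F750000f3A3Fd0D1", 500, True),
    Entry("0x3E7f" + "a" * 30 + "3Fd0D1", 0, True),
    Entry("0x9999999999999999999999999999999999999999", 0, False),
]


if __name__ == "__main__":
    print("flagged:", flag_suspicious(SAMPLE_HISTORY))
    print("shown by default:", display_history(SAMPLE_HISTORY))
```

The prefix and suffix lengths are deliberately short, since users compare only a few characters at each end; a wallet can raise them, but the decisive control remains comparing the full address before sending rather than picking one from history.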
Link to the article
https://twitter.com/CharlesWangP/status/1778535806174703961