Fraudsters are exploiting misconfigurations in smart contracts to create malicious cryptocurrency tokens with the aim of stealing funds from unsuspecting users.
Instances of token fraud in the wild include concealed 99% fee functions and hidden backdoor routines, Check Point researchers said in a report shared with The Hacker News.
Smart contracts are programs stored on the blockchain that are automatically executed when predetermined conditions are met under the terms of a contract or agreement. They allow transactions and trust agreements between anonymous parties without the need for a central authority.
Examining the Solidity source code used to implement smart contracts, the Israeli cybersecurity company found instances of hidden, hard-coded fees that cannot be changed, while allowing malicious actors to exercise control over “who can sell.”
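As an added illustration (not code from the Check Point report), the Python sketch below flags the two red flags described above in Solidity source: a fee fixed as a constant and a transfer path gated on an address allowlist. The sample contract fragment, the 25% threshold, and all rule and function names are assumptions made for this example.

```python
import re

# Constructed Solidity fragment (not taken from the report) with both red flags.
SAMPLE = """
contract Token {
    uint256 private constant _fee = 99;
    mapping(address => bool) private _canSell;
    function _transfer(address from, address to, uint256 amount) internal {
        if (to == pair) {
            require(_canSell[from] || from == _owner, "transfer failed");
        }
    }
}
"""

MAX_PERCENT = 25  # assumption: fee values are percentages; tune per project
DECL = re.compile(r"\buint\d*\s+((?:(?:public|private|internal|constant|immutable)\s+)*)"
                  r"(\w+)\s*=\s*(\d+)\s*;")
BOOL_MAP = re.compile(r"mapping\s*\(\s*address\s*=>\s*bool\s*\)\s*(?:\w+\s+)*?(\w+)\s*;")
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{;]*\{")
TRANSFER_FUNCS = {"_transfer", "transfer", "transferFrom"}

def function_bodies(src):
    """Yield (name, body) for transfer-path functions, using brace matching."""
    for m in FUNC.finditer(src):
        if m.group(1) not in TRANSFER_FUNCS:
            continue
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def audit(src):
    """Return (rule, location, detail, severity) tuples for manual review."""
    findings = []
    for mods, name, value in DECL.findall(src):
        # A constant or immutable fee can never be lowered after deployment.
        if re.search(r"fee|tax", name, re.I) and re.search(r"constant|immutable", mods):
            sev = "high" if int(value) >= MAX_PERCENT else "info"
            findings.append(("fixed-fee", name, int(value), sev))
    gates = set(BOOL_MAP.findall(src))
    for fname, body in function_bodies(src):
        for cond in re.findall(r"require\s*\(([^;]*)\)\s*;", body):
            for gate in sorted(gates):
                # A require() keyed on an address allowlist decides who may transfer.
                if re.search(r"\b%s\b" % re.escape(gate), cond):
                    findings.append(("transfer-gate", fname, gate, "high"))
    return findings
```

These are text heuristics meant to prioritize manual review; renamed variables or fee logic split across helper functions will not match.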
In another case, a legitimate contract called Levyathan was hacked after its developers inadvertently uploaded the wallet’s private key to its GitHub repository, allowing the exploiter to mint an infinite number of tokens and steal funds from the contract in July 2021.
A rug pull is a type of scam in which a project's creators withdraw investors' money and abandon the project after a large amount has been allocated to what appears to be a legitimate crypto project.
Lastly, poor access controls implemented by Zenon Network maintainers allowed an attacker to abuse the unprotected recording feature within the smart contract to drive up the price of the coin and drain funds totaling $814,570 in November 2021.
The findings come as cyberattack campaigns have been observed leveraging lure-based phishing schemes surrounding soon-to-be-released crypto tokens (albeit fake) to ultimately trick victims into paying with their own cryptocurrency.
“On top of that, to engage other victims and perpetuate the scam, the website offered a referral program for friends and family,” said Akamai researcher Or Katz. “By doing this, the threat actors created a new trusted channel through which current victims referred [to] other potential targets.”
“The implication is that cryptocurrency users will continue to fall for these traps and lose their money,” said Oded Vanunu, head of product vulnerability research at Check Point. “To avoid fraudulent coins, I recommend cryptocurrency users to diversify their wallets, ignore ads and test their transactions.”