Researchers at Check Point Research (CPR), Check Point Software’s Threat Intelligence division, have identified a new security exploit targeting users of the blockchain platforms Uniswap and Safe.global. The technique abuses legitimate blockchain functions, putting countless users at risk.
Discovered on the Uniswap V3 contract and the Safe.global smart contract, the scam lets attackers orchestrate fund transfers from victims’ wallets to their own. With over $1.8 trillion in trading volume, 350 million swaps, and over $4 billion in total value locked (TVL), the Uniswap Protocol is the largest and most popular decentralized exchange for trading cryptocurrency tokens on Ethereum and other popular blockchains.
Attack methodology
Attackers often use social engineering techniques to manipulate victims into approving transactions by sending phishing emails or messages that appear to be from trusted sources, encouraging users to increase their token allowances and disguising these requests as legitimate activities.
In this attack, cybercriminals used well-known addresses such as those of Uniswap and Safe to disguise their malicious activity. They used the aggregate function multicall to pack multiple fraudulent transactions into a single call, making it difficult for users to spot the suspicious activity. Trusted platforms like Uniswap and Safe.global have already completed 69 million transactions, deployed 9.5 million accounts, and hold $100 billion in total assets.
By leveraging social engineering tactics, the attackers were able to orchestrate transfers of funds from victims’ wallets to their own. Similarly, the Gnosis Safe framework is exploited by creating legitimate-looking proxy contracts that trick users into increasing their permissions and so facilitate unauthorized transactions.
“This new vulnerability highlights the growing sophistication of cybercriminals targeting the cryptocurrency space, revealing not only the need for user vigilance, but the urgent need for advanced security measures and ongoing education,” says Oded Vanunu, Chief Technologist & Product Vulnerability Research Lead at Check Point Software.
Vanunu adds that, “As decentralized finance platforms continue to grow, attackers are exploiting every possible weakness, leading to potentially devastating financial and personal consequences for users.”
Safety Tips
Transactions on the blockchain are irreversible. Unlike with a bank, a user cannot block a stolen card or dispute a transaction on the blockchain. Researchers at Check Point Software therefore recommend the following strict security measures to protect digital assets:
• Verify the legitimacy of contracts and their functions before approving any transaction.
• Carry out actions directly from the official project websites to ensure authenticity.
• Be careful and cautious with emails and links on social networks, as they can be vectors for scams and attacks.
• Regularly monitor your wallet and transaction history for any unusual activity.
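The multicall bundling described under "Attack methodology" and the first tip above ("verify contracts and their functions before approving") can be turned into a pre-signing check. The following is an added example, not code from Check Point, Uniswap or Safe: it decodes the bytes[] argument of a Uniswap-style multicall(bytes[]), recurses into the inner calls, and flags allowance grants and transferFrom calls against the user's own wallet. The four-byte selectors are hardcoded (the standard library has no keccak256); the victim/attacker addresses and the bundled calls are constructed placeholders, since the article does not give the exact calls the attackers used.

```python
UNLIMITED = 2**256 - 1
# 4-byte selectors (first bytes of keccak256 of the signature), hardcoded: stdlib has no keccak256.
SELECTORS = {"095ea7b3": "approve", "39509351": "increaseAllowance",
             "23b872dd": "transferFrom", "ac9650d8": "multicall"}

def _word(data: bytes, off: int) -> int:
    return int.from_bytes(data[off:off + 32], "big")

def _addr(data: bytes, off: int) -> str:          # an address is right-aligned in its 32-byte word
    return "0x" + data[off + 12:off + 32].hex()

def decode_multicall(calldata: bytes) -> list:
    """Unpack the bytes[] argument of multicall(bytes[]) into the inner calls."""
    body, inner = calldata[4:], []
    arr = _word(body, 0)                           # offset of the array head (normally 0x20)
    base = arr + 32                                # element offsets are relative to here
    for i in range(_word(body, arr)):
        eoff = base + _word(body, base + 32 * i)
        inner.append(body[eoff + 32:eoff + 32 + _word(body, eoff)])
    return inner

def audit(calldata: bytes, wallet: str) -> list:
    """Findings a wallet UI could show before the user signs; recurses into multicall."""
    name, args = SELECTORS.get(calldata[:4].hex(), "unknown"), calldata[4:]
    if name == "multicall":
        inner = decode_multicall(calldata)
        return [f"multicall bundles {len(inner)} calls"] + [f for c in inner for f in audit(c, wallet)]
    if name in ("approve", "increaseAllowance"):
        amount = _word(args, 32)
        level = "UNLIMITED" if amount == UNLIMITED else str(amount)
        return [f"{name} grants {level} allowance to {_addr(args, 0)}"]
    if name == "transferFrom" and _addr(args, 0) == wallet.lower():
        return [f"transferFrom moves {_word(args, 64)} from your wallet to {_addr(args, 32)}"]
    return []

def encode_multicall(calls: list) -> bytes:
    """ABI-encode multicall(bytes[]); used here only to build the constructed sample."""
    offs, tails, pos = [], [], 32 * len(calls)
    for c in calls:
        offs.append(pos.to_bytes(32, "big"))
        tails.append(len(c).to_bytes(32, "big") + c + bytes(-len(c) % 32))
        pos += len(tails[-1])
    return (bytes.fromhex("ac9650d8") + (32).to_bytes(32, "big")
            + len(calls).to_bytes(32, "big") + b"".join(offs) + b"".join(tails))

# Constructed sample with placeholder addresses: an unlimited approve to ATTACKER, then a transferFrom out of VICTIM.
VICTIM, ATTACKER = "0x" + "11" * 20, "0x" + "22" * 20
SAMPLE = encode_multicall([
    bytes.fromhex("095ea7b3") + bytes(12) + bytes.fromhex(ATTACKER[2:]) + UNLIMITED.to_bytes(32, "big"),
    bytes.fromhex("23b872dd") + bytes(12) + bytes.fromhex(VICTIM[2:])
    + bytes(12) + bytes.fromhex(ATTACKER[2:]) + (10**18).to_bytes(32, "big")])
```

Running `audit(SAMPLE, VICTIM)` reports the bundle size, the unlimited allowance and the outbound transfer; a wallet that shows only "Uniswap: multicall" would display none of this.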
“Beyond the immediate financial losses, such breaches can result in long-term damage to user trust and broader adoption of decentralized technologies. Our commitment has been to provide users with the tools and insights they need to safely navigate this dynamic landscape, and to advocate for rigorous verification of transactions, even from trusted sources, as well as to keep them informed of the latest threats. By empowering users to proactively protect their digital assets, we aim to build a more resilient and secure decentralized finance ecosystem,” reinforces Vanunu.
Source: https://www.hardware.com.br/noticias/novo-golpe-explora-blockchain-para-roubo-de-carteiras-de-criptomoedas.html