Article Details
Scrape Timestamp (UTC): 2025-01-10 18:16:46.302
Original Article Text
Click to Toggle View
New Web3 attack exploits transaction simulations to steal crypto. Threat actors are employing a new tactic called "transaction simulation spoofing" to steal crypto, with one attack successfully stealing 143.45 Ethereum, worth approximately $460,000. The attack, spotted by ScamSniffer, highlights a flaw in transaction simulation mechanisms used in modern Web3 wallets, meant to safeguard users from fraudulent and malicious transactions. How the attack works Transaction simulation is a feature that allows users to preview the expected outcome of a blockchain transaction before signing and executing it. It is designed to enhance security and transparency by helping users verify what the transaction will do, like the amount of transferred cryptocurrency, gas fees and other transaction costs, and other on-chain data changes. The attackers lure victims to a malicious website that mimics a legitimate platform, which initiates what is made to appear as a "Claim" function. The transaction simulation shows that the user will receive a small amount in ETH. However, a time delay between the simulation and the execution allows the attackers to alter the on-chain contract state to change what the transaction will actually do if approved. The victim, trusting the wallet's transaction simulation result, signs the transaction, allowing the site to drain their wallet of all crypto and send it to the attacker's wallet. ScamSniffer highlights an actual case where the victim signed the deceptive transaction 30 seconds after the state change, losing all their assets (143.35 ETH) as a result. "This new attack vector represents a significant evolution in phishing techniques." warns ScamSniffer "Rather than relying on simple deception, attackers are now exploiting trusted wallet features that users rely on for security. This sophisticated approach makes detection particularly challenging." The blockchain monitoring platform suggests that Web3 wallets reduce the simulation refresh rates to match blockchain block times, force refresh simulation results before critical operations, and add expiration warnings to warn users about the risk. From the user's perspective, this new attack shows why wallet simulation shouldn't be trusted. Cryptocurrency holders should treat "free claim" offers on obscure websites with caution and only trust verified dApps.
Daily Brief Summary
Threat actors have developed a technique known as "transaction simulation spoofing" to manipulate Web3 wallets and steal cryptocurrency, targeting Ethereum in recent successful theft.
Attackers trick victims into visiting a counterfeit platform presenting a seemingly harmless "Claim" function, which initially suggests the recipient would gain a small ETH amount.
However, there is a deceptive delay between the simulation and the actual transaction execution, during which attackers change the contract's conditions on the blockchain.
Believing the transaction simulation provided by their trusted wallets, victims authorize transactions that instead drain their wallets, directing funds to the attackers' accounts.
One reported incident resulted in a victim losing 143.35 ETH, valued at approximately $460,000, due to this scam.
ScamSniffer, the entity that reported the flaw, suggests reducing the wallet simulation refresh rates and incorporating real-time updates and warning mechanisms to help prevent such exploits.
Advice to cryptocurrency users includes skepticism toward free crypto claims from unverified sources and a recommendation to rely only on transactions verified by trusted decentralized applications (dApps).