Ethereum feature abused to steal $60 million from 99K victims (Security News, November 2023)
Unlike the original Create opcode, which generated new addresses based on the creator's address and nonce, Create2 allows calculating addresses before the deployment of the contract.
It's a powerful tool for Ethereum developers: it enables advanced and flexible contract interactions, parameter-based pre-calculation of contract addresses and flexible deployment, and it suits off-chain transactions and certain dApps.
Scam Sniffer's report explains that Create2 can be abused to generate fresh contract addresses with no history of malicious/reported transactions, hence bypassing wallet security alerts.
In a recent case analysts observed, a victim lost $927,000 worth of GMX after they were tricked into signing a transfer contract that sent the assets to a pre-computed address.
Since August 2023, Scam Sniffer has recorded 11 victims losing nearly $3 million, with one of them transferring $1.6 million to an address resembling one they had sent money to recently.
In early August 2023, a Binance operator mistakenly sent $20 million to scammers who employed the 'address poisoning' trick, but noticed the error quickly and froze the recipient's address.