Security News > 2023 > November > Ethereum feature abused to steal $60 million from 99K victims

Ethereum feature abused to steal $60 million from 99K victims
2023-11-13 21:41

Unlike the original Create opcode, which generated new addresses based on the creator's address and nonce, Create2 allows calculating addresses before the deployment of the contract.

It's a powerful tool for Ethereum developers, enabling advanced and flexible contract interactions, parameter-based contract address pre-calculation, deployment flexibility, suitability for off-chain transactions and certain dApps.

Scam Sniffer's report explains that Create2 can be abused to generate fresh contract addresses with no history of malicious/reported transactions, hence bypassing wallet security alerts.

In a recent case analysts observed, a victim lost $927,000 worth of GMX after they were tricked into signing a transfer contract that sent the assets to a pre-computed address.

Since August 2023, Scam Sniffer has recorded 11 victims losing nearly $3 million, with one of them transferring $1.6 million to an address resembling one they had sent money to recently.

In early August 2023, a Binance operator mistakenly sent $20 million to scammers who employed the 'address poisoning' trick but noticed the error quickly and froze the recipient's address.


News URL

https://www.bleepingcomputer.com/news/security/ethereum-feature-abused-to-steal-60-million-from-99k-victims/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Ethereum 9 0 8 23 2 33