Exploiting a feature of the Ethereum blockchain, hackers tricked victims into sending funds to addresses they controlled. Over the past six months, nearly 100,000 individuals were ensnared, resulting in a staggering $60 million loss, as outlined in the latest Scam Sniffer report.
According to the report, the attackers leveraged Create2, an opcode that lets a contract's address be computed before the contract is deployed on the Ethereum network. In practice, the hackers generated a fresh address for each targeted transaction, chosen to closely resemble the intended recipient's address. This deceptive maneuver is termed “address poisoning.”
Security Bypass Techniques
Before initiating a fund transfer, users commonly adopt two precautionary measures: 1) checking the recipient's address, usually by looking at its first and last characters; 2) sending a small test transaction first to confirm that the funds arrive.
Because addresses are long and look random, users tend to scrutinize only the first and last few characters, and that habit is the weakness. Attackers craft addresses that match those characters while differing in the middle, so a quick visual check passes them off as legitimate.
Even the test transaction offers little protection: the criminals forward it on to the authentic address, so the check appears to succeed and the second layer of security is nullified. The counterfeit addresses are smart contracts rather than wallets directly controlled by the attackers, and they pass the funds along to their final destination.
Instances of fraud leveraging Create2 have already been documented, with one victim sustaining a loss of $1.6 million. To avert such incidents, users are strongly urged to examine the entire address carefully rather than settling for a superficial check of the first and last characters.