How does the False Top-up attack break through the defense of the exchange?

SlowMist
8 min readJul 28, 2023

--

Fake deposit attacks refer to the tactics where attackers exploit vulnerabilities or system errors in the exchange’s processing of deposit operations. They send counterfeit transaction data to the exchange wallet addresses, which the exchange mistakenly identifies as legitimate deposit requests, and subsequently credits the corresponding digital assets or currencies into the attacker’s account. By deploying these tactics, the attackers can obtain digital assets without payment, resulting in a loss of assets for the exchanges.

The purpose of this article is to delve into how fake deposit attacks breach the defense mechanisms of exchanges. We will analyze the principles of these attacks, revealing the vulnerabilities and strategies utilized by the attackers. Simultaneously, we’ll illustrate fake deposit attacks using case studies to better comprehend the attack methods and their impact. Moreover, we’ll discuss emergency measures and preventive measures for exchanges to cope with fake deposit attacks, providing suggestions to protect assets and counter similar attacks.

Analyzing the Principle of Deposits

To understand fake deposits, it’s necessary to first comprehend the principle of deposits in exchanges.

The typical process is as follows:

1. Wallet Address Generation
The exchange assigns each user a unique wallet address for receiving deposits. These addresses are typically auto-generated by the exchange’s system. Users need to send digital assets to the specific wallet address within the exchange’s account during the deposit process.

2. Blockchain Ledger Scan
The nodes of the exchange sync with other nodes in the blockchain network to acquire the latest blockchain status and transaction data. When the exchange’s node receives a new block, it extracts the deposit transaction ID and corresponding amount from the transactions contained within the block or the transaction execution events triggered by the block, then adds them to the deposit waiting list.

3. Confirmation of Deposit
Exchanges generally require that transactions receive a certain number of confirmations within the blockchain network to be considered valid. These confirmations indicate that the exchange’s block has been referenced by a number of blocks and verified and confirmed by other miners. The number of confirmations set by exchanges may vary according to different digital assets and networks.

Fake deposit attacks occur during stages 5 and 6

Modes of Fake Deposit Attacks

Exchanges are often prime targets for hackers. Therefore, exchanges usually put their servers behind numerous defense systems and even offer offline custody for core services managing funds. However, due to the blockchain system’s requirement for data integrity, malicious transactions are not blocked by peripheral security systems.

It should be noted that fake deposit attacks are not blockchain vulnerabilities. Instead, attackers exploit certain characteristics of the blockchain to craft special transactions. These malicious transactions cause the exchange to mistake them for legitimate deposit requests or process the same deposit request multiple times. After long-term hands-on experiences, the SlowMist security team has summarized several common fake deposit attack tactics:

Since 2018, the SlowMist security team has disclosed several fake deposit attacks, including:

- USDT False Transfer Security Risk Analysis
- EOS Fake Deposit (hard_fail Status Attack) Red Alert Details and Remediation Plan
- Ethereum Token “Fake Deposit” Vulnerability Details and Remediation Plan
- Bitcoin RBF Fake Deposit Risk Analysis

In addition to these publicized fake deposit attacks, there are several classic attack methods and universal attack methods that we have not made public, such as:

- Bitcoin Multi-Signature Fake Deposit
- Ripple Partial Payment Fake Deposit
- Filecoin Double-Spending Fake Deposit
- TON Bounce-Back Fake Deposit

For more details, feel free to contact us for further discussion.

Case Study: TON Bounce-Back False Top-up

Almost all blockchains face the problem of false top-up, although some attacks are easily avoidable, some require in-depth research of the blockchain’s characteristics to be effectively prevented.

Taking TON’s fake deposit as an example, we will demonstrate how cunning attackers exploit TON’s features to attack exchanges.

TON (The Open Network) is a blockchain project launched by the well-known messaging software Telegram, which allows users to deploy smart contracts on their accounts.

When the exchange integrates TON deposits, following the method described earlier, it first generates a deposit address for the user, then the user transfers assets to this deposit address, and finally the deposit is confirmed.

How does an exchange confirm that a transaction belongs to its user? Let’s examine a normal transfer using the RPC interface:

Normally, the exchange would check whether the ‘destination’ in the ‘in_msg’ is the user’s deposit address. If it is, the ‘value’ amount is converted according to the precision and deposited into the user’s account. But is this approach secure?

One characteristic of TON transactions is that almost all internal messages sent between smart contracts should be ‘bounceable’, i.e., their ‘bounce’ flag should be set. Thus, if the target smart contract does not exist or throws an unhandled exception during message processing, the message will be “bounced” back, carrying the balance of the original value (minus all message transfers and gas costs).

In other words, if a malicious attacker makes a transfer to an account without a deployed contract, setting the ‘bounce’ flag, the deposit amount, after deducting the handling fee, will be bounced back to the original account. The exchange detects the user’s deposit record, but unexpectedly, the deposited currency will return, “bouncing” back to the attacker’s account.

Let’s look at this transaction. Compared to a normal transaction, there is an additional ‘out_msg’, which is the operation of the funds being bounced back to the original account.

If the exchange only verifies ‘in_msg’, it would mistakenly credit the attacker’s account, leading to a loss of platform assets.

Best Practices for Preventing Fake Deposit Attacks

Some basic strategies for preventing fake deposit attacks include:

1. Multi-confirmation Mechanism: Set multiple confirmations for deposits to ensure that the transaction is considered valid only after it has received sufficient confirmations on the blockchain. The number of confirmations should be set according to the security of different digital assets and the speed of blockchain confirmations.

2. Rigorous Transaction Matching: When filtering user transactions from the block, only those that perfectly match the normal transfer pattern can automatically be set as deposited. The final balance change must also be checked.

3. Risk Control System: Establish a comprehensive risk control system to monitor and detect abnormal transaction activities. This system can identify potential risks and abnormal behavior by analyzing deposit patterns, transaction frequency, transaction size, and other factors.

4. Manual Review: For larger amounts or high-risk transactions, employ a manual review mechanism for additional scrutiny. Manual reviews can increase transaction credibility, identify abnormal transactions, and prevent malicious deposits.

5. API Security: Authenticate and authorize external API interfaces securely to avoid unauthorized access and potential vulnerabilities. Regularly review the security of API interfaces and carry out timely security updates and fixes.

6. Withdrawal Restrictions: Temporarily restrict user withdrawals of deposited assets. This allows the exchange adequate time to confirm the validity of the deposit and fend off potential fake deposit attacks.

7. Security Updates: Regularly update exchange software and systems to fix potential security vulnerabilities. Continuously monitor the security status of the exchange and collaborate with network security experts for regular security audits and penetration testing.

For specific blockchain fake deposit prevention, it is necessary to thoroughly read the official documentation and understand the characteristics present in the transactions.

“Introducing Badwhale: A Robust False Top-up Detection System”

Over the years of intensive hands-on experience in the field of cybersecurity, the SlowMist security team has developed an exclusive system known as “Badwhale.” This false top-up detection system is specifically designed for digital asset management platforms. Its primary objective is to aid these platforms in identifying and evaluating their defensive capabilities against false top-up attacks, thereby optimizing their defense mechanisms and ensuring the safety of user assets and reliability of the digital asset management platforms.

Badwhale, a proprietary business system of the SlowMist security team, matured over several years, has been serving dozens of platforms continuously for years, successfully averting false top-up risks for assets estimated to be in the billions of dollars.

Notable Features:

1. Simulated False Top-up Attacks: Badwhale can simulate various types of false top-up attacks, sending bogus deposit requests to the tested digital asset management platforms. This evaluation is crucial for pinpointing the vulnerabilities and potential security risks of these platforms.

2. Diverse Testing Scenarios: The system provides a wide range of testing scenarios and attack patterns, facilitating comprehensive testing of false top-up defenses of the digital asset management platforms based on real-life situations.

3. High Scalability: Badwhale is designed as a highly scalable testing system. It supports testing for different digital asset management platforms and blockchain platforms, adapting flexibly to the requirements of various system architectures and technological environments.

Currently, Badwhale supports false top-up testing for hundreds of public chains and tens of thousands of tokens, including but not limited to:

- Bitcoin Families (BTC/LTC/DOGE/QTUM and more)
- BitcoinCash
- Ethereum Families (ETH/BSC/HECO/RON/CFX-evm/FIL-evm/AVAX-evm/FTM-evm/RSK/GNO/MOVR-evm/GLMR-evm/KLAY/FSN/CELO/CANTO/EGLD/AURORA-evm/TLC/WEMIX/CORE/VS/WAN/KCCL/OKX and more)
- ERC20 Tokens (USDT and more)
- Ethereum L2 (ARB/OP/METIS and more)
- Polygon and Polygon Tokens
- Cosmos Families (ATOM/LUNA/KAVA/IRIS/OSMO and more)
- EOS Families and EOS Tokens (EOS/WAX/XPR/FIO/TLOS and more)
- Ripple
- Flow
- Aptos
- Solana and Solana SPL-Tokens
- Conflux
- Polkadot Families (DOT/ASTR/PARA/MOVR/GLMR and more)
- Tron
- Filecoin
- Ton
- Mina
- Sui
- Ordinals (ORDI and more)

With the powerful capabilities of Badwhale, digital asset management platforms can perform comprehensive false top-up defense tests. They can gauge their performance in the face of false top-up attacks, optimize their defense mechanisms, and enhance the safety of user assets. The introduction of Badwhale will help digital asset management platforms strengthen their security measures, improve their ability to counter false top-up attacks, and ensure the reliability of digital asset transactions and user trust.

Conclusion

By delving into the ways false top-up attacks breach defenses, we can better appreciate the significance of digital asset management platforms in safeguarding user assets and maintaining security. Only by strengthening security measures, continuously monitoring vulnerabilities, and taking appropriate responsive actions, can these platforms effectively cope with false top-up attacks and other security threats, ensuring the credibility and reliability of digital asset transactions.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include by are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.