Past Permissions, Present Problems: Analysis of Theft through Authorized Malicious Contracts
Background
Recently, the SlowMist Security Team has received reports of numerous incidents of coin theft caused by authorization issues. These incidents were directly related to the Approve authorization, with the critical point being that the victims had inadvertently clicked on Approve authorization at some time in the past. Fortunately, due to the immutable nature of blockchain, we’re always able to see how these events unfolded.
Analysis of Theft Cases
Based on information provided by the victims, the theft transactions are as follows:
At first glance, it can be seen that the victim’s address 0x8CCb had 13,811 USDT stolen by the hacker’s address 0xFf6F.
This transaction did not use an off-chain permit/permit2 signature, did not involve any other contract vulnerability allowing arbitrary authorization, and did not rely on a create2 method.
After ruling out these common methods, we discovered that this theft was caused by the simplest of reasons: an Approve authorization that had been granted a long time ago and acted as a delayed fuse.
Upon analyzing previous on-chain transaction records, we found the main cause: the victim had authorized a contract address (0x3880285800a89AB3C4338bf455acdA3da6f8fA24) over two years ago.
The authorization record is as follows:
The timeline of the authorization transaction and the theft transfer transaction is listed below, with a lengthy interval of 767 days between them:
- November 9, 2021, 08:13:28 — Malicious authorization given to a malicious contract address transaction;
- December 16, 2023, 07:26:53 — USDT-BEP20 unauthorized transfer transaction.
After the authorization was given to the malicious contract address, how were the funds stolen? Let’s delve further into the details.
In this transaction, the following steps occurred:
1. By calling method 0xe473d7ed of contract address 0xcc4187, the balance of the stolen address and the Allowance authorized to the malicious contract were checked.
2. The malicious contract (shown as TransparentUpgradeableProxy in the figure) called method 0xe5ee9334 of the Proxy contract 0xd367b5 to:
- Verify the Role permissions of contract address 0xcc4187.
- The malicious contract, acting as the message sender, invoked the transferFrom function of USDT-BEP20, thereby transferring the Token assets authorized to the malicious contract to the hacker’s profit address 0xFf6F.
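To make the mechanics concrete, the following added example (not SlowMist's code) ABI-encodes the three BEP-20 calls this case turns on: an eth_call that checks how much allowance a spender still holds, the approve(spender, 0) calldata that revokes it, and a decoder for the transferFrom calldata the malicious contract used. The malicious contract and hacker addresses are taken from the article; the victim and token addresses are constructed placeholders, and the 18-decimal amount is an assumption.

```python
# Added example: ERC-20/BEP-20 ABI encoding for allowance checks, revocation and
# transferFrom decoding. Selectors are the real 4-byte keccak-256 prefixes of the
# function signatures. Only the two addresses marked "from the article" are real.
from typing import Dict, Tuple

SEL_ALLOWANCE = "dd62ed3e"      # allowance(address,address)
SEL_APPROVE = "095ea7b3"        # approve(address,uint256)
SEL_TRANSFER_FROM = "23b872dd"  # transferFrom(address,address,uint256)

MALICIOUS_SPENDER = "0x3880285800a89AB3C4338bf455acdA3da6f8fA24"  # from the article
HACKER = "0xFf6FC7eafF07C93b555a1CA2A9efcBbca2b8c83D"            # from the article
VICTIM = "0x" + "11" * 20  # constructed placeholder (the article truncates the victim address)
TOKEN = "0x" + "22" * 20   # constructed placeholder for the USDT-BEP20 token contract

def _addr_word(addr: str) -> str:
    """Left-pad a 20-byte hex address into a 32-byte ABI word (lowercase hex)."""
    h = addr[2:].lower() if addr.startswith("0x") else addr.lower()
    if len(h) != 40:
        raise ValueError("bad address length")
    return h.rjust(64, "0")

def _uint_word(value: int) -> str:
    return format(value, "064x")

def allowance_call(token: str, owner: str, spender: str) -> Dict:
    """JSON-RPC eth_call payload returning how much 'spender' may still transferFrom 'owner'."""
    data = "0x" + SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}

def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): the revocation the article recommends."""
    return "0x" + SEL_APPROVE + _addr_word(spender) + _uint_word(0)

def decode_transfer_from(calldata: str) -> Tuple[str, str, int]:
    """Decode transferFrom(from, to, amount); raises if this is not a transferFrom call."""
    h = calldata[2:] if calldata.startswith("0x") else calldata
    if h[:8].lower() != SEL_TRANSFER_FROM or len(h) != 8 + 3 * 64:
        raise ValueError("not a transferFrom call")
    src = "0x" + h[8 + 24:8 + 64]          # last 20 bytes of word 0
    dst = "0x" + h[8 + 64 + 24:8 + 128]    # last 20 bytes of word 1
    amount = int(h[8 + 128:8 + 192], 16)   # word 2
    return src, dst, amount

# Constructed calldata mirroring the theft step: the approved spender calls
# transferFrom(victim, hacker, 13,811 USDT), assuming 18 token decimals on BSC.
THEFT_CALLDATA = ("0x" + SEL_TRANSFER_FROM + _addr_word(VICTIM)
                  + _addr_word(HACKER) + _uint_word(13_811 * 10**18))

if __name__ == "__main__":
    print(allowance_call(TOKEN, VICTIM, MALICIOUS_SPENDER))
    print(revoke_calldata(MALICIOUS_SPENDER))
    print(decode_transfer_from(THEFT_CALLDATA))
```

A non-zero value returned by the allowance call means the spender can still drain the owner's balance at any later time, which is exactly the 767-day gap in this case.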
MistTrack Analysis
The hacker’s address (0xFf6FC7eafF07C93b555a1CA2A9efcBbca2b8c83D) has now stolen approximately $200,000, including a variety of tokens.
The initial funds of the hacker originated from 0.098 BNB transferred from Tornado Cash, and the hacker used platforms such as Venus, PancakeSwap, DinosaurEggs, and WombatExchange:
Continuing the analysis, we looked into the malicious contract address (0x3880285800a89AB3C4338bf455acdA3da6f8fA24):
It was found that this malicious contract is marked as ‘King’ in MistTrack, indicating that this contract address belongs to the original project ‘King’. There are also interactions between this contract address and Kingfund Finance, suggesting that King and Kingfund Finance might be part of the same project.
Further examination revealed that the creator’s address of the malicious contract (0x37a7cA97b33b6a9D1d80D33bff9E38f156FF8541) is tagged as ‘Kingfund Finance: Deployer’.
Upon investigating this project, it was discovered that it is actually a ‘RugPull’ project. On January 19, 2022, Kingfund Finance absconded with over 300 WBNB (approximately $141,000), and subsequently shut down its official website and Twitter account. This means that users who have not yet revoked their authorization to this malicious contract continue to be at risk of theft. The SlowMist Security Team advises users to urgently cancel their authorizations to this malicious contract.
Dune Analysis
Based on the characteristics summarized above and aided by Dune analysis, another case was discovered where a user authorized the previously mentioned malicious contract address (0x3880285800a89AB3C4338bf455acdA3da6f8fA24) in January 2022, and then in May authorized another RugPull malicious contract address (0x3a40AeC5453dB9b49ACb2993F0F82FB1553f4C23).
The creator of this malicious contract (0x406119D496a3b0D1F0B7DA020B5e89d6FFf4Ff08) has already transferred most of the funds to Tornado Cash.
The relevant addresses have now been blacklisted by MistTrack.
Summary
This article mainly discusses a case where early authorization to a RugPull project led to subsequent continuous theft of funds, and expands on related characteristics to form a Dune dataset. Phishing is ubiquitous, and it’s easy to fall victim to it inadvertently. The SlowMist Security Team advises users to regularly check their authorization status proactively. Tools like RevokeCash, ScamSniffer, and Rabby can be used for this purpose. If any unusual authorizations are discovered, it is recommended to revoke them promptly.
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.