Exploring Web3’s security guidelines from a wallet theft case

There are thousands of roads, safety first:

1) Do not share keys 2) Store keys offline

3) Development and testing are separated (airdrop and main account isolation)

4) Do not download software from unknown sources 5) Check authorization immediately

6) Confirm the security of the contract before authorizing

7) Pay attention to safety when taking airdrops and benefits 

8) Be wary of unidentified people and software on Discord

Note: This account does not promote commercial products in any sense, does not provide any investment advice, and does not accept any PR requirements. This article does not constitute any investment advice.

Author | Chris Alpha Rabbit

event

This article is about 2700 words, and the reading time is 10-20 minutes

One morning during the New Year’s Day holiday in 2022, Xiao C was going to write code and continue to test the on-chain contract transactions of web3js. Suddenly I found that my test account (bsc chain) was reset to zero in metamask, and there was still 100USD in the account the night before, and after checking the transfer, I found:

The money is gone, where did the money go? ?

background

Xiao C, who was born in technology, is currently learning blockchain development. I am a professional developer and I have been very cautious. I usually run it on the test network. After running it, I will deploy it on the official network , but I don’t realize that the entire industry is still in a relatively chaotic stage . Handy habits lead to losses.

How was the loss caused?

On the last day of 2021, Xiao C happened to see an interesting account (this account has many active transactions) , so he tracked some of his on-chain transactions, and then saw a very interesting project (with a high annualization rate) Yield) , and then connected to my own Metamask by ghosts and ghosts, and then carried out an approve by ghosts, because this is the process of general Web3 projects, and the approve and transfer are over.

But an astonishing scene appeared: after clicking, the entire website suddenly got stuck (in fact, during the stuck period, the thief transferred the money away) , there was no response, and Xiao C didn’t respond at that time Things, shut down the site, and do other things.

After about a day, when Xiao C came back to develop, he found that all the money in the account was gone . He checked the historical records and found that the balance in the account had been transferred .

review process

How did the thief transfer all the money in the small C account?

Phenomenon: As long as you approve, you can theoretically transfer all the corresponding money without a private key.

Xiao C traced the source, probably because there was a problem with the approve of a phishing website, so he traced the transfer record.

Exploring Web3's security guidelines from a wallet theft case

As you can see from the figure, a contract is approved first, and the phishing contract is authorized to operate BUSD in the account, and there is no limit on the quantity.

Why is it BUSD? Xiao C recalled that when he entered this phishing site, busd was selected by default. It is estimated that after browsing the site’s link wallet, the thief had already screened out the token with the most money in the account.

Then, when Xiao C thinks that this is a new swap contract with a high annualized income, and is ready to try it first, he will proceed according to the normal process. After the approval is over, the website is directly stuck.

Later, after tracing back, about tens of seconds after authorization, the contract directly triggered a transfer operation, which directly transferred the BUSD token.

Later, I checked the authorization information.

Exploring Web3's security guidelines from a wallet theft case

Basically, when metamask is authorized by default, it is

  •  
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff

Converted to numbers, what we know is 1.157920892373162 times 10 to the 59th power. Basically, it can be understood as an unlimited transfer , that is, this authorized operation allows the contract to manipulate the token of my account in an unlimited amount. Seeing this, I felt a chill behind my back, because I had ordered many times before and I would never watch it.

Then the hacker manipulates a wallet address that can control the contract method, initiates the contract transfer method, and transfers the money away. So you must be careful when you click on metamask for authorization later .

Xiao C checked it, and the thief probably already has a token of 3w USD in this account now, and there are still a steady stream of victims transferring money. But there is no way to face the blockchain, and it is impossible to find out who this hacker is.

Problems arise

Where is the problem?

Because I’m learning about blockchain recently. Xiao C roughly thought about the logical method of fishing. The intention to harm others is indispensable, and the intention to guard against others is essential. If you are interested, you can find out:

  • normal transfer

Case 1: Direct inter-user transfer User A transfers BUSD to user B

The contract normally checks the following logic

1) Determine whether the account balance of user A has enough money 2) Whether it is a transfer initiated by user A

The process is as follows

Exploring Web3's security guidelines from a wallet theft case

  • normal contract exchange

This is the process when we usually use pancakeswap, uniswap, etc. to exchange

Case 2: Token exchange through swap A user performs token exchange (BUSD to WBNB) process contract to judge:

1) Whether the account balance of user A has enough BUSD, (assuming that the swap contract has been authorized to operate the BUSD token of account A)

2) The swap contract takes 500BUSD from account A and puts it into the swap contract pool (assuming the exchange rate is 1:500)

3) After the success, the contract will transfer 1BNB to the A account

Pay attention to point 2) 3), which is controlled by the contract to operate the token. That is to say, the contract can bypass us and directly initiate the operation of the token under our account.

Exploring Web3's security guidelines from a wallet theft case

  • fishing contract

Look at this traceback first?

Exploring Web3's security guidelines from a wallet theft case

For normal transfers, the transfer party and the transfer party executed by the contract should be the same person, that is, (1) and (2) in the above figure should be initiated by the same person. And the transaction I was transferred to, the two are not the same address. It is speculated that a wallet address that can execute the phishing contract controls the execution of the contract, and then transfers the BUSD I authorized to the phishing contract.

Going to look at the phishing contract, unsurprisingly the phishing contract is an encrypted contract. However, it is not difficult to think about it. Anyone who has studied Solidity a little knows that when the contract is defined, it is enough to set up a few more Admins or Owners.

So in the future, you must pay attention to the endorsement of the project party, and don’t give authorization to projects you don’t know! ! !

Security advice

Because of this incident, Xiao C searched for some useful suggestions and methods, and also saw a lot of bloody lessons.

Here are some methods that you can choose according to your needs.

Do not share keys

I read a post before saying that one mnemonic word generates multiple accounts. I don’t recommend this, because it is likely to be caught in one pot.

Keys are stored offline

Because there are many clipboard tools and input methods that will upload your clipboard records to the cloud, if you copy it directly, if the cloud leaks, your key will be lost. My suggestion is to copy it into the book as soon as it is generated. Of course, copy it to the notebook, you can also refer to my own dictionary encryption of the key, for example, replace a with 1, replace b with 2, and replace 1 with a, so as to ensure that even if someone sees your paper key, Nor can you touch your digital assets.

Separate development and testing (airdrop and master account isolation)

Install 2 browsers, one can be chrome and one is brave. One to manage your main wallet. The other one can participate in receiving airdrops, various on-chain operations, etc.

Do not download software from unknown sources

Don’t use baidu to download software from unknown sources. I have seen a case of downloading pirated metamask and going bankrupt. Be sure to go to the official address to download, if possible, you can refer to google play. chrome web store, etc.

Check your authorization now

The URLs checked are as follows. The debank is not open source, but the UI interaction is better. There are open source ones in the follow-up. You can decide for yourself.

https://debank.com/

https://approved.zone/

https://tac.dappstar.io/

https://ethallowance.com/

Exploring Web3's security guidelines from a wallet theft case

As you can see in the picture, it is basically infinite.

Every time you wake up metamask, you must look at the authorization more, and don’t authorize the next step without thinking like I am now.

Confirm contract security before authorizing

https://www.slowmist.com/service-smart-contract-security-audit.html

You can use the contract audit function of SlowMist.

You can also check whether the contract is open source. If it is open source, you need to confirm whether the contract is an upgradeable contract and so on.

Pay attention to safety when playing short positions and benefits

Use the trumpet to get it, don’t use the big one, you can set the quota when you authorize! ! !

Be wary of the intrusion of social workers, and beware of strangers who privately chat with you on Discord

For example, discord or telegram, someone has known you for a few days and said that they want to take you to make money and get airdrops, and ask you to install the software he sent you and log in. 99.99% of you will lose everything. Account stolen.

In particular, in Discord, when you enter the official discord of nft, someone will chat with you privately, telling you that you have obtained a whitelist, with a mint link. The liar will change the avatar and name to the official one. In fact, he and you are in a group to achieve this. In fact, as long as you are not greedy, this kind of scam is quite easy to see through. Generally, you will be told to mint within a few hours, and the number is 1-10. Many popular projects have a whitelist of one or two mints. This one has a time limit of 10.

Also, there will be scammers imitating the official website of the project to make a fake website, sending private messages to the people in the project server and asking them to mint.

There are also friends who bought fake NFTs in opensea and later found out that they were not official. After a few days, the NFT disappeared from the account. However? It has been deducted… (How did you find out? Look at the chain and the official discord and sent the official Opensea URL )

There is also a fake collab.land to deceive the wallet password, airdrop it to Da V and claim that Da V bought that nft/token.

The new year is coming, everyone must pay attention to safety. I hope that friends who read this article can be safe and sound!

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/exploring-web3s-security-guidelines-from-a-wallet-theft-case/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-01-20 09:07
Next 2022-01-20 09:09

Related articles