Threat actors are using the trust and features of popular platforms like Uniswap and Safe.global to carry out elaborate scams targeting customers, highlighting a new era of cybercrime where even the most secure systems are at risk.
Since its inception in 2018, Uniswap has become the most widely used decentralised exchange (DEX) for trading cryptocurrencies. Companies like Uniswap have a substantial trading volume and facilitate hundreds of millions of token swaps.
However, this extensive usage and trust have made Uniswap an attractive target for cybercriminals. These fraudsters exploit the ‘multicall aggregate function’ within Uniswap V3 contracts.
“By leveraging the trust and functionality of well-established platforms like Uniswap V3 and Safe.global, these attackers disguise their malicious activities. For instance, scammers cleverly embed their attacks within the multicall aggregate function on Uniswap V3 contract, which allows them to execute multiple transactions in a single call, thereby obfuscating their true intentions,” caution researchers.
This function allows users to bundle multiple transactions into a single call, increasing efficiency and creating an opportunity for malicious actors to mask their fraudulent intentions.
The multicall function in Uniswap V3 accepts an array of Call structs, each containing the address of the contract to call and the data sent to the target contract.
This function iterates over the calls array, executing each transaction in a single batch. Cybercriminals embed malicious transactions within legitimate-looking calls. For example, they use the Uniswap Multicall contract to orchestrate fund transfers from victims’ wallets to their own.
Seeing a trusted Uniswap address, unsuspecting users might approve transactions without realising they are granting permission for their assets to be stolen.
A concrete example of this scam is illustrated in transaction 0xe02a450b96a2679557dc6ea214808eb0692e8b96c7a8da47f67e4e26d0086aab. In this case, researchers discovered that attackers exploited the aggregate function to execute the ERC-20 transferFrom function, withdrawing funds from the victim’s wallet after manipulating them into increasing their allowance for the Uniswap contract.
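The mechanism in the paragraphs above (a bundle of `(target, data)` calls whose inner calldata is what actually moves funds) is easiest to see by decoding such a bundle before signing it. The following Python is an added example, not code from the article, from Uniswap or from Safe; it assumes the `aggregate((address,bytes)[])` ABI shape described above, uses the standard ERC-20 selectors for `transferFrom` and `approve`, and all addresses, amounts and the "benign" inner call are constructed placeholders. It hand-rolls the ABI encoding so it runs offline, and flags any inner call that would spend the wallet's tokens or grant a spender an allowance, which is the check the researchers' advice on verifying contract functions amounts to in practice.

```python
"""
Added example, not code from the article or from Uniswap: decode a Multicall
`aggregate((address,bytes)[])` payload and flag inner calls that would move
a wallet's tokens. Addresses and amounts are constructed placeholders.
"""
from dataclasses import dataclass

WORD = 32
# 4-byte selectors = first 4 bytes of keccak256(signature)
SEL_AGGREGATE = bytes.fromhex("252dba42")      # aggregate((address,bytes)[])
SEL_TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
SEL_APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)


def _u256(n: int) -> bytes:
    return n.to_bytes(WORD, "big")


def _word_at(b: bytes, pos: int) -> int:
    return int.from_bytes(b[pos:pos + WORD], "big")


def _addr_word(addr: str) -> bytes:
    # ABI address: 20 bytes, left-padded with zeros to one 32-byte word
    return bytes.fromhex(addr[2:]).rjust(WORD, b"\x00")


def _addr_at(b: bytes, pos: int) -> str:
    return "0x" + b[pos + 12:pos + WORD].hex()


def encode_aggregate(calls):
    """ABI-encode aggregate(Call[]) where Call = (address target, bytes data)."""
    elems = []
    for target, data in calls:
        padded = data + b"\x00" * (-len(data) % WORD)
        # element = target | offset of bytes (0x40) | bytes length | bytes
        elems.append(_addr_word(target) + _u256(0x40) + _u256(len(data)) + padded)
    # element offsets are relative to the first element word, after the length word
    offsets, pos = [], WORD * len(calls)
    for e in elems:
        offsets.append(_u256(pos))
        pos += len(e)
    array = _u256(len(calls)) + b"".join(offsets) + b"".join(elems)
    return SEL_AGGREGATE + _u256(0x20) + array   # 0x20 = offset of the array


def decode_aggregate(calldata: bytes):
    """Inverse of encode_aggregate: returns a list of (target, data) tuples."""
    if calldata[:4] != SEL_AGGREGATE:
        raise ValueError("not an aggregate((address,bytes)[]) call")
    body = calldata[4:]
    base = _word_at(body, 0) + WORD          # first element-offset word
    count = _word_at(body, base - WORD)      # array length sits just before it
    calls = []
    for i in range(count):
        e = base + _word_at(body, base + i * WORD)   # start of element i
        d = e + _word_at(body, e + WORD)             # start of its bytes field
        data_len = _word_at(body, d)
        calls.append((_addr_at(body, e), body[d + WORD:d + WORD + data_len]))
    return calls


@dataclass
class Finding:
    index: int      # position inside the bundle
    token: str      # contract the inner call targets
    reason: str


def flag_token_movements(calldata: bytes, wallet: str):
    """Return the inner calls that would spend, or grant spending of, `wallet`'s tokens."""
    findings = []
    for i, (target, data) in enumerate(decode_aggregate(calldata)):
        sel, args = data[:4], data[4:]
        if sel == SEL_TRANSFER_FROM and len(args) >= 3 * WORD:
            src, dst = _addr_at(args, 0), _addr_at(args, WORD)
            amount = _word_at(args, 2 * WORD)
            if src == wallet:
                findings.append(Finding(i, target, f"transferFrom moves {amount} units from your wallet to {dst}"))
        elif sel == SEL_APPROVE and len(args) >= 2 * WORD:
            spender, amount = _addr_at(args, 0), _word_at(args, WORD)
            findings.append(Finding(i, target, f"approve lets {spender} spend up to {amount} units"))
    return findings


# --- constructed sample: an opaque-looking call bundled with a drain ----------
VICTIM = "0x" + "11" * 20
ATTACKER = "0x" + "22" * 20
TOKEN = "0x" + "33" * 20
SAMPLE = encode_aggregate([
    ("0x" + "44" * 20, bytes.fromhex("deadbeef")),  # placeholder benign call
    (TOKEN, SEL_TRANSFER_FROM + _addr_word(VICTIM) + _addr_word(ATTACKER) + _u256(1_000_000)),
])

if __name__ == "__main__":
    for f in flag_token_movements(SAMPLE, VICTIM):
        print(f"call #{f.index} on {f.token}: {f.reason}")
```

The trusted outer address (the Multicall contract) never appears in the findings; only the inner targets and the effect on the signer's own balance do, which is the part a wallet prompt showing "Uniswap" would otherwise hide. A real transaction's calldata can be fed to `flag_token_movements` directly once its leading selector matches; the `approve` branch covers the allowance-increase step the article describes as preceding the drain.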
Safe.global is likewise a leading platform for multi-signature wallets, with over $100 billion in assets. Cybercriminals exploit the Gnosis Safe framework by creating legitimate-looking proxy contracts. They then trick victims into engaging with these contracts, often by persuading them to increase the allowance for the proxy contract to manage their tokens.
Once granted this permission, attackers use the execTransaction function to conduct multiple fraudulent transactions, effectively draining the victim’s wallet.
“Similarly, they utilise the GnosisSafeProxy contract to create seemingly legitimate contracts, which are then used to perpetrate fraudulent schemes. This cunning manipulation of trusted protocols enhances the credibility of their scams and makes detection and prevention significantly more challenging,” explain researchers.
The Safe system allows the proxy contract to execute transactions via the master copy (singleton) using the delegatecall operation in Solidity. This setup ensures that transactions are only executed after receiving approvals from multiple owners, verified through signatures. However, if an attacker can manipulate the approval process, they can initiate unauthorised transfers.
Researchers have urged organisations to verify the legitimacy of contracts and their functions before approving them, avoid approving contracts solely based on the company’s perceived trustworthiness, and use official channels to ensure authenticity.