On May 26, a victim who had lost 1,807 liquid-staked Ethereum worth $6.91 million managed to reclaim a substantial portion of the stolen assets from the hackers. Yu Xian, co-founder of blockchain analysis firm SlowMist, disclosed that the Inferno Drainer phishing group used an offline authorization signature to steal nearly $7 million in Ethereum from the user.
How Did the Hack Happen?
The incident garnered significant attention when Scam Sniffer revealed that the victim had recovered 1,445 Ethereum, or 80% of the stolen funds, while the scammers kept a 20% reward. Analysts indicated that the breach involved a phishing attack, where a malicious actor used a legitimate off-chain authorization signature to transfer ERC-20 tokens from a wallet that did not belong to them.
According to SlowMist, the attack was made possible by an overlooked feature of Ethereum token permissions introduced by EIP-2612. This EIP lets users authorize a spender with an off-chain signature instead of a prior on-chain approval transaction, but the permit function can be executed by any account, irrespective of ownership.
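The signing request behind this kind of theft can be recognized before it is signed. The following is an added example, not code from SlowMist or Scam Sniffer: a Python check that inspects an EIP-712 typed-data request and flags an EIP-2612 Permit that carries risky terms. The function name, flag names, one-hour lifetime threshold and sample request are assumptions made for illustration; only the Permit field list comes from EIP-2612.

```python
import json

MAX_UINT256 = 2**256 - 1
# Field order of the Permit struct defined by EIP-2612.
PERMIT_FIELDS = ["owner", "spender", "value", "nonce", "deadline"]


def _to_int(v):
    # Wallets pass uint256 values as decimal or 0x-prefixed strings.
    return int(v, 0) if isinstance(v, str) else int(v)


def review_signing_request(typed_data_json, trusted_spenders, now, max_lifetime=3600):
    """Return None if the EIP-712 request is not a Permit, else a list of risk flags.

    trusted_spenders is a set of lowercase addresses the user already relies on.
    """
    req = json.loads(typed_data_json)
    if req.get("primaryType") != "Permit":
        return None
    flags = []
    declared = [f["name"] for f in req.get("types", {}).get("Permit", [])]
    if declared != PERMIT_FIELDS:
        flags.append("nonstandard_fields")
    msg = req.get("message", {})
    if str(msg.get("spender", "")).lower() not in trusted_spenders:
        flags.append("untrusted_spender")
    if "value" in msg and _to_int(msg["value"]) == MAX_UINT256:
        flags.append("unlimited_value")
    if "deadline" in msg and _to_int(msg["deadline"]) - now > max_lifetime:
        flags.append("long_deadline")
    return flags


# Constructed sample request (addresses and token name are made up).
SAMPLE = json.dumps({
    "primaryType": "Permit",
    "types": {"Permit": [{"name": n, "type": t} for n, t in [
        ("owner", "address"), ("spender", "address"), ("value", "uint256"),
        ("nonce", "uint256"), ("deadline", "uint256")]]},
    "domain": {"name": "Example Token", "chainId": 1,
               "verifyingContract": "0x" + "aa" * 20},
    "message": {"owner": "0x" + "11" * 20, "spender": "0x" + "22" * 20,
                "value": str(MAX_UINT256), "nonce": "0",
                "deadline": str(MAX_UINT256)},
})

if __name__ == "__main__":
    print(review_signing_request(SAMPLE, trusted_spenders=set(), now=1_716_700_000))
```

An empty list means the request is a Permit with a known spender, a bounded value and a short deadline; any flag is a reason to reject the signature prompt.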
What Are the Recommendations?
During the incident, if users had previously exposed their wallet signatures on phishing websites, scammers could still use the permit attack to drain tokens from their wallets without any approval transactions. To mitigate such risks, SlowMist advised:
Protecting Your Assets
- Regularly use authorization tools like RevokeCash to detect abnormal authorizations.
- Utilize Uniswap’s Permit2 authorization management tool.
- Immediately revoke any irregular authorizations detected during verification.
Despite these recommendations, not everyone sympathized with the victim. Renowned DeFi detective ZachXBT questioned how someone could fall for phishing attacks amounting to $638,000 last year and $6.9 million this year, suggesting negligence on the victim’s part.
In related news, cryptocurrency-related scams surged by 53% over the past year, with the FBI reporting that cryptocurrency investment scams accounted for 86% of all investment losses in the United States in 2023.