After Vitalik's account was "hacked" and used to post a phishing message: which methods of defrauding funds should users be wary of?

23-09-11 11:29
Original title: "Vitalik's account was hacked and phishing information was released. In addition to phishing attacks, what other ways of defrauding funds are worthy of users' vigilance? "
Original source: Beosin


On September 10, Ethereum co-founder Vitalik Buterin's X (formerly Twitter) account was hacked and used to post a phishing link offering a free commemorative NFT about Danksharding. Although the tweet was deleted soon afterwards, the hacker still stole about $700,000 in funds.



Earlier, in July, Uniswap founder Hayden Adams' X (formerly Twitter) account was also hacked and used to post tweets containing phishing links. Clearly, phishing attacks and similar security incidents remain frequent in the blockchain ecosystem.


Beosin has previously explained phishing attacks in detail; see: "UNIBOT is on fire: how to prevent Telegram bot-related phishing and scams?" and "Signature stolen? Be vigilant if you have used Uniswap! Revealing Permit2 signature phishing".


In addition to phishing attacks, what other ways of defrauding funds should users be wary of? Recently, the Beosin team found that rug pulls (project teams "running away" with funds) and price manipulation incidents have also caused heavy losses to users.


As blockchain technology matures, code-level vulnerabilities are becoming less common, and losses are shifting toward scams and flaws in business logic. In this article, we take stock of common fund-security issues from recent months to help users avoid being defrauded at the root.


In recent rug-pull and fraud incidents, the operators mainly used contract backdoors, honeypot ("Pixiu") tokens and similar methods to defraud funds. Users can in fact avoid these methods; the key is to understand how the contract operates and the principles behind its code. We use recent projects to illustrate and summarize the characteristics of this type of scam.


1. Project backdoor precautions


1. A privileged address that can modify balances


Scam projects generally have a privileged address that can mint, burn or set other accounts' balances at will. Such projects carry rug-pull risk: once users have put a large amount of funds into the project token, the project party uses the privileged function to drain all the valuable tokens from the pool, and the project token's value drops to zero.


Take the CUZK project code as an example:


The CUZK token contract contains a backdoor: the privileged address can directly credit its own account with tokens exceeding the total supply, as shown in the following code:



The ccvipaaaqqq() function adds a huge amount of CUZK tokens to the caller's balance and then checks whether the caller is ciyuAdmintmrr, the address set by the creator when the contract was initialized (0xf719).


The project party credited itself (0xf719) with a huge amount of tokens by calling the ccvipaaaqqq() function.


The privileged address then used the newly created tokens to drain all the WBNB from the pair, driving the CUZK price to zero.



2. A hidden backdoor that adds balance indirectly


Some projects have no function that directly manipulates token balances, but the privileged address can still obtain a large number of tokens indirectly, then drain all the valuable tokens from the pool and drive the token price to zero.


Take the Flashmall project on the BNB chain as an example:


The FlashMall contract has a setPointRate function for setting the exchange rate, which can only be called by the privileged address.



This rug-pull incident consisted of the following steps:


Set the exchange rate -> Exchange -> Set the exchange rate -> Exchange




The following are the detailed steps:


1. The privileged address sets the rate to 10000.



2. The 0x613C address exchanges MUSD for 10 times as much MCoin.


3. The privileged address sets the rate to 1000.



4. The 0x613C address exchanges MCoin back for the same amount of MUSD.



5. After repeating these conversions several times, 0x613C holds a large amount of MUSD and finally exchanges it for all the USDT.



The following is the exchange code between MCoin and MUSD; the amount received is determined by pointRate.
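To show why an instantly changeable, privileged exchange rate is a rug-pull risk, here is an added toy model (not Beosin's or FlashMall's code) that replays steps 1-4 above. The scaling formula (amount multiplied by pointRate / 1000) is an assumption, since the real contract's arithmetic is not reproduced on this page; balances are constructed.

```python
class ToyPointSwap:
    """MUSD <-> MCoin swap where only `admin` may change pointRate (assumed model)."""

    def __init__(self, admin, point_rate=1000):
        self.admin = admin
        self.point_rate = point_rate      # 1000 == 1:1, 10000 == 10:1 (assumption)
        self.musd = {}                    # constructed balances
        self.mcoin = {}

    def set_point_rate(self, caller, rate):
        # The privilege itself is the problem: nothing limits how often or how
        # far the rate may move, and no timelock gives users a chance to exit.
        if caller != self.admin:
            raise PermissionError("only the privileged address may set the rate")
        self.point_rate = rate

    def musd_to_mcoin(self, user, amount):
        if self.musd.get(user, 0) < amount:
            raise ValueError("insufficient MUSD")
        self.musd[user] -= amount
        self.mcoin[user] = self.mcoin.get(user, 0) + amount * self.point_rate // 1000

    def mcoin_to_musd(self, user, amount):
        if self.mcoin.get(user, 0) < amount:
            raise ValueError("insufficient MCoin")
        self.mcoin[user] -= amount
        self.musd[user] = self.musd.get(user, 0) + amount * 1000 // self.point_rate


def run_rate_flip(rounds, start_musd=100):
    """Replay steps 1-4 `rounds` times and return the final MUSD balance.

    Each round multiplies the balance by 10, so a handful of rounds is enough
    to outgrow the whole pool: the exchange-rate privilege is a mint in disguise.
    """
    swap = ToyPointSwap(admin="admin")
    user = "0x613C"   # address named in the article; its balance is constructed
    swap.musd[user] = start_musd
    for _ in range(rounds):
        swap.set_point_rate("admin", 10000)         # step 1: rate 10000
        swap.musd_to_mcoin(user, swap.musd[user])   # step 2: MUSD -> 10x MCoin
        swap.set_point_rate("admin", 1000)          # step 3: rate 1000
        swap.mcoin_to_musd(user, swap.mcoin[user])  # step 4: MCoin -> MUSD 1:1
    return swap.musd[user]
```

When reviewing a contract, the question to ask of such a function is not only "who can call it" but "what can the caller gain by calling it twice in a row".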



Summary: Whether a contract has a backdoor depends mainly on whether a privileged function can manipulate the token balance of any address, or whether some logic lets a privileged address issue tokens to itself. In addition, if the project party holds most of the liquidity provider (LP) tokens, a rug pull is also possible. Users can judge the level of risk by checking whether the contract has renounced its privileged address, or whether the privileged address is a contract serving a legitimate business purpose; at the same time, check whether the LP tokens are held by an EOA or by a legitimate business contract.


2. Pixiu (honeypot) project scams


The defining feature of this type of project is that users can buy the project token, but the transaction reverts when they try to sell. In the scam contract's code, the first transfer of the token sets some contract state, after which further transfers are no longer possible: the user buys tokens, the contract state is set, and the user can then no longer sell.


Take the fake EDU token project as an example:


The contract address of this project is 0x4749, a token sharing its name with the EDU project. The token owner (0xac15) buys and sells tokens through the EDU pair at address 0xE3f2 and sends tokens to Binance wallets and exchanges, creating the illusion that many people are participating (as shown in the figure below).



In the following code, after the first transfer (the purchase), tokenGreylist[to] (where to is the user's address) is set to true. Because the whitelist status in the code is not public, the transfer function cannot be called a second time, and both the switch status and the whitelist are controlled by the owner. Users participating in this project therefore cannot sell their tokens by default.



Summary: The hallmark of a Pixiu (honeypot) project is that its token can be bought but not sold. By checking the actual logic of transfer and transferFrom, we can see whether there are mutually restrictive conditions. Those with the technical means can simulate and execute the relevant functions locally.
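The local buy-then-sell simulation the summary recommends, as an added example (not the fake EDU contract's code): a toy token reproducing the greylist-on-first-transfer pattern described above, and a check that reports whether a fresh buyer can sell. State names follow the article (tokenGreylist, owner-controlled switch and whitelist); the addresses are those named in the article, and all balances are constructed.

```python
class HoneypotToken:
    """Toy 'can buy, cannot sell' token; mirrors the described logic, not real code."""

    def __init__(self, owner):
        self.owner = owner
        self.balance = {owner: 1_000_000}   # constructed supply
        self.token_greylist = {}            # set on an address's first incoming transfer
        self.whitelist = {owner}            # owner-controlled, not readable on-chain
        self.switch_on = True               # owner-controlled restriction switch

    def set_whitelist(self, caller, addr, allowed):
        if caller != self.owner:
            raise PermissionError("owner only")
        (self.whitelist.add if allowed else self.whitelist.discard)(addr)

    def transfer(self, sender, to, amount):
        if self.balance.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        # A greylisted, non-whitelisted sender can never transfer again while
        # the switch is on: this is the condition that blocks every sell.
        if (self.switch_on and self.token_greylist.get(sender)
                and sender not in self.whitelist):
            raise RuntimeError("transfer blocked")
        self.balance[sender] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount
        if to not in self.whitelist:
            self.token_greylist[to] = True      # first receipt marks the buyer


def build_scenario():
    """Owner 0xac15 seeds the pair 0xE3f2, which it has whitelisted so it keeps trading."""
    owner, pair = "0xac15", "0xE3f2"
    token = HoneypotToken(owner)
    token.set_whitelist(owner, pair, True)
    token.transfer(owner, pair, 500_000)
    return token, pair


def buy_then_sell_succeeds(token, pair, user, amount):
    """Simulate buy (pair -> user) then sell (user -> pair); True only if both pass."""
    try:
        token.transfer(pair, user, amount)   # buy: succeeds, greylists the user
        token.transfer(user, pair, amount)   # sell: blocked for ordinary users
    except RuntimeError:
        return False
    return True
```

The same round trip against a forked chain (buy, then immediately sell the full amount from the same account) is the practical test to run before putting real funds into an unknown token.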

