Infosec researchers are noting rising cryptocurrency attacks and have encouraged wallet security providers to up their collective game.
Introduced in 2019 (EIP-1014, activated in the Constantinople upgrade), CREATE2 is seen as a significant advance for Ethereum: it lets smart contracts, the programs that run on the blockchain, be deployed at addresses that are known before the deployment happens.
CREATE2 is also the opcode that attackers are abusing to drain tokens from victims' wallets.
Its key capability is deploying a contract to a pre-determined address, which makes interactions across multiple contracts in the ecosystem of decentralized applications more predictable.
Pre-determined here means the address depends only on the deployer, a salt and the contract's creation code, so an attacker can compute temporary, single-use addresses to receive a victim's assets before anything exists at those addresses.
A fresh address can be used for each attack, and this is crucial because wallet security providers rely on historical data (lists of previously reported addresses) to flag potentially malicious transactions.
Because the attacker can compute a contract's address before deploying it, and that address has no history of malicious activity, they only need the victim to approve that address as a spender of their tokens; the attacker then deploys the contract and drains the approved funds.
This attack works, and has facilitated huge single-transaction scams in recent times.
The researchers highlighted one fraud in January that saw attackers make off with $3.6 million worth of SuperVerse tokens in one fell swoop as an example of how serious these incidents can be for victims.
Remember: with blockchains, there is no legal recourse and no customer helpline to recover funds.
First, the attacker needs the victim to sign a token approval for an address at which nothing has yet been deployed; this is the part that requires social engineering.
They then use CREATE2 to deploy the malicious contract at that precomputed address, and the contract, already holding the victim's authorization, drains the victim's wallet.
The key part is the generation of a new address, one that has never been reported for criminal activity.
CREATE2 computes this address as the last 20 bytes of keccak256 over four inputs: a constant prefix byte (0xff), the deploying address (the attacker's factory contract that executes the opcode), a 32-byte salt chosen by the attacker, and the hash of the contract's initialization code.
The contract is only deployed there after the victim has approved the address, so at the moment of approval the address has never been used for anything, let alone illicit dealings, and it won't be reused afterwards, which bypasses protections that rely on an address's history.
Towards the back end of 2023, we saw a string of high-profile wallet-draining attacks netting cybercriminals hefty sums, and the attacks weren't localized to just the Ethereum blockchain either.
Justin Sun, founder of the Tron Foundation and owner of Poloniex, a crypto exchange that was drained of around $120 million in November, at the time offered the attackers a reward to return the funds they stole.
The Monero Project was also mysteriously drained of nearly half a million dollars just days before, and 5,000 Atomic Wallet users were drained earlier in the year - just a few of the high-profile incidents that took place in 2023.
While not all of these have been directly attributed to CREATE2 exploits, researchers told The Register that it seems like North Korea's state-sponsored Lazarus gang may have been behind a sizable proportion of them.
The web3 anti-scam provider ScamSniffer analyzed a series of CREATE2 incidents between May and November 2023, concluding that almost $60 million had been stolen from around 99,000 victims.
This Cyber News was published on go.theregister.com. Publication date: Tue, 19 Mar 2024 14:43:06 +0000