Insights - Bitpanda Custody

Security News - Spam Transactions On ERC-20 Tokens (Including USDT/USDC)

Written by Bitpanda | Dec 4, 2024 12:27:38 PM

Be Aware Of Spam Transactions On USDC/USDT 

Hackers are always looking for new ways to exploit crypto. Custodians like ourselves secure private keys with better security and protection and that it has driven them to look for new ways to steal funds.  

You will, of course, be aware of the various social engineering scams, the URL spoofing of well know protocols and other creative methods being utilized right now.

We have identified a new method that we want you to be aware of. There has been a recent spate of "spam" transactions that have been sent on the Ethereum blockchain. These appear to be focused on USDC and USDC contracts.

The on-chain contracts for USDC/USDT (which we don’t control) allow spammers to run ‘pull’ transfer requests. Should the spammer try to "pull" a non-zero amount of tokens, the transaction would (correctly) fail.

Instead, they are trying to pull zero tokens and this actually creates a transaction even though there is nothing actually being transferred.

The spammers are doing this are using wallet addresses that look similar to ones you have sent to in the past. We believe the reason for this is to hope you will send a real transfer of USDC/USDT to their address by mistake in the future.

How many times have you only ever checked the last four or five digits of an address before confirming a transaction? Best practices dictate you check the entire address. Sometimes a corner may be cut, and this is where an exploit like this could catch you out.

These transactions are initiated by a third party in an attempt to confuse the addresses that you send to. It’s important to note that your funds are safe, and this is not a direct security issue. 

The only risk to your cryptoassets is if you were to use one of these spammers' addresses instead of the real one.

 

Sample Transactions

This is a valid transaction for 10,000 USDC to: 0xc0485e5d3fab6ca12ec55594cb8c0f1f9adaae0b

This is spam transaction for 0 USDC to: 0x46443c0bb379a20767168c02954eaadc1adaae0b

 

In this example, the spam address has no initial characters matching the "real" to address, but the last seven are the same. This could trick someone into believing its correct.

Both transactions appear to send tokens from address: 0x6be602bad7d5f7033b7d4a6040e5d67e458c4b4a whereas in fact, only the first has sent tokens (10,000). The 2nd, although looking very similar, has sent 0 tokens.

 

 What to do to protect yourself

To avoid this, please:

    • Be very careful when using any transaction list as the source of addresses as these spam transactions WILL show up

    • Be wary of copying / pasting addresses from untrusted sources

    • When checking addresses, check the full address and not just the first x digits and last y digits

    • Use additional checks when signing transactions. If you have a mulitsig wallet policy, ensure each user performs additional checks on the address

If you would like to enhance your crypto custody security with segregated wallets, custom rules, transaction thresholds and multisig, get in touch with us to learn more.

 

 

If you are an existing customer, contact us if you'd like to discuss further options or you are concerned about any transactions from your wallet by emailing us at help@bitpandacustody.com or learn more about this attack vector on our help page here.

 

Related readings

24 Questions Investors Must Ask Their Crypto Fund

Trustology Acquired By Bitpanda

Trustology Gets Full FCA Registration as Cryptoassets Firm

TrustVault. The Safest Crypto Account for Institutional Investors

High Yields Ahead - New Voyager DeFi Fund Backed By Trustology Custody

 

TrustTalks

Stay up-to-date with the latest crypto news and events with Bitpanda Custody. Over 2000 subscribers receive our monthly roundup of what made the headlines, upcoming events that institutions need to know about and the latest developments in crypto custody and to our TrustVault platform. Be in the know, sign up today.