Scammers burn crypto and re-configure smart contracts to steal millions

0 0

By Matthew Griffin Security and Privacy 13th September 2022

WHY THIS MATTERS IN BRIEF

When scammers re-configure crypto and blockchain smart contracts your money is gone forever the instant you transfer it.

Love the Exponential Future? Join our XPotential Community, future proof yourself with courses from XPotential University, read about exponential tech and trends, connect, watch a keynote, or browse my blog.

2021 saw an all-time high in crypto-related crimes, with scammers getting hold of $14 billion in cryptocurrency. The rise in fraud and scams, as well as Ransomwasre, correlates to the immense growth of activity within cryptocurrencies worldwide.

Baltimore becomes the first US city to be watched from the air 24/7

Recent company announcements and developments have also shown an increased interest in cryptocurrencies. For example, PayPal is considering a launch of its own cryptocurrency, Facebook has rebranded to Meta, and MasterCard announced that partners on its network can enable their consumers to buy, sell and hold cryptocurrency using a digital wallet.

The Future of Cyber Security, by Keynote Matthew Griffin

In addition, Disney wants to build a metaverse, Nike bought an NFT company, Starbucks customers can now use the new Bakkt app to pay for drinks and goods at the chain’s coffee shops with converted Bitcoin.

Funds are flowing towards crypto like water flows downhill, and thus it’s no wonder hackers are targeting cryptocurrencies with researchers like Check Point Research (CPR) saying that hackers are now abusing misconfigurations in smart contracts to launch attacks known as token “rug pulls.”

America launches the worlds first fully autonomous submarine hunter

Rug pulls occur when crypto or virtual asset project developers manipulate a token’s perceived worth and then abandon the project – taking investor funds with them.

A recent example is the SQUID token, which saw the token reach $2,850 in value at its peak. Once the developers’ rug pulled and prevented traders from selling, the coin crashed by over 99.99%, rendering it basically worthless while netting the developers millions of dollars.

Some indicators of a potential token scam include 99% buy fees and mechanisms that prevent investors from reselling. According to the researchers, flaws in smart contract code and vulnerabilities can also be harnessed by external attackers to increase the risk of a project losing investor money.

Fraudsters employ a range of tactics to conduct a rug pull, including the use of scam services to create smart contracts, which are then issued a new token name and symbol before becoming public. The manipulation of functions to create hidden triggers to launch a rug pull may also be included.

PayPal code reveals the company might be creating its own Stablecoin cryptocurrency

Social media networks, as well as deepfakes and hijacked and stolen social media accounts, are then used to hype up a token – and its perceived value – before an exit scam occurs. In addition, time locks are not usually imposed.

“Timelocks are mostly used to delay administrative actions and are generally considered a strong indicator that a project is legitimate,” the researchers noted.

Buy and sell fees are a common technique for rug pulls. In a smart contract examined by CPR, the firm discovered both “Approve” and “Aprove” functions. The former was a legitimate, standard function for contract transactions, whereas the second, “Aprove,” was hidden and designed to allow the developers to impose 99% fees after a project took off.

“A legitimate token will not charge fees or will charge hardcoded values that can’t be adjusted by the developer,” CPR says.

Researchers successfully weaponise AI to create a "Biometric master key"

Another example of potential scam mechanisms is a hidden function that allows developers to create more coins or control who can sell tokens. In the source code of a basketball-themed smart contract, the team found a transfer function that prevented reselling by average traders – a similar element used by SQUID.

A function found in a separate contract that allowed an attacker exploited coin minting after the contract’s private key was accidentally leaked online. A threat actor was able to use the key to fraudulently mint millions of virtual coins before withdrawing them. In the same contract, an error in emergency withdrawal functions was also exploited.

Attackers may also burn tokens to ramp up the price of existing pools. A failure to limit external burns in the Zenon Network was exploited in 2021, leading to a pool drain and the theft of over $814,000 from the project.

China's national digital currency is now available on WeChat

“It’s hard to ignore the appeal of crypto,” CPR says. “It’s a shiny new thing that promises to change the world, and if prices continue on their upward trajectory, people have an opportunity to win a significant amount of money. However, cryptocurrency is a volatile market. Scammers will always find new ways to steal your money using cryptocurrency.”

Matthew Griffin / About Author

Matthew Griffin, described as “The Adviser behind the Advisers” and a “Young Kurzweil,” is the founder and CEO of the World Futures Forum and the 311 Institute, a global Futures and Deep Futures consultancy working across the next 50 years, and is an award winning futurist, and author of “Codex of the Future” series.

Regularly featured in the global media, including AP, BBC, Bloomberg, CNBC, Discovery, RT, Viacom, and WIRED, Matthew’s ability to identify, track, and explain the impacts of hundreds of revolutionary emerging technologies on global culture, industry and society, is unparalleled. Recognised for the past six years as one of the world’s foremost futurists, innovation and strategy experts Matthew is an international speaker who helps governments, investors, multi-nationals and regulators around the world envision, build and lead an inclusive, sustainable future.

A rare talent Matthew’s recent work includes mentoring Lunar XPrize teams, re-envisioning global education and training with the G20, and helping the world’s largest organisations envision and ideate the future of their products and services, industries, and countries.

Matthew's clients include three Prime Ministers and several governments, including the G7, Accenture, Aon, Bain & Co, BCG, Credit Suisse, Dell EMC, Dentons, Deloitte, E&Y, GEMS, Huawei, JPMorgan Chase, KPMG, Lego, McKinsey, PWC, Qualcomm, SAP, Samsung, Sopra Steria, T-Mobile, and many more.