Hackers stole more than $60 million worth of crypto in six months from Ethereum wallets with Create2, according to on-chain sleuth ScamSniffer.
On Sunday, X user ScamSniffer claimed that the hackers were taking advantage of Create2’s capability to pre-calculate contract addresses, allowing them to generate new addresses for each malicious signature.
When users send funds or engage with a contract, they are typically prompted to “approve” a signature. The hackers are exploiting this process by concealing unauthorized permissions within the signature, thereby gaining access to a user’s wallet.
The utilization of Create2 enables hackers to circumvent security alerts that would typically serve as a warning to users before they sign a signature.
Create2 is a code component employed by platforms such as Uniswap, allowing the prediction of a contract’s address before it is actually deployed on the Ethereum network.
Research conducted by ScamSniffer and SlowMist suggests that approximately $60 million has been pilfered from roughly 99,000 victims over the last six months. ScamSniffer additionally reported that another hacking group has been utilizing the Create2 code to abscond with $3 million from 11 victims since August, with one individual losing nearly $1.6 million.
By leveraging the address calculation method of Create2, attackers can proactively generate a significant number of addresses offline. Subsequently, they extract addresses that closely resemble the targeted ones, enabling them to initiate counterfeit transfers for the purpose of “address poisoning.”
Binance was almost another recent victim of address poisoning. In August, Binance sent $20 million to a fake address. However, the company noticed the error right after the transaction and was able to request the transferred USDT to be frozen in time, according to founder Changpeng Zhao.
Cryptocurrency-related hacks and exploits have witnessed a surge in recent months, exemplified by the recent hot wallet breach at Poloniex, resulting in a loss of $114 million. Additionally, victims of the LastPass breach experienced losses amounting to $4.4 million in a single day in October.
Read the full article here