Introduction: A recent scam scheme targeting Revoke users has emerged, resulting in the loss of funds in BNB tokens. This article sheds light on the details of the attack and provides insights from security experts at HAPI Labs on how individuals can safeguard themselves against such scams.
Understanding the Attack:
Following the hack of the Fantom bridge Multichain on July 7, users were advised to revoke permissions on associated smart contracts to prevent fund leakage. This led to a surge in activity on Revoke, the popular permission revocation service. However, users later reported receiving notifications of unauthorized upvotes on the Binance Smart Chain network, resulting in the deduction of up to $60 worth of BNB tokens from their wallets.
The Scammer’s Scheme:
The scam involved the mining of gas tokens by users, which were then immediately sent to the scammer. To avoid suspicion, the scammer disguised the mining costs as transaction fees. The scammer deployed a fake DAI token smart contract on the BSC network, manipulating the approve function to add upvotes to multiple wallets. The Revoke and Rabby security systems triggered transactions of tokens with upvotes, prompting users to revoke authorizations. However, revoking authorization from the fake DAIs also led to the parallel minting of $CHI gas tokens, resulting in the deduction of funds. The scammer then sold the gas tokens on the marketplace.
GasTokens were introduced in 2018 as a means to reduce gas costs on the Ethereum network through tokenization. By leveraging the gas refund feature, gas “batteries” could be created and consumed during periods of high network fees. However, while Ethereum disabled this feature in 2021, it still operates on BSC and a few other EVM networks, allowing $CHI to serve its intended purpose.
HAPI Labs security experts emphasize the importance of verifying the address of smart contracts when providing or revoking permissions. Verified addresses can be obtained from project websites or data aggregators. HAPI Labs also offers a checker tool to assess the risk rating of wallets or smart contracts. Revoke has implemented measures to block excessive gas-consuming upvotes and has hidden some fake permissions using native filters. Users are urging BSC to adopt measures similar to EIP-3529 to prevent future attacks. However, it is crucial to continually check smart contracts and wallet activity on all networks susceptible to gas attacks.
The crypto market remains a breeding ground for scams, with scammers exploiting every opportunity to drain unsuspecting users’ wallets. The Revoke case serves as a reminder to carefully review wallet transactions and smart contracts before engaging with any assets. Employing tools like HAPI Labs’ checker can offer an additional layer of protection. It’s important to stay vigilant, as other networks may also be vulnerable to similar gas attack schemes.