Blockchain Security: Phishing Scams and Contract Exploitation

Wooshi.World
4 min read · Mar 7, 2022


Part 1: Phishing scams

Blockchain security has long been praised for removing middleman organizations with personal interests from global transactions. While in theory this promotes a fairer, decentralized system, it also nurtures an environment where nefarious actors can thrive and exploit consumers with little to no repercussions.

While it is true that Blockchain transactions are secure, that security only really protects you from man-in-the-middle attacks, that is, from an exploit that hijacks your transaction while it is being processed. Unfortunately, the majority of “hacking” is not done through lines of code; it is much more effective when social engineering is used.

Now what is social engineering? Simply put, it means tricking people into willingly giving you access to their wallets. Unfortunately this is the Blockchain’s major vulnerability.

Typical banking and credit systems offer protection from these kinds of scams. If you fall for one, you can file a report with your bank or your credit card company and they will help you resolve the issue.

With Blockchain transactions there is no such protection offered. It is up to the consumer to make sure any transaction they authorize is legitimate.

One of the most effective ways of tricking people has been through phishing scams. We saw a perfect example of them being extremely effective during the OpenSea contract migration.

If you are unfamiliar with what happened, OpenSea had to migrate their users to a new contract in order to update functionality and address security concerns. They sent an email blast asking users to migrate their current listings through a migration smart-contract. That email had a hyperlink that sent the user to their migration interface.

What the scammer did was spoof OpenSea’s email address and send out another email blast a few days later to the same list of users. However, this scammer’s hyperlink redirected users to a nefarious site hosting a smart-contract that permitted them to infiltrate users’ wallets and drain them of everything. Suddenly, millions of dollars worth of speculative assets were drained from victims’ wallets. How did this happen? Because the major security flaw when it comes to the Blockchain is the human sitting in front of the screen. The victims of this phishing attack simply did not read the contract and didn’t bother checking the validity of the contract on etherscan.

If the victims had done their due diligence, this would never have happened. Here is a sample of the contract transactions in question. One quick glance would have been a dead giveaway that this contract was a scam:

What are the lessons to learn from this?

  1. Always verify that a contract is legitimate before you allow it to interact with your wallet.
  2. After you have interacted with a contract, revoke its access to your wallet.
  3. Never use external links. While annoying, it is always better to manually navigate to the official pages of projects or marketplaces.
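One way to turn lessons 1 and 2 into a mechanical check before signing, as an added example that is not code from the original post: it decodes the calldata a wallet shows for an approval and reports which address would gain control of your assets. The ERC-20/ERC-721 function selectors are the standard ones; the allow-list and the operator address are constructed placeholders.

```javascript
// Added example, not code from the original post: decode the calldata a
// wallet pops up for signing and flag approval-type calls, so lesson 1
// ("verify the contract before you accept it") becomes a mechanical check.
// Selectors are the standard ERC-20/ERC-721 ones; addresses are placeholders.
const SELECTORS = {
  "0x095ea7b3": { name: "approve", args: ["address", "uint256"] },
  "0xa22cb465": { name: "setApprovalForAll", args: ["address", "bool"] },
  "0xa9059cbb": { name: "transfer", args: ["address", "uint256"] },
  "0x23b872dd": { name: "transferFrom", args: ["address", "address", "uint256"] },
};
const UINT256_MAX = (1n << 256n) - 1n;

// Decode one ABI-encoded 32-byte word (64 hex chars) by its declared type.
function decodeWord(word, type) {
  if (type === "address") return "0x" + word.slice(24).toLowerCase();
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  return BigInt("0x" + word); // uint256
}

// Returns { name, args } for a known selector, or null if unrecognised.
function decodeCalldata(data) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  const spec = SELECTORS["0x" + hex.slice(0, 8)];
  if (!spec) return null;
  const body = hex.slice(8);
  if (body.length !== spec.args.length * 64) throw new Error("malformed calldata");
  return { name: spec.name, args: spec.args.map((t, i) => decodeWord(body.slice(i * 64, i * 64 + 64), t)) };
}

// Triage: who gains control over the assets, and is that address expected?
function assessApproval(data, allowedOperators) {
  const call = decodeCalldata(data);
  if (!call) return { risk: "unknown-call", reason: "selector not recognised; read the contract first" };
  const allowed = new Set(allowedOperators.map((a) => a.toLowerCase()));
  const [operator, value] = call.args;
  const risk = allowed.has(operator) ? "approval-known-operator" : "approval-unknown-operator";
  if (call.name === "setApprovalForAll") {
    if (value === false) return { risk: "revocation", operator, reason: "removes operator rights (lesson 2)" };
    return { risk, operator, reason: "grants transfer rights over EVERY token in this collection" };
  }
  if (call.name === "approve") {
    const unlimited = value === UINT256_MAX;
    return { risk, operator, unlimited, reason: unlimited ? "unlimited allowance" : `allowance of ${value}` };
  }
  return { risk: "transfer", reason: `${call.name} moves assets immediately` };
}

// Constructed sample: setApprovalForAll(OPERATOR, true) as a wallet would present it.
const OPERATOR = "0x1111111111111111111111111111111111111111";
const SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + OPERATOR.slice(2).padStart(64, "0") + "1".padStart(64, "0");
```

Any operator the allow-list does not recognise is the cue to stop and check that contract on etherscan before signing, as the post advises.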

Part 2: Smart-Contract Exploitation

While we like to think that Blockchain communities are run with their users’ best interests in mind, this does not prevent them from willingly or unwillingly publishing smart-contracts with security flaws. In a typical development setting, if code has been published with a security flaw, the solution is to hot-fix the exploit and deploy a patch to the running system.

This is not possible with smart-contracts. Once a smart contract is deployed on any chain, it is immutable: the code hosted on the chain’s nodes is there forever.

The only way to change a contract’s functionality is to re-deploy a fixed contract and hope that the consumers migrate to the new contract.

The TreasureDao exploit is a perfect example of this. Nefarious actors found an exploit where they could mint NFTs for free.

While the exploiters’ actions are obviously morally wrong, I believe that this is entirely the fault of the contract provider. Unfortunately, the ones paying the price are the creators and the consumers.

This again is a product of the push for decentralization. The consumer has no protection. We must hold dApp creators accountable and have their products subject to rigorous testing and proven security protocols.

What do I mean about that?

  1. I mean having smart-contracts subjected to a series of tests whose results are published to the public.
  2. Providing extra security layers through their dApps with systems like Auth0, CAPTCHA, and secured API calls.
  3. Hosting only the necessary functionality on the smart-contract. This way, if there’s a security concern with external functionality, it can be easily patched and redeployed.

As a consumer you should always ask about security protocols put in place in the projects you are backing. After all, you technically own a piece of that project and it should serve your best interests.

Remember this field is the wild wild west. You should protect your neck.

Stay safe,

— Spicekus
