Immunefi
Published in

Immunefi

How Gas Swindlers Are Stealing From BNB Chain Users

The crypto space is a true wild west of adventure and despair. Fortunes are made and lost in an instant. In the darkest corner of this digital frontier are silent predators, waiting in the shadows for unsuspecting victims to become their next profitable feast. Recently, a peculiar and enterprising actor in this space caught my eye, a predator I shall label as the Gas Swindler. Come closer as I tell you about one of the emerging predators slowly evolving in the dark underbelly of crypto, preying on the residents of BNB Chain.

This article was written by Hephyrius.eth, an Immunefi Whitehat Scholar.

Background

Before we explain the ongoing assault on BNB Chain users, we need to lay some groundwork. Let’s begin by talking about gas and gas arbitrage. Gas is a fundamental part of any blockchain that utilizes the Ethereum Virtual Machine (EVM) for smart contracts. It acts as the fuel that ‘powers’ transactions. Each computational operation on the chain uses some amount of gas. Simple mathematical operations are the cheapest operations, while smart contract creation and storage writes are some of the most expensive. The costs of specific operations are defined in the fee schedule of the Ethereum Yellow Paper.

EVM Fee Schedule

The cost of a transaction executed on the EVM is the total gas used for the specific computations multiplied by the current market price for gas. In simple terms, when a network such as Ethereum is busy, the cost of gas is higher due to higher demand. This means that, depending on network conditions, two computationally identical transactions can have two very different costs paid in the chain’s native token.

Interestingly, the EVM originally provided refunds for reversing certain operations, such as clearing out storage and destroying smart contracts. This allowed a number of enterprising individuals to come up with a method of hedging fluctuations by storing gas when prices were low and then refunding it when prices were high, allowing them to hedge away some of the operational costs presented by volatile gas prices.

This storage of gas was tokenized and was tradeable, with three different tokens gaining traction on Ethereum: Gas Token 1, Gas Token 2, and Chi Gas Token. Whenever a user mints a gas token, they store some gas for later use. And when they burn a gas token as part of a transaction, they receive a refund. Essentially, a minter pays for gas at one point, so that they can have cheaper transactions later.

On the Ethereum chain where these tokens were born, the mechanisms that led to their birth also led to their downfall. Gas tokens led to the chain acting in a way that was too unreliable. The theoretical gas amount that actors could use in a transaction was dramatically increased by the use of refunds. This led to the inclusion of EIP3529 in the London hard fork which massively overhauled gas refunds and which rendered the tokens economically non-viable, at least on Ethereum.

Chi On the Smart Chain

BNB Chain is an EVM-based compatible chain. This means that the fundamental behaviors and fees outlined in the yellow paper also apply to the chain. As BNB is using a pre-London EVM, the gas refunds are still present on the chain. At some point in the past, an instance of the Chi Gas Token was deployed onto BNB by the DEX aggregator 1inch.

On BNB, the minimum gas price is also the gas price that most transactions are executed at, which is 5 gwei. Only users who need near-instant execution, for time-sensitive operations, such as liquidation or arbitrage, pay higher than this value. As such, the average user never comes in contact with gas tokens on the chain.

On BNB, The chi gas token has three primary markets that are all on the 1inch AMM. There is over $300,000 of paired liquidity available on the markets. The primary buyers of the gas token are bot operators who hope to reduce their operational costs when they execute high gas price transactions.

Gas Swindlers

The Swindlers Recipe

Figure 1. Overview of actions

Now that we understand the fundamentals of a gas token, we can explore the menace of pickpocketing occurring on BNB. The Swindler operates very methodically using a tried and tested recipe. Here is a high-level overview of what they are doing:

  1. Deploy a fake token
  2. Add some liquidity to an AMM
  3. Activate a honey pot
  4. Airdrop tokens to victims
  5. Mint gas tokens for approval and transfers of the fake token
  6. Withdraw and sell minted tokens
  7. Simulate fake buying volume
  8. Go to step 4
  9. Expand and start over from step 1

The Breakdown

The swindler deploys and airdrops a malicious token to recently active wallets on the chain. This token has some liquidity on an AMM which gives it some implied value. However, users cannot swap the token on the AMM, as the token is in fact a honeypot: it only allows users to buy the token but not sell it.

The key difference between the swindler and a regular honeypot is what happens when a user approves or transfers the gas token. Instead of doing what the user expects and allowing the AMM to transfer their tokens, the token is in fact using the user’s transaction gas in order to mint gas tokens.

The gas a user allocates to a transaction is usually estimated by their wallet, which means that the gas swindler’s token can signal that it needs a lot of gas, and the wallet will automatically set the value to something unrealistically high. This leads to the user spending dollars in transaction fees in the hopes of making a lot more back when they sell the token, such as in the transaction below:

An example of a victim

When the approval or transfer transaction occurs, the minted gas tokens are either sent to the gas swindler directly or stored in the swindling token contract for the swindler to withdraw at a later date. The swindler then sells these tokens on the 1inch liquidity pools for a handsome profit. The transaction below shows that this swindler made 5 BNB (~$1500) in a day from their swindling.

Illicit profits

Some swindlers will take the profits from a day of swindling and buy some of their own tokens on an AMM in order to give the impression that a token is active. The increasing buy pressure makes users think that the token is either worth apeing in on, or adds to the FOMO of selling as soon as possible in order to cash in on the free money. This lures more innocent victims to mint and leads to ever greater profits for the gas swindler.

Conclusion

The innocent citizens of BNB are naively having their gas, and by extension, their money, swindled from them due to being foolish enough to think that they would be given free money in the form of a token they’ve never heard of.

There seem to be gangs of swindlers operating in the dark, deploying dozens of new tokens every week, ensnaring those eager enough to chase their next big payday in the crypto gold rush.

The only way to beat the swindlers is to inform and educate your fellow crypto dwellers so that they know they should manually set the gas limit on token approvals of unfamiliar tokens, or that they should avoid them altogether.

The swindler is not the only menace hiding in the dark forests.

Stay alert fellow crypto frontiersmen.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Immunefi

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.