Hackers have successfully stolen over $60 million worth of cryptocurrency from Ethereum wallets in a span of six months using Create2, a code component that allows pre-calculation of contract addresses. This alarming revelation was made by on-chain detective ScamSniffer, which has been closely monitoring the situation.
The Exploitation of Create2
According to ScamSniffer, the hackers have been capitalizing on Create2’s capability to generate new addresses for each malicious signature. When unsuspecting users send funds or engage with a contract, they are often prompted to “approve” a signature. The hackers discreetly embed unauthorized permissions within these signatures, enabling them to gain illicit access to users’ wallets.
“The hackers are taking advantage of Create2 to pre-calculate contract addresses and then use this ability to create new addresses for their nefarious activities. They are essentially exploiting the approval process by concealing unauthorized permissions within the signature, making it difficult for users to detect.” – ScamSniffer
Create2 is a widely-used component in platforms like Uniswap, as it allows prediction of a contract’s address even before it is deployed on the Ethereum network. ScamSniffer’s research, conducted in collaboration with SlowMist, reveals that approximately $60 million has been pilfered from around 99,000 victims within the past six months.
In another concerning development, ScamSniffer uncovered evidence of a separate hacking group also utilizing the Create2 code to steal $3 million from 11 victims since August. Shockingly, one individual alone lost almost $1.6 million.
“By exploiting the address calculation method of Create2, attackers can generate a large number of addresses offline. They then select addresses that closely resemble the targeted ones, allowing them to initiate counterfeit transfers for ‘address poisoning’.” – ScamSniffer
The Far-Reaching Impact
The repercussions of these cryptocurrency-related hacks and exploits are becoming increasingly severe. Poloniex, a leading cryptocurrency exchange, recently suffered a hot wallet breach resulting in a staggering $114 million loss. Additionally, in October, victims of the LastPass breach experienced losses amounting to $4.4 million in just one day.
Even major players like Binance have narrowly escaped falling victim to address poisoning. In a fortunate turn of events, Binance immediately detected an erroneous transaction of $20 million to a fake address and promptly requested the freezing of the transferred funds.
“Cryptocurrency-related hacks have become highly prevalent in recent times, posing a significant risk to the security and stability of the digital asset ecosystem.” – Changpeng Zhao
With the continuous advancement of technology, it is imperative that users remain vigilant and employ robust security measures to protect their valuable cryptocurrency holdings.