How to protect your wallet against advanced scams?

The realm of cryptocurrency still echoes the lawlessness of the Wild West, with over $20 billion in tokens and coins falling into the hands of thieves in 2022 alone. To shield yourself from becoming as easy a target as a gold-laden stagecoach, it's essential to follow a series of subtle yet powerful guidelines designed to protect your wealth.
Chainalysis reports reveal a staggering 89% of all attacks are directed at DeFi protocols, with cross-chain applications — platforms that facilitate crypto trading across multiple blockchains — being particularly vulnerable. To steer clear of becoming a statistic in this bleak scenario, it's crucial to adhere to a set of straightforward yet vital precautions. 

Maintain the confidentiality of your wallet address. Publicizing your wallet address is a surefire way to compromise your anonymity. In the hands of a malevolent actor, your wallet address becomes a tool to trace fund movements, establish links to other addresses, and surveil your real-time activities, setting the stage for a calculated attack. Although a public address alone doesn't offer hackers direct access to your wallet, safeguarding it from public view plays a crucial role in thwarting potential attacks, particularly those involving social engineering. 

Examine smart contracts meticulously before affixing your signature. Certain cryptocurrency wallets, such as TronLink, necessitate a thorough review of the smart contract’s key clauses prior to signing. 

Some attacks swap out the exchange contract behind the scenes, so that the unsuspecting user ends up sending their entire balance of some unrelated coin to the attacker’s address. This anomaly is detectable: the smart contract prompt will show a mismatch between the coin being sent and the coin being exchanged, and in the total amount being transferred.

Validate the smart contract through a reputable audit service. With the smart contract's public address in your possession, an independent audit service like Certik Skynet stands ready to scrutinize its integrity. 

This explorer aggregates an array of security-related metrics, audit results, and data reflecting the influence of GitHub library updates on community engagement — all in one centralized location. If the smart contract’s safety indicators are flashing red, it’s wise to distance yourself from any potential transactions. 

Vet the dApps you're working with. Addressing this point can resolve a third of the issues linked to wallet hacks and cryptocurrency theft.

Discerning the differences: Connecting vs. Granting Privileges in crypto wallet-dApp interactions:

  • Connecting via Wallet Connect: This doesn’t implicitly grant permission for token transfers without your express consent. Each transaction request from the dApp requires your manual approval or rejection. 
  • Granting privileges (Approvals): This aspect involves authorizing a third-party application to send tokens on your behalf. When your wallet’s interface displays a term akin to “Approve,” it’s time to pause and meticulously consider to whom you’re granting these rights and for what specific purpose.

Before you approve a smart contract, it’s essential to consider several critical questions: 
  • Is the approval you are granting absolutely required for the application to function? 
  • Does the token in the request match the token associated with the project?
  • Is the token amount in sync with your initial request?
  • Does your request differ in type? For instance, you may have intended to swap a coin, but the contract seems to suggest a transfer of rights to something else. 

A sample of a deceptive smart contract's code, annotated for your understanding

Typically, such operations are conducted using the vestingGrant() function, which defines the addresses of both the sender and the recipient. By affixing your signature to such a smart contract, you are, in essence, authorizing the withdrawal of crypto assets to another person's address. 
Conceptual manipulation through the vestingGrant function | Source: Etherscan.io

Bear in mind, there are more cunning tactics to attack a wallet via a smart contract. 

A fundamental precautionary step is to Google the smart contract's address you intend to interact with. It's quite straightforward: if you cannot find a whitepaper, the project's official homepage, or any documentation explaining the tokenomics, it’s highly likely that you are dealing with a scam. 
Example of token address tracking | Source: Google.com

The subsequent step involves scrutinizing the token’s code. Normally, explorers like Etherscan display whether or not a token's code has been verified. If this option is unavailable and the website suggests that you verify it yourself, be cautious—this is a red flag, and you are likely faced with a scam. Fraudulent tokens' codes are often unverified to avoid being marked as dangerous. 
Example of an unverified token code | Source: Etherscan.io

Before dealing with a suspicious token, make sure it actually exists. Check for the coin on CoinGecko, in the dApp Radar list, on TronScan, or search across various blockchains using Blockchair.

Also, ensure that the address you’re about to deal with is not blacklisted. You can do this by using the open repository on GitHub, which dApp Radar utilizes to filter its projects: 
  • Known suspicious addresses on the Binance Blockchain.
  • Scam tokens in the Ethereum network. 
  • Addresses of dubious coins on Polygon. 

Leverage automated token verification services

Take advantage of services like TokenSniffer, an automated express-analysis tool for assessing tokens for common types of attacks. It’s integrated into the WEB3 AML service package from Solidus Labs and remains fully public and free to use. If a token scores below 50, it's likely a scam, though some triggers could be attributed to flaws in the project you are engaging with. 

Another valuable tool is honeypot.is, which allows you to check a token for pre-existing vulnerabilities that could be exploited by scammers to steal your crypto. Similarly, DEXTools offers a set of tools that build trust metrics for a project based on hidden checks.

The setApprovalForAll() function in attack attempts

Typically, this function comes into play when you’re minting an NFT on a marketplace or authenticating through a wallet on platforms such as OpenSea or Blur. In these situations, the function enables the NFT marketplace to move tokens from your wallet to the buyer’s following a sale. By approving it, you are granting the smart contract the authority to send any amount of a specific token anywhere it pleases.

If the platform you’re connecting your wallet to happens to be compromised, attackers could immediately withdraw your funds. This kind of attack is commonly seen in applications, platforms, and decentralized apps (dApps) associated with NFTs. 

Below is an example of what it looks like when the setApprovalForAll() function is triggered. If the smart contract window displays a well-known NFT marketplace, things should be safe. However, if you notice typos in the website’s name in this field, there's a high chance you’re being targeted in a scam attempt.
Example of the proper usage of setApprovalForAll() | Source: Coinsbench.com

So, what does a wallet hack via setApprovalForAll() look like on the blockchain? 

Let’s take the address 0xAa8A064f79a75F91B5aF5Ba75bD5382d1185F1F7 as an example. This address, after five failed attempts, eventually succeeded in signing a transaction through a fake NFT pre-mint website. 
Example of a smart contract signature that transfers wallet ownership rights | Source: Etherscan.io

As a result, all the funds in the wallet owner’s possession start getting transferred to various dummy addresses. Someone even went to the lengths of renaming the scammer’s addresses, marking them as “thief” and “scammer” in Russian.
The aftermath of a setApprovalForAll() attack displayed on the blockchain | Source: Etherscan.io

Why is this method so effective?

Well, it has gained quite a bit of traction. In April 2022, users of the Bored Ape Yacht Club fell prey to this kind of scheme. An attacker had managed to hack into the project’s Instagram account and posted a link to a fraudulent website hosting an airdrop. The website in question prompted users to sign a contract with the setApprovalForAll() function, which didn't raise any red flags since it is a necessary step for the proper transfer of minted NFTs.
The Bored Ape Yacht Club hack via setApprovalForAll() | Source: X.com/BoredApeYC

To safeguard yourself from such hacks, meticulously inspect the smart contract signature window: if you see setApprovalForAll in the transaction pane, it’s a red flag indicating a possible scam. Apply the same caution if you encounter the safeTransferFrom function while signing what is supposed to be a transfer.
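As an added example that is not part of the article, the Python check below applies the red flags discussed above (the approval checklist, the token/amount mismatch from the swapped exchange contract case, and the setApprovalForAll / safeTransferFrom warning) to a raw transaction before it is signed. The function selectors are the standard ERC-20/ERC-721 ones; the allowlist of trusted marketplace contracts and every address used are assumptions the user supplies, and the sample values in the tests are constructed placeholders.

```python
# Added example, not from the article: an offline check that applies the article's
# red flags to the raw transaction a dApp asks the wallet to sign. Selectors are the
# standard ERC-20/ERC-721 4-byte ids; all addresses in the tests are constructed.
UNLIMITED = 2**256 - 1
SELECTORS = {  # first 4 bytes of keccak256(canonical signature) -> function name
    "095ea7b3": "approve",              # approve(address,uint256)
    "a22cb465": "setApprovalForAll",    # setApprovalForAll(address,bool)
    "42842e0e": "safeTransferFrom",     # safeTransferFrom(address,address,uint256)
    "b88d4fde": "safeTransferFrom",     # safeTransferFrom(address,address,uint256,bytes)
    "23b872dd": "transferFrom",         # transferFrom(address,address,uint256)
    "a9059cbb": "transfer",             # transfer(address,uint256)
}

def _word(data: bytes, i: int) -> int:
    """i-th 32-byte ABI argument as an integer (arguments follow the 4-byte selector)."""
    return int.from_bytes(data[4 + 32 * i:4 + 32 * (i + 1)], "big")

def _addr(data: bytes, i: int) -> str:
    """i-th argument decoded as a lower-case 0x-prefixed address."""
    return "0x" + format(_word(data, i), "040x")

def review_tx(to: str, calldata: str, intended_token: str, intended_amount: int,
              trusted_operators: set[str]) -> list[str]:
    """Return the red flags found; an empty list means none of the checks fired."""
    flags = []
    if to.lower() != intended_token.lower():
        flags.append(f"targets contract {to}, not the token you intended ({intended_token})")
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4 or (len(data) - 4) % 32:
        return flags + ["malformed calldata"]
    name = SELECTORS.get(data[:4].hex())
    if name is None:
        return flags + ["unknown function selector; do not sign what you cannot read"]
    trusted = {a.lower() for a in trusted_operators}
    if name == "approve":
        spender, amount = _addr(data, 0), _word(data, 1)
        if amount == UNLIMITED:
            flags.append("unlimited allowance requested")
        elif amount > intended_amount:
            flags.append(f"allowance {amount} exceeds the {intended_amount} you meant to spend")
        if spender not in trusted:
            flags.append(f"spender {spender} is not on your allowlist")
    elif name == "setApprovalForAll":
        operator, approved = _addr(data, 0), bool(_word(data, 1))
        if approved and operator not in trusted:
            flags.append(f"setApprovalForAll gives {operator} control of the whole collection")
    else:  # transfer / transferFrom / safeTransferFrom: tokens move immediately
        flags.append(f"{name} moves tokens now; a swap or mint should not need it")
    return flags
```

A wallet prompt shows `to` and the calldata hex; pasting both into `review_tx` together with the token and amount you actually meant to use reproduces the checklist mechanically.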

An example of an irreversible wallet attack

After the contract is signed, a new address gets added to the list of wallet owners and trustees. This address then gains the ability to approve or reject transactions, effectively converting the wallet into a multi-signature one, where ownership is shared by more than one entity. 

After a wallet has been compromised in such a manner, there’s no turning back; it cannot be recovered. However, there is a way to safeguard against this type of attack. Simply add one of your own addresses as an additional owner to your wallet. Yes, it means you'll need additional signatures for transactions, but it’s a small price to pay to secure your wallet against future thefts.

And of course, always keep your seed phrase safe and secure. No matter what pretext is given, remember the golden rule: “Not your keys, not your coins.”

Store your crypto assets in various wallets

It might seem obvious, but it truly is effective advice. Make use of different wallets when interacting with dApps and distributing your funds. This strategy ensures that you always have a specific address available to assess the risks of uncertain projects and to deal with potentially unsafe websites. If everything proves to be secure and nothing untoward happens with your trial wallet, then it’s safe to proceed with using your main one. 

What to do if your crypto wallet is compromised?

The first 24 hours following a theft are crucial. During this time, you still have the opportunity to track the movement of your tokens on the blockchain and engage the support teams of the platforms they pass through. 

To begin, gather all possible evidence of the theft: screenshots of conversations with the attacker, addresses of the smart contracts involved, and proof of the coins being withdrawn from your wallet. Make sure to obtain the transaction hash for every action the thief carried out, and document the token contract addresses involved in these transactions.

Using a blockchain explorer, follow the path of the tokens on your own. If they pass through swappers or exchange platforms that offer customer support, get in touch with them immediately. Attach your theft evidence to your message and request them to flag the tokens as suspicious. This can be a significant help in any potential legal proceedings and can expedite the cryptocurrency freezing process, especially in the case of stablecoins. 

In situations where funds have been withdrawn as USDT, you have the option to have them frozen in the scammer’s wallet, but you need to act swiftly and contact Tether directly. Resolving this issue without your active involvement could take more than a month. While private specialists might be able to resolve the situation faster, they will only take the case if the amount of damage is substantial enough to warrant their service fee.