Malicious actors send forged transactions to crypto exchanges, which platforms erroneously identify as legitimate deposits and credit funds to accounts. SlowMist researchers disclosed this type of attack.
“It should be noted that attacks through fake deposits are not blockchain vulnerabilities. Instead, attackers use certain network characteristics to create special transactions,” the experts noted.
According to them, the hackers’ objective is to exploit bugs and systemic errors in exchange deposit-processing mechanisms.
Since 2018, SlowMist researchers have identified several variants of such attacks, including:
- the transaction appears in the mempool but is not included in a block due to its replacement by the attacker;
- the operation gets mined into a block but is not executed due to a deliberately incorrect logic parameter;
- the transfer is counted multiple times (double spend);
- a network fork in which the block and its transactions are deemed invalid;
- reversal of a transfer.
The last method was demonstrated by attackers using TON tokens, leveraging blockchain properties, the experts noted. Practically all internal messages between smart contracts in this network should be “rejectable.” As a result, the hackers, by initiating a transaction to an account without a contract and enabling the “return” option, recover their funds, minus fees. At the same time, the exchange manages to credit the revoked transfer to them, SlowMist noted.
To guard against fake-deposit attacks, the firm recommended several measures for trading platforms, such as:
- the implementation of a multi-confirmation mechanism;
- rigorous transaction reconciliation;
- the creation of a risk-control system;
- manual review of large transfers;
- temporary limits on withdrawing deposited funds.
In July, the company’s experts reported the discovery of a phishing program in the App Store aimed at stealing user data and cryptocurrencies.