Bitcoin Forum
Author Topic: Binance smart chain and 0 dollars transactions attack  (Read 243 times)
vv181
December 02, 2022, 01:38:06 PM
#21

Interesting and out of mind!

The smart contract token implementation should not make this scenario possible; it is faulty at its finest. Logically, on the first hand, a system should not allow any transactions that are solely based on balance checking, as mentioned on StackExchange:

if balance - amountToTransfer is not negative then allow it and 0 - 0 is not negative

This means

    Account A can send 0 tokens to account B, even if account A has 0 tokens
    Account C can send 0 tokens from any Account to any other Account even without approval.

Quote
I lost by this vulnerability 100000 dollars.
https://bitcointalk.org/index.php?topic=5425022.0

I wonder whether it is the norm to use the last withdrawal transaction address from your wallet, because beforehand I could not think of any users who do that. Nevertheless, alas, you are the one who gets scammed because of this faulty mechanism.
JunkieMiner
December 02, 2022, 06:13:36 PM
#22

I made a transaction today from my Trust Wallet to my MEXC account of around $300. After the transaction occurred, at the same time 0 USDT was transferred from my Trust Wallet account to that MEXC account to which I had already sent the $300. Strange! Then I checked the transaction, and it was the same as my MEXC account.
oliver_g
December 02, 2022, 06:41:44 PM
#23

Quote
I made a transaction today from my Trustwallet to my MEXC Account of around 300$, after the transaction occurs, at the same time 0 USDT has been transferred from my Trust wallet
Can you give a link to your transaction on bscscan?
zasad@
December 05, 2022, 07:03:32 PM
#24

Finally, I found a good explanation for this attack:

Address Poisoning Attack, A continuing Threat
https://mirror.xyz/x-explore.eth/cL3d_CyNujXq8XY7ueP4omNXx_IY1EG5Dz0FD0vJ90M
"As of December 2, the number of attacks on the BSC and ETH chains exceeded 290,000 and 40,000, respectively, and the number of independent addresses affected by the attacks exceeded 150,000 and 36,000, respectively."

You can say thank you to the user Ratimov
https://bitcointalk.org/index.php?topic=5425735.msg61392318#msg61392318
You need to be careful and check the addresses more carefully.
MikkisJ (OP)
December 05, 2022, 10:30:13 PM
#25

Quote
And please explain to me why I can't find info on something even related to this or why no one is talking about this?

Because it's a new attack. And there are people discussing it, you just don't even bother to check.

Quote
Can you also sign messages with other people's wallets while you are at it?

I told you, only 0 token transaction is possible without your keys. Signing is not possible. Why do you keep asking these stupid questions?
kelonmusk
December 06, 2022, 04:20:58 AM
#26

The OP lacks details explaining the question. According to my analysis, the scenario is like this (correct me if you have another opinion):

First, the attacker steals your address's private key. (This is how he gets your token.) This is impossible.

Second, the attacker creates a transaction that transfers all of your tokens to his own address, which is similar to yours. (The attacker has now taken your token without giving you anything in return.)

Third, the attacker sends a transaction of 0 tokens from your address to his own address. (This is what makes it look like you sent the token to the scammer yourself.)

MikkisJ (OP)
December 06, 2022, 12:24:00 PM
#27

Quote
The OP lacks details explaining the question. According to my analysis, the scenario is like this (correct me if you have another opinion):

First, the attacker steals your address's private key. (This is how he gets your token.) This is impossible.

Second, the attacker creates a transaction that transfers all of your tokens to his own address, which is similar to yours. (The attacker has now taken your token without giving you anything in return.)

Third, the attacker sends a transaction of 0 tokens from your address to his own address. (This is what makes it look like you sent the token to the scammer yourself.)

You have to read other posts in the thread. Your scenario is wrong. The explanation is a few posts above.

Read this
https://bitcointalk.org/index.php?topic=5424680.msg61397716#msg61397716
o48o
December 06, 2022, 12:56:03 PM
#28

Quote
-cut-
Because it's a new attack. And there are people discussing it, you just don't even bother to check.
-cut-
I stand corrected, but bothering to check? You didn't provide any links to places where people were discussing it. zasad@ did, about a week after my post that you are now answering.

So yes, both of us now know that people are talking about it. I didn't see a reason to apologize afterwards because I was speaking with the information I had at the time, and it would just be repeating what zasad@ typed.
Jaered
December 06, 2022, 06:30:49 PM
#29

This has happened to me before, like 6 months ago. I just copied a wallet address from my MetaMask transaction history and sent some Fantom tokens to it. When I didn't receive it, I had to double-check the wallet address, only to realize it was a fake. Thankfully it wasn't up to $100 worth of tokens.
oliver_g
December 08, 2022, 05:59:01 PM
Last edit: December 08, 2022, 07:09:12 PM by oliver_g
#30

It is now very clearly visible that Binance is involved in this scam, judging by how they behave.

Quote from binance smart chain support:
Quote
Hello,

After reviewing the case, we have concluded that this was not due to a vulnerability in BSC.

1. The 0 transfer from your address 0xb410e3d622D1072eE3E1cc6cdc90120E657977F7 to scammer's address 0x27feaafd9b46b74bee510a0a538615d2ff639871 was not a withdrawal but a call to the token contract's https://bscscan.com/token/0xe9e7cea3dedca5984780bafc599bd69add087d56#writeContract transferFrom function. The transferFrom function does not require the private key of the sender address if the amount is 0. Anyone can call transferFrom with any address + 0 amount in token contract.

Note that this function is not specific to BEP20 but to ERC20 tokens as well. If you check this contract from Etherscan (and other token contracts) https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#writeContract, you will be able to find and call the same transferFrom function.

2. What the scammer has managed to achieve was to use the function to his advantage and target users who would copy the scam address from the previous transactions, trick them into thinking that it was a legit address and make a deposit to it.


We have raised this to our security team to check the possibility of tracking this scammer.
We are also thinking of possible solutions on how we can help users from falling victim.

Quote
Hi, I understand your frustration. I am actually aware of this case, this is not a vulnerability issue, and it is not an issue with Binance Smart Chain itself. It is the way ERC20 was designed, so it is happening on Ethereum and other EVM compatible blockchains as well. I honestly don't think there is anything we can do about it, it is just like a phishing attack on web2, not a vulnerability with the internet but more like a scammer attack on an open network. I would recommend next time making a transfer, specially a large transfer to verify the destination wallet address.
I just do not believe that it is impossible to fix this vulnerability.
People lost their money and Binance does nothing, just wisecracks "you must double check deposit address".
Updated statistics:
https://dune.com/opang/first-and-last-address-construction
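As an added illustration (not code from this thread, from Binance or from any token contract), the Python below models the two checks that let a 0-amount transferFrom pass without approval, as described in the Binance support reply above, and applies zasad@'s "check the addresses more carefully" advice as a triage over a transfer history: any zero-value transfer whose counterparty shares the displayed prefix and suffix of an address you have genuinely paid is flagged as a likely poisoning entry. All addresses and transaction hashes are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    """One Transfer(from, to, value) event of a BEP20/ERC20 token."""
    tx_hash: str
    sender: str
    recipient: str
    amount: int  # raw token units

def erc20_transfer_from_allowed(allowance: int, balance: int, amount: int) -> bool:
    """The checks a typical ERC20 transferFrom makes before emitting Transfer.
    amount == 0 satisfies both even if the caller was never approved, so a
    stranger can emit a 0-value Transfer from any address."""
    return allowance >= amount and balance >= amount

def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if two distinct addresses share their first `prefix` and last
    `suffix` hex digits, which is all most wallet UIs display."""
    a, b = a.lower(), b.lower()
    return a != b and a[2:2 + prefix] == b[2:2 + prefix] and a[-suffix:] == b[-suffix:]

def find_poisoning(transfers, my_address):
    """Flag zero-value transfers touching my_address whose counterparty mimics
    an address my_address has genuinely paid before: (event, mimicked_address)."""
    my = my_address.lower()
    trusted = {t.recipient.lower() for t in transfers
               if t.sender.lower() == my and t.amount > 0}
    flagged = []
    for t in transfers:
        if t.amount != 0:
            continue
        if t.sender.lower() == my:
            counterparty = t.recipient.lower()
        elif t.recipient.lower() == my:
            counterparty = t.sender.lower()
        else:
            continue
        flagged += [(t, known) for known in trusted if looks_alike(counterparty, known)]
    return flagged

# Constructed sample history; addresses and hashes below are made up.
MY = "0xb4100123456789abcdef0123456789abcdef77f7"
LEGIT = "0x27fe111122223333444455556666777788889871"  # exchange deposit address
POISON = "0x27feaaaabbbbccccddddeeeeffff000099999871"  # same first/last 4 hex digits
SAMPLE = [
    Transfer("0xtx1", MY, LEGIT, 300 * 10**18),  # real 300-token deposit
    Transfer("0xtx2", MY, POISON, 0),            # attacker's transferFrom(MY, POISON, 0)
    Transfer("0xtx3", "0x" + "c" * 40, MY, 0),   # unrelated zero-value dust, no lookalike
]
```

Running `find_poisoning(SAMPLE, MY)` returns only the 0xtx2 entry paired with the legitimate address it mimics; the same pass can be run over a real history before copying any address out of it.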