It is now very clearly visible that Binance is involved in this scam, judging by how they behave.
Quote from Binance Smart Chain support:
Hello,
After reviewing the case, we have concluded that this was not due to a vulnerability in BSC.
1. The 0 transfer from your address 0xb410e3d622D1072eE3E1cc6cdc90120E657977F7 to the scammer's address 0x27feaafd9b46b74bee510a0a538615d2ff639871 was not a withdrawal but a call to the token contract's
https://bscscan.com/token/0xe9e7cea3dedca5984780bafc599bd69add087d56#writeContract transferFrom function. The transferFrom function does not require the private key of the sender address if the amount is 0. Anyone can call transferFrom with any address + 0 amount in the token contract.
Note that this function is not specific to BEP20 but applies to ERC20 tokens as well. If you check this contract on Etherscan (and other token contracts)
https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7#writeContract, you will be able to find and call the same transferFrom function.
2. What the scammer managed to achieve was to use the function to his advantage and target users who would copy the scam address from their previous transactions, trick them into thinking that it was a legitimate address, and make a deposit to it.
We have raised this to our security team to check the possibility of tracking this scammer.
We are also thinking of possible solutions for how we can keep users from falling victim.
Hi, I understand your frustration. I am actually aware of this case. This is not a vulnerability issue, and it is not an issue with Binance Smart Chain itself. It is the way ERC20 was designed, so it is happening on Ethereum and other EVM-compatible blockchains as well. I honestly don't think there is anything we can do about it; it is just like a phishing attack on web2, not a vulnerability in the internet but more like a scammer attack on an open network. I would recommend, next time you make a transfer, especially a large transfer, verifying the destination wallet address.
I just do not believe that it is impossible to fix this vulnerability.
People lost their money and Binance does nothing, just wisecracks "you must double-check the deposit address".
Updated statistics:
https://dune.com/opang/first-and-last-address-construction
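Added example (not code from this thread, from Binance, or from the BUSD/USDT contracts): a minimal Python model of the ERC20 allowance check that support describes, showing why transferFrom(victim, scammer, 0) succeeds with no approval and no private key, next to a detector that flags the resulting zero-value history entries and any counterparty whose first and last hex digits mimic a trusted address. The exchange address and the transaction list are constructed; the victim and scammer addresses are the two quoted above.

```python
"""Added example (not code from the thread, Binance, or the token contracts):
a minimal model of why ERC20/BEP20 transferFrom with amount 0 needs no
approval, and a detector for the look-alike-address poisoning it enables.
The exchange address and the transaction list are constructed; the victim
and scammer addresses are the two quoted in the thread."""

from dataclasses import dataclass, field

VICTIM = "0xb410e3d622D1072eE3E1cc6cdc90120E657977F7"
SCAMMER = "0x27feaafd9b46b74bee510a0a538615d2ff639871"
# Constructed: a "real" deposit address the scammer's address resembles
# (same first 4 and last 4 hex digits, different middle).
LEGIT_EXCHANGE = "0x27fe" + "a" * 32 + "9871"


def same_address(a, b):
    """Exact, case-insensitive comparison of two hex addresses."""
    return a.lower() == b.lower()


def looks_alike(a, b, head=6, tail=4):
    """Different addresses that agree on the leading `head` chars (incl. 0x) and
    trailing `tail` chars, i.e. what a truncated 0x27fe...9871 UI shows."""
    a, b = a.lower(), b.lower()
    return a != b and a[:head] == b[:head] and a[-tail:] == b[-tail:]


@dataclass
class MiniERC20:
    """Just enough ERC20 state to show the allowance check."""
    balances: dict = field(default_factory=dict)    # holder -> amount
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount
    events: list = field(default_factory=list)      # emitted Transfer events

    def transfer_from(self, caller, owner, to, amount):
        # Standard ERC20: msg.sender may move `amount` of owner's tokens only if
        # allowance(owner, caller) >= amount. No allowance means 0, and 0 >= 0,
        # so a zero-amount call passes with no approval and no private key.
        key = (owner.lower(), caller.lower())
        allowed = self.allowances.get(key, 0)
        if allowed < amount:
            raise PermissionError("ERC20: insufficient allowance")
        if self.balances.get(owner.lower(), 0) < amount:
            raise ValueError("ERC20: transfer amount exceeds balance")
        self.allowances[key] = allowed - amount
        self.balances[owner.lower()] = self.balances.get(owner.lower(), 0) - amount
        self.balances[to.lower()] = self.balances.get(to.lower(), 0) + amount
        # The Transfer(owner, to, 0) event is what explorers and wallets render
        # in the victim's history, making the scammer's address look familiar.
        self.events.append(("Transfer", owner, to, amount))
        return True


def poison_attempt(amount):
    """Scammer calls transferFrom(victim, scammer, amount) with no approval.
    Returns True if the call succeeded, False if it reverted."""
    token = MiniERC20(balances={VICTIM.lower(): 1_000})
    try:
        return token.transfer_from(caller=SCAMMER, owner=VICTIM, to=SCAMMER, amount=amount)
    except (PermissionError, ValueError):
        return False


# Constructed transfer history as a wallet UI would list it for VICTIM.
CONSTRUCTED_TXS = [
    {"from": VICTIM, "to": LEGIT_EXCHANGE, "value": 1_000},  # genuine earlier deposit
    {"from": VICTIM, "to": SCAMMER, "value": 0},             # poison, "sent" by anyone
    {"from": SCAMMER, "to": VICTIM, "value": 0},             # poison in the other direction
]


def flag_poisoning(txs, wallet, trusted):
    """Return {tx index: [reasons]} for transfers that fit the poisoning pattern:
    a zero-value transfer, or a counterparty that mimics a trusted address."""
    flags = {}
    for i, tx in enumerate(txs):
        counterparty = tx["to"] if same_address(tx["from"], wallet) else tx["from"]
        reasons = []
        if tx["value"] == 0:
            reasons.append("zero-value transfer: proves nothing about the counterparty")
        for t in trusted:
            if looks_alike(counterparty, t):
                reasons.append(f"counterparty mimics trusted {t[:6]}...{t[-4:]}")
        if reasons:
            flags[i] = reasons
    return flags


def safe_destination(addr, trusted):
    """Pre-send check: accept only an exact match with a trusted address,
    never a prefix/suffix match copied from history."""
    return any(same_address(addr, t) for t in trusted)


if __name__ == "__main__":
    print("zero-amount transferFrom, no approval:", poison_attempt(0))
    print("one-token transferFrom, no approval:", poison_attempt(1))
    for i, why in flag_poisoning(CONSTRUCTED_TXS, VICTIM, [LEGIT_EXCHANGE]).items():
        print(f"tx[{i}] counterparty {CONSTRUCTED_TXS[i]['to']}: {'; '.join(why)}")
    print("safe to send to scammer address?", safe_destination(SCAMMER, [LEGIT_EXCHANGE]))
```

The point of the pre-send check is that the only comparison that protects against this is a full-address match against a source you trust (an address book, a fresh copy from the exchange's deposit page), never a first-and-last-digits glance at your own transaction history, since the history is exactly what the zero-value calls let a stranger write into.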