Sniping Phishing: Understand the Four Major Risk Transaction Interception Features of the OKX Web3 Wallet in One Article
Scam Sniffer's mid-2024 phishing report indicates that in the first half of 2024 alone, 260,000 victims on EVM chains lost $314 million, with 20 individuals losing over $1 million each. One victim lost $11 million, the second-largest single phishing loss on record.
According to the report's summary, most current thefts of ERC-20 tokens stem from users signing phishing signatures such as Permit, IncreaseAllowance and Uniswap Permit2. Most large thefts involve staking, restaking, Aave collateral and Pendle tokens. Victims are usually led to phishing websites by phishing comments posted from fake Twitter accounts.
Phishing remains, without doubt, the biggest disaster zone in on-chain security.
As an entry-level product built around users' trading needs, the OKX Web3 wallet focuses on security measures and user education. The team recently upgraded its risk transaction interception feature around the highest-frequency phishing scenarios and says it will keep adding risk scenarios to the alerting over time.
This article explains the scenarios covered by the four risk transaction interception features in the OKX Web3 wallet's latest upgrade, and along the way walks through how several real theft cases actually worked, in the hope that it is useful to you.
1. Malicious Authorization to EOA Accounts
On June 26, a user lost $217,000 after signing multiple phishing signatures on a fake Blast phishing site; on July 3, ZachXBT reported that address 0xD7b2 had fallen victim to Fake_Phishing 187019, losing 6 BAYC NFTs and 40 Beans (worth over $1 million); on July 24, a Pendle user lost approximately $4.69 million in PENDLEPT restaked tokens after signing multiple Permit phishing signatures about an hour earlier.
In the past two months there have been numerous such incidents and significant losses from signature phishing in its various forms, making this the scenario where security problems occur most often. The vast majority of these cases come down to inducing the user to approve a hacker-controlled EOA account.
Malicious authorization to an EOA account generally means the hacker lures the user, usually with some airdrop, reward or other "welfare" activity, into signing an approval that grants an attacker-controlled EOA address spending rights over the tokens held by the user's address.
EOA stands for Externally Owned Account, a type of account on Ethereum-based blockchain networks that is distinct from a contract account: an EOA is controlled by a user's private key, not by smart contract code. In normal on-chain use, users approve project smart contracts (a router, a lending pool) rather than someone's personal EOA, which is why an approval whose spender is an EOA is such a strong phishing signal.
There are currently three common authorization methods. Approve is the standard ERC-20 authorization: it allows a third party (such as a smart contract) to spend a given amount of tokens on behalf of the token holder. The user first approves a certain amount for a spender, after which the spender can call transferFrom at any time to move those tokens. If the user inadvertently approves a malicious spender, the approved tokens can be transferred immediately. Notably, because the victim sends the approve transaction themselves, the approval is visible in the victim's own wallet address history.
Permit (EIP-2612) is an extension of the ERC-20 standard that lets an allowance be set with an off-chain message signature instead of a direct on-chain approve call: the holder signs a typed message naming the spender, amount and deadline, and anyone holding that signature can submit it to the token's permit() function to set the allowance. In simple terms, users can approve others to transfer their tokens just by signing. Hackers exploit this by, for example, wiring a phishing site's wallet login button to a Permit signature request, so the victim signs away spending rights while believing they are merely logging in.
Permit2 is not part of the ERC-20 standard; it is a contract Uniswap introduced for user convenience. The user grants the Permit2 contract an allowance once (a single gas-paying transaction), after which per-application allowances are set by signature. Note, however, that if you have previously used Uniswap and granted Permit2 an unlimited allowance on a token, you may become a target for Permit2 phishing: a single phishing signature is enough for an attacker to move that token through Permit2.
Permit and Permit2 are off-chain signature methods: the victim's wallet address sends no transaction and pays no gas, and it is the phishing wallet address that submits the signature on-chain and pays for the operation. Traces of these two signature types therefore appear only in the phishing wallet address's history, not in the victim's, which is why victims often notice nothing until funds are gone. Permit and Permit2 signature phishing has become a major disaster zone in Web3 asset security.
How does the OKX Web3 wallet interception feature work in this scenario?
The OKX Web3 wallet performs pre-analysis on pending transactions and signature requests. If the analysis shows that the request is an authorization (approve, increaseAllowance, Permit or Permit2) and the spender being authorized is an EOA address, it alerts the user before signing, to prevent phishing and asset loss.
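The check described above, as an added example (this is not OKX Web3 wallet code): it parses the two shapes a wallet actually sees, an `eth_sendTransaction` carrying approve/increaseAllowance calldata and an `eth_signTypedData_v4` payload for EIP-2612 Permit or Uniswap Permit2, extracts the spender, and asks whether the spender has code. The `CODE_AT` table is a constructed stand-in for `eth_getCode`; the attacker and token addresses are constructed; the Permit2 address is the canonical deployment.

```python
# Added example (not OKX Web3 wallet code): pre-transaction analysis that flags
# an ERC-20 approval or permit-style signature whose spender is an EOA.
# Assumptions: the wallet sees the raw JSON-RPC request, and CODE_AT is a
# constructed stand-in for eth_getCode ("0x" means no code, i.e. an EOA).

# 4-byte selectors (keccak256 of the signature) of the two on-chain approval paths.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}

# primaryType values whose top-level `spender` field names who may spend:
# EIP-2612 Permit, and the Uniswap Permit2 allowance / signature-transfer structs.
PERMIT_PRIMARY_TYPES = {
    "Permit", "PermitSingle", "PermitBatch",
    "PermitTransferFrom", "PermitBatchTransferFrom",
}

PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3"   # canonical Permit2 deployment
ATTACKER_EOA = "0x" + "ab" * 20                            # constructed attacker address

# Constructed eth_getCode table: anything absent is treated as having no code.
CODE_AT = {PERMIT2: "0x6080604052..."}

def is_eoa(address, code_at=CODE_AT):
    """No deployed code at the address => externally owned account."""
    return code_at.get(address.lower(), "0x") == "0x"

def approve_calldata(spender, amount):
    """Build approve(spender, amount) calldata (used here to construct sample requests)."""
    return "0x095ea7b3" + spender.lower().removeprefix("0x").rjust(64, "0") + f"{amount:064x}"

def spender_from_calldata(data):
    """(function, spender) for approve/increaseAllowance calldata, else None."""
    data = data.lower().removeprefix("0x")
    fn = APPROVAL_SELECTORS.get(data[:8])
    if fn is None or len(data) < 8 + 2 * 64:
        return None
    return fn, "0x" + data[8 + 24:8 + 64]        # address = low 20 bytes of word 0

def spender_from_typed_data(typed):
    """(primaryType, spender) for permit-style EIP-712 payloads, else None."""
    primary = typed.get("primaryType")
    if primary not in PERMIT_PRIMARY_TYPES:
        return None
    return primary, typed["message"]["spender"]

def analyze_request(method, params, code_at=CODE_AT):
    """Classify one signing request the way a pre-transaction analyzer would."""
    if method == "eth_sendTransaction":
        found = spender_from_calldata(params.get("data", "0x"))
    elif method == "eth_signTypedData_v4":
        found = spender_from_typed_data(params)
    else:
        found = None
    if not found:
        return {"risk": "none", "spender": None, "reason": "not an approval or permit"}
    kind, spender = found
    if is_eoa(spender, code_at):
        return {"risk": "high", "spender": spender.lower(),
                "reason": f"{kind} grants spending rights to an EOA; legitimate dApps approve contracts"}
    return {"risk": "low", "spender": spender.lower(), "reason": f"{kind} to a contract"}

# Constructed sample requests: a phishing approve, a phishing Permit2 signature,
# and a legitimate one-time approval of the Permit2 contract itself.
SAMPLES = {
    "phishing_approve": ("eth_sendTransaction",
        {"to": "0x" + "cd" * 20, "data": approve_calldata(ATTACKER_EOA, 2**256 - 1)}),
    "phishing_permit2": ("eth_signTypedData_v4",
        {"primaryType": "PermitSingle",
         "domain": {"name": "Permit2", "chainId": 1, "verifyingContract": PERMIT2},
         "message": {"details": {"token": "0x" + "cd" * 20, "amount": str(2**160 - 1),
                                 "expiration": "1893456000", "nonce": "0"},
                     "spender": ATTACKER_EOA, "sigDeadline": "1893456000"}}),
    "legit_permit2_approve": ("eth_sendTransaction",
        {"to": "0x" + "cd" * 20, "data": approve_calldata(PERMIT2, 2**256 - 1)}),
}

if __name__ == "__main__":
    for name, (method, params) in SAMPLES.items():
        print(name, analyze_request(method, params))
```

Two points worth noting: the EOA check deliberately runs on the spender, not on the `to` address of the transaction, because in an approve the `to` is always the (legitimate) token contract; and the third sample shows why the rule is about the spender being an EOA rather than about the amount, since a one-time unlimited approval of the real Permit2 contract is exactly what Uniswap asks for, and it is the later Permit2 signature to an EOA spender that does the damage.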
2. Malicious Change of Account Owner
Malicious changes of account owner typically occur on public chains such as TRON and Solana, whose account models include an explicit owner or permission holder that a transaction can reassign. Once the user signs such a transaction, they lose control of their account.
Taking the TRON wallet as an example, TRON's multi-signature permission system has three different permissions: Owner, Witness, and Active, each with specific functions and uses.
Owner permission has the highest authority to execute all contracts and operations; only those with this permission can modify other permissions, including adding or removing other signers; after creating a new account, it defaults to the account itself having this permission.
Witness permission is mainly related to Super Representatives, and accounts with this permission can participate in the election and voting of Super Representatives, managing operations related to them.
Active permission is used for daily operations, such as transfers and calling smart contracts. This permission can be set and modified by Owner permission and is commonly used to allocate to accounts that need to perform specific tasks; it is a collection of several authorized operations (such as TRX transfers and staking assets).
One scenario is when hackers obtain a user's private key or mnemonic phrase. If the account is not already multi-signed (i.e. the wallet account is controlled solely by the user's key), the hacker can grant Owner/Active permission to their own address, or transfer the user's Owner/Active permission to themselves, rather than sweeping the funds right away. This operation is commonly referred to as malicious multi-signing.
If the user's own Owner/Active permission has not been removed, the hacker co-manages the account with the user through the multi-signature mechanism. The user still holds the private key/mnemonic and still has Owner/Active permission, but can no longer transfer assets: when the user initiates a transfer, both the user's and the hacker's addresses must sign for it to execute.
The other scenario is when hackers abuse TRON's permission management design to transfer the user's Owner/Active permission directly to the hacker's address, typically by getting the user to sign a permission-update transaction, so that the user is left without Owner/Active permission at all.
The outcome of both scenarios is the same: whether or not the user nominally retains Owner/Active permission, they lose actual control of the account, while the hacker's address gains the highest permission and can change the account's permissions, transfer assets, and so on.
How does the OKX Web3 wallet interception feature work in this scenario?
The OKX Web3 wallet performs pre-analysis on pending transactions. If the analysis shows that the transaction changes account permissions (on TRON, a transaction of type AccountPermissionUpdateContract that rewrites the Owner or Active key set), it intercepts the transaction outright rather than merely warning, so the signature is never produced and the takeover is stopped at the source.
Because the outcome is so severe, the wallet currently hard-blocks these transactions and does not let the user proceed with them.
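An added example of that screen (not OKX Web3 wallet code), which goes one step beyond the page's blanket block: it also names the takeover pattern, distinguishing "account removed" from "attacker added as mandatory co-signer" by looking at the new threshold and key weights. The payload shape (owner_address, owner, actives[], each with a threshold and weighted keys) follows TRON's permission-update API; the addresses are constructed placeholders, not real accounts.

```python
# Added example (not OKX Web3 wallet code): screening a TRON
# AccountPermissionUpdateContract before it is signed. The payload shape
# (owner_address, owner, actives[], each with threshold and weighted keys)
# follows the TRON HTTP API; the addresses are constructed placeholders.

USER = "TUSER" + "1" * 29       # constructed: the signing account's base58 address
ATTACKER = "TEVIL" + "9" * 29   # constructed attacker-controlled address

def _weights(perm):
    """{address: total weight} for one permission's key list."""
    out = {}
    for k in perm.get("keys", []):
        out[k["address"]] = out.get(k["address"], 0) + int(k.get("weight", 1))
    return out

def takeover_pattern(perm, account):
    """Describe how a single permission shifts control away from `account`, or None."""
    threshold = int(perm.get("threshold", 1))
    weights = _weights(perm)
    own = weights.get(account, 0)
    foreign = {a: w for a, w in weights.items() if a != account}
    if not foreign and own >= threshold:
        return None                                  # account still controls it alone
    if own == 0:
        return "permission transferred: account removed from key list"
    if any(w >= threshold for w in foreign.values()):
        return "permission shared: a foreign key can act alone"
    if own < threshold:
        return "malicious multisig: account cannot reach threshold without foreign co-signer"
    return "foreign key added alongside account"

def screen_tron_contract(contract_type, value):
    """Hard-block any permission change (the wallet policy on the page) and say why."""
    if contract_type != "AccountPermissionUpdateContract":
        return {"action": "allow", "findings": []}
    account = value["owner_address"]
    perms = [("owner", value["owner"])] + [
        (f"active:{p.get('permission_name', 'active')}", p) for p in value.get("actives", [])]
    findings = []
    for name, perm in perms:
        pattern = takeover_pattern(perm, account)
        if pattern:
            findings.append(f"{name}: {pattern}")
    return {"action": "block", "findings": findings}

# Constructed: scenario 1, attacker added as co-owner with threshold 2 (both must sign),
# and the active permission handed to the attacker outright.
SHARED_OWNER = {
    "owner_address": USER,
    "owner": {"type": 0, "permission_name": "owner", "threshold": 2,
              "keys": [{"address": USER, "weight": 1}, {"address": ATTACKER, "weight": 1}]},
    "actives": [{"type": 2, "permission_name": "active", "threshold": 1,
                 "keys": [{"address": ATTACKER, "weight": 1}]}],
}

# Constructed: scenario 2, owner permission transferred entirely to the attacker.
OWNER_TRANSFERRED = {
    "owner_address": USER,
    "owner": {"type": 0, "permission_name": "owner", "threshold": 1,
              "keys": [{"address": ATTACKER, "weight": 1}]},
    "actives": [],
}

# Constructed: a plain TRX transfer, which this screen lets through.
PLAIN_TRANSFER = {"owner_address": USER, "to_address": ATTACKER, "amount": 1_000_000}

if __name__ == "__main__":
    print(screen_tron_contract("AccountPermissionUpdateContract", SHARED_OWNER))
    print(screen_tron_contract("AccountPermissionUpdateContract", OWNER_TRANSFERRED))
    print(screen_tron_contract("TransferContract", PLAIN_TRANSFER))
```

The verdict is keyed on the contract type alone, matching the page's policy that any permission change is blocked; the pattern text exists so the alert can tell the user what would have happened (co-signer lock-out versus outright loss), which is more persuasive than a generic warning when the user has been told by the phishing site that the signature is a harmless "activation" step.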
3. Malicious Change of Transfer Address
The risk scenario of a maliciously changed transfer address mainly arises when a DApp contract's design lets the caller choose, in the same call, the address that will end up receiving the funds.
On March 5, @CyversAlerts detected that an address starting with 0xae7ab had received 4 stETH from EigenLayer, with a contract value of $14,199.57, in what appeared to be a phishing attack. They also pointed out that several victims had signed "queueWithdrawal" phishing transactions on mainnet.
Angel Drainer exploited a property of Ethereum staking: withdrawals here are not governed by a conventional ERC-20 approve, and the drainer specifically targeted the queueWithdrawal (0xf123991e) function of the EigenLayer Strategy Manager contract. The core of the attack is that by signing a queueWithdrawal transaction on the phishing page, the user queues a withdrawal of their own staked position with the withdrawer set to an address chosen by the attacker. In simple terms, once you confirm that transaction on the phishing site, your staked assets in EigenLayer belong to the attacker.
To make detection harder, the attacker sets the withdrawer to an address precomputed with CREATE2, which has no code and no history at the time of signing. Because this is a new kind of "approval", most security providers and in-house tools do not parse or verify it: checking the destination against a blocklist or for deployed code turns up nothing, so in most cases the transaction was labelled benign.
This is not an isolated case: this year several mainstream public-chain ecosystems have seen poorly designed contracts allow a user's transfer destination to be maliciously changed, resulting in financial loss.
How does the OKX Web3 wallet interception feature work in this scenario?
For phishing scenarios targeting EigenLayer, the OKX Web3 wallet analyzes transactions that call "queueWithdrawal". If it detects that the user is interacting with a non-official website and the withdrawal destination is not the user's own address, it warns the user and forces an extra confirmation step, to prevent the phishing attack from going through.
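The decode-and-compare step behind that check, as an added example (not OKX Web3 wallet code). The selector 0xf123991e is the one given above; the argument layout is assumed from the pre-M2 StrategyManager ABI, `queueWithdrawal(uint256[] strategyIndexes, address[] strategies, uint256[] shares, address withdrawer, bool undelegateIfPossible)`. The withdrawer is a static argument, so it sits in the fixed-position head of the calldata and can be read without decoding the dynamic arrays; the arrays are decoded anyway so the alert can show how many shares are at stake. Addresses, origins and the official-site allow-list are constructed.

```python
# Added example (not OKX Web3 wallet code): decoding an EigenLayer StrategyManager
# queueWithdrawal call and checking where the shares will go. The page gives the
# selector 0xf123991e; the argument layout is assumed from the pre-M2 ABI:
# queueWithdrawal(uint256[] strategyIndexes, address[] strategies, uint256[] shares,
#                 address withdrawer, bool undelegateIfPossible).
# Addresses and the origin allow-list are constructed.

SELECTOR = "f123991e"
OFFICIAL_ORIGINS = {"https://app.eigenlayer.xyz"}   # assumed allow-list of official front-ends

def _w(n):
    """One 32-byte ABI word as 64 hex chars."""
    return f"{n:064x}"

def _arr(items):
    """ABI tail encoding of a dynamic array: length word then elements."""
    return _w(len(items)) + "".join(_w(x) for x in items)

def encode_queue_withdrawal(strategy_indexes, strategies, shares, withdrawer, undelegate):
    """Encode the call as a phishing page would; used here to build the samples."""
    head = 5 * 32                                   # 3 offsets + address + bool
    off_idx = head
    off_strat = off_idx + 32 * (1 + len(strategy_indexes))
    off_shares = off_strat + 32 * (1 + len(strategies))
    words = _w(off_idx) + _w(off_strat) + _w(off_shares) + _w(int(withdrawer, 16)) + _w(int(undelegate))
    tail = _arr(strategy_indexes) + _arr([int(a, 16) for a in strategies]) + _arr(shares)
    return "0x" + SELECTOR + words + tail

def _word_at(data, byte_off):
    """Word starting at `byte_off` bytes into the argument area, as int."""
    start = 8 + 2 * byte_off
    return int(data[start:start + 64], 16)

def decode_queue_withdrawal(calldata):
    """Pull out withdrawer, strategies and shares; None if not a queueWithdrawal call."""
    data = calldata.lower().removeprefix("0x")
    if data[:8] != SELECTOR or len(data) < 8 + 5 * 64:
        return None
    withdrawer = "0x" + data[8 + 3 * 64 + 24:8 + 4 * 64]     # head slot 3, low 20 bytes
    undelegate = _word_at(data, 4 * 32) == 1
    def read_array(slot):
        off = _word_at(data, slot * 32)                       # head slot holds the tail offset
        n = _word_at(data, off)
        return [_word_at(data, off + 32 * (k + 1)) for k in range(n)]
    strategies = ["0x" + f"{v:040x}" for v in read_array(1)]
    return {"withdrawer": withdrawer, "strategies": strategies,
            "shares": read_array(2), "undelegate": undelegate}

def screen_queue_withdrawal(calldata, origin, user):
    """Warn when shares would be withdrawn to someone other than the signer;
    force an extra confirmation when that happens on a non-official front-end."""
    decoded = decode_queue_withdrawal(calldata)
    if decoded is None:
        return {"risk": "none", "force_confirm": False}
    if decoded["withdrawer"] == user.lower():
        return {"risk": "low", "force_confirm": False, "withdrawer": decoded["withdrawer"]}
    # A CREATE2-precomputed withdrawer has no code and no history yet, so
    # "is it a contract / is it blocklisted" proves nothing; compare to the user instead.
    official = origin in OFFICIAL_ORIGINS
    return {"risk": "high" if not official else "medium",
            "force_confirm": not official, "withdrawer": decoded["withdrawer"],
            "shares": decoded["shares"]}

USER = "0x" + "11" * 20                       # constructed victim address
DRAINER_SINK = "0x" + "22" * 20               # constructed CREATE2-precomputed withdrawer
STETH_STRATEGY = "0x" + "33" * 20             # constructed strategy address

PHISHING_CALL = encode_queue_withdrawal([0], [STETH_STRATEGY], [4 * 10**18], DRAINER_SINK, True)
LEGIT_CALL = encode_queue_withdrawal([0], [STETH_STRATEGY], [4 * 10**18], USER, False)

if __name__ == "__main__":
    print(screen_queue_withdrawal(PHISHING_CALL, "https://eigenlayer-restake.example", USER))
    print(screen_queue_withdrawal(LEGIT_CALL, "https://app.eigenlayer.xyz", USER))
```

The decision is made on the withdrawer versus the signer, not on any property of the withdrawer itself, which is what defeats the CREATE2 trick described above: an address that does not exist yet cannot be on any list, but it can still be "not you".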
4. Transfers to Similar Addresses
The similar-address attack tricks the victim into sending funds to a fake address that closely resembles the address they actually intend to use, so that the funds land in the attacker's account. These attacks often come with elaborate obfuscation and concealment: attackers use many wallets and cross-chain transfers to make tracing harder.
On May 3, a whale fell victim to a phishing attack using an address with the same leading and trailing characters as the intended destination, losing 1,155 WBTC, worth approximately $70 million.
The attack works as follows. The hacker pre-generates a large number of phishing addresses in bulk. With the bulk generator running, they watch on-chain activity and launch poisoning attempts against the destination addresses that users are seen transferring to. In this incident, the hacker used an address that matched the first four and last six hex characters of the victim's intended destination (after removing "0x"). Right after the user made a transfer, the hacker followed up (about three minutes later) with a transaction from the generated phishing address, sending 0 ETH to the user's address, so that the phishing address now appeared in the user's transaction history.
Since users typically copy the address of a recent transfer straight from their wallet history, the victim saw this follow-up phishing transaction, did not check the copied address carefully, and mistakenly sent 1,155 WBTC to the phishing address.
How does the OKX Web3 wallet interception feature work in this scenario?
The OKX Web3 wallet continuously monitors on-chain transactions. If it detects that, shortly after a large transaction, a suspicious transaction not initiated by the user appears whose counterparty is extremely similar to the counterparty of the large transaction, it classifies that counterparty as a similar address.
If the user later tries to interact with a similar address, the OKX Web3 wallet issues an interception alert; at the same time, transactions involving similar addresses are marked directly on the transaction history page, so that users are not lured into copying and pasting them and losing assets. (Currently supported on 8 chains.)
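The detection rule above, as an added example (not OKX Web3 wallet code), run over a constructed transaction history: it learns look-alike addresses from a zero-value inbound transfer that arrives within a short window after a large outbound one and matches the genuine counterparty's first four and last six hex characters, then intercepts a later transfer to the look-alike and labels the poison row in the history view. The addresses, amounts and timestamps are constructed.

```python
# Added example (not OKX Web3 wallet code): learning look-alike addresses from a
# constructed transaction history and screening a later transfer against them.
# Rule used: an inbound transfer the user did not initiate, arriving within a
# short window after a large outbound transfer, from an address whose first 4
# and last 6 hex characters match the earlier counterparty, is a poison address.

from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    ts: int          # unix seconds
    sender: str
    to: str
    amount: int      # token base units
    token: str

def looks_alike(a, b, prefix=4, suffix=6):
    """Same leading/trailing hex chars (after 0x) but not the same address."""
    a, b = a.lower().removeprefix("0x"), b.lower().removeprefix("0x")
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]

def learn_poison_addresses(history, user, large_threshold, window_s=600):
    """{poison_address: genuine_address} inferred from the history."""
    user = user.lower()
    big_outbound = [t for t in history if t.sender.lower() == user and t.amount >= large_threshold]
    poison = {}
    for big in big_outbound:
        for t in history:
            if t.sender.lower() == user:                    # user-initiated: not a poison
                continue
            if t.to.lower() != user or not big.ts < t.ts <= big.ts + window_s:
                continue
            if looks_alike(t.sender, big.to):
                poison[t.sender.lower()] = big.to.lower()
    return poison

def screen_transfer(to, poison):
    """Interception alert if the destination was learned as a look-alike."""
    genuine = poison.get(to.lower())
    if genuine is None:
        return {"intercept": False}
    return {"intercept": True,
            "reason": f"{to} resembles {genuine} and first appeared in a zero-value transfer you did not send"}

def annotate_history(history, poison):
    """Labels for the history view so the poison row is not copied by mistake."""
    return [("SIMILAR ADDRESS" if t.sender.lower() in poison or t.to.lower() in poison else "")
            for t in history]

# Constructed history: a large WBTC transfer to the genuine counterparty, a 0-ETH
# poison transfer from a look-alike three minutes later, then an unrelated inbound tx.
USER = "0x" + "11" * 20
GENUINE = "0x1a2b" + "c" * 30 + "dead01"
POISON = "0x1a2b" + "f" * 30 + "dead01"       # same first 4 / last 6 hex chars
OTHER = "0x" + "44" * 20

HISTORY = [
    Tx(ts=1_714_700_000, sender=USER, to=GENUINE, amount=5 * 10**8, token="WBTC"),  # 5 WBTC out
    Tx(ts=1_714_700_180, sender=POISON, to=USER, amount=0, token="ETH"),            # poison, +3 min
    Tx(ts=1_714_701_000, sender=OTHER, to=USER, amount=10**18, token="ETH"),
]

if __name__ == "__main__":
    learned = learn_poison_addresses(HISTORY, USER, large_threshold=10**8)
    print(learned)
    print(screen_transfer(POISON, learned))      # the follow-up transfer to the look-alike is intercepted
    print(annotate_history(HISTORY, learned))
```

Matching on four leading and six trailing characters is exactly the pattern from the WBTC incident; wallets that truncate addresses in their history view show only those characters, which is why the comparison is done on them rather than on the full string, and why the annotation on the history row matters as much as the interception itself.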
Conclusion
In summary, in the first half of 2024 security incidents such as airdrop phishing emails and hijacked official project accounts remained frequent. While users enjoy the benefits of airdrops and campaigns, they face unprecedented security risks: hackers impersonate official emails and use look-alike addresses to lure users into revealing private keys or making malicious transfers, and compromised official project accounts have themselves led to user losses. In such an environment, the most important things for ordinary users are to stay alert and to learn security fundamentals in depth; it is also advisable to choose platforms with reliable risk controls.
Risk Warning and Disclaimer
This article is for reference only. The views expressed in this article are solely those of the author and do not represent the position of OKX. This article does not intend to provide (i) investment advice or recommendations; (ii) offers or solicitations to buy, sell, or hold digital assets; (iii) financial, accounting, legal, or tax advice. We do not guarantee the accuracy, completeness, or usefulness of such information. Holding digital assets (including stablecoins and NFTs) involves high risks and may fluctuate significantly. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation. Please consult your legal/tax/investment professionals regarding your specific circumstances. You are responsible for understanding and complying with applicable local laws and regulations.