WHY THIS MATTERS IN BRIEF
When scammers re-configure crypto and blockchain smart contracts your money is gone forever the instant you transfer it.
2021 saw an all-time high in crypto-related crimes, with scammers getting hold of $14 billion in cryptocurrency. The rise in fraud and scams, as well as Ransomwasre, correlates to the immense growth of activity within cryptocurrencies worldwide.
Recent company announcements and developments have also shown an increased interest in cryptocurrencies. For example, PayPal is considering a launch of its own cryptocurrency, Facebook has rebranded to Meta, and MasterCard announced that partners on its network can enable their consumers to buy, sell and hold cryptocurrency using a digital wallet.
The Future of Cyber Security, by Keynote Matthew Griffin
In addition, Disney wants to build a metaverse, Nike bought an NFT company, Starbucks customers can now use the new Bakkt app to pay for drinks and goods at the chain’s coffee shops with converted Bitcoin.
Funds are flowing towards crypto like water flows downhill, and thus it’s no wonder hackers are targeting cryptocurrencies with researchers like Check Point Research (CPR) saying that hackers are now abusing misconfigurations in smart contracts to launch attacks known as token “rug pulls.”
Rug pulls occur when crypto or virtual asset project developers manipulate a token’s perceived worth and then abandon the project – taking investor funds with them.
A recent example is the SQUID token, which saw the token reach $2,850 in value at its peak. Once the developers’ rug pulled and prevented traders from selling, the coin crashed by over 99.99%, rendering it basically worthless while netting the developers millions of dollars.
Some indicators of a potential token scam include 99% buy fees and mechanisms that prevent investors from reselling. According to the researchers, flaws in smart contract code and vulnerabilities can also be harnessed by external attackers to increase the risk of a project losing investor money.
Fraudsters employ a range of tactics to conduct a rug pull, including the use of scam services to create smart contracts, which are then issued a new token name and symbol before becoming public. The manipulation of functions to create hidden triggers to launch a rug pull may also be included.
Social media networks, as well as deepfakes and hijacked and stolen social media accounts, are then used to hype up a token – and its perceived value – before an exit scam occurs. In addition, time locks are not usually imposed.
“Timelocks are mostly used to delay administrative actions and are generally considered a strong indicator that a project is legitimate,” the researchers noted.
Buy and sell fees are a common technique for rug pulls. In a smart contract examined by CPR, the firm discovered both “Approve” and “Aprove” functions. The former was a legitimate, standard function for contract transactions, whereas the second, “Aprove,” was hidden and designed to allow the developers to impose 99% fees after a project took off.
“A legitimate token will not charge fees or will charge hardcoded values that can’t be adjusted by the developer,” CPR says.
Another example of potential scam mechanisms is a hidden function that allows developers to create more coins or control who can sell tokens. In the source code of a basketball-themed smart contract, the team found a transfer function that prevented reselling by average traders – a similar element used by SQUID.
A function found in a separate contract that allowed an attacker exploited coin minting after the contract’s private key was accidentally leaked online. A threat actor was able to use the key to fraudulently mint millions of virtual coins before withdrawing them. In the same contract, an error in emergency withdrawal functions was also exploited.
Attackers may also burn tokens to ramp up the price of existing pools. A failure to limit external burns in the Zenon Network was exploited in 2021, leading to a pool drain and the theft of over $814,000 from the project.
“It’s hard to ignore the appeal of crypto,” CPR says. “It’s a shiny new thing that promises to change the world, and if prices continue on their upward trajectory, people have an opportunity to win a significant amount of money. However, cryptocurrency is a volatile market. Scammers will always find new ways to steal your money using cryptocurrency.”