A Safe wallet lost 3.047M USDC in a scam that used a fake Request Finance contract. This address poisoning trick is worth learning from.
A significant crypto theft drained 3.047 million USDC from a wallet. The attack used a bogus Request Finance contract to get past the wallet's multi-signature security.
The scheme is a new variant of the familiar address poisoning fraud, which is quickly gaining momentum.
The victim controlled a 2-of-4 Safe multi-sig wallet. The attacker worked through a batch transaction request in the Request Finance app interface.
The request involved a malicious contract address that closely resembled the original: it started and ended with the same characters.
Security researcher @realScamSniffer disclosed the attack on X (formerly Twitter). They described how the malicious contract 0x3Cf6e5…c03F mimicked the legitimate 0x3cF638…C03f address.
The two addresses look almost the same, which leads users to accept the scam without realizing it. The scammer also registered the fake contract on Etherscan, which increased its credibility.
Deceptive Contract Mimicry Sparks New Scam Wave
This type of attack works through small mistakes users make when approving contracts. The fraudsters target them with nearly identical addresses.
Most crypto wallets display only the first few and last few characters of a contract address. Attackers exploit this to make users believe the contract is authentic.
The Request Finance app interface gives the attacker a chance to package malicious commands into batch transactions.
These batches let fraudsters drain funds once the contract approval has been granted. The approach gets around multiple wallet signers if one of them approves without scrutiny.
The fake contract quickly transferred more than 3 million USDC, as researchers confirmed from the Safe wallet's transaction history.
The scam highlights new weaknesses in multi-signature wallets that are connected to DeFi apps.
How Users Can Defend Against Address Poisoning Scams
Experts including @zachxbt and @evilcos on X recommend extra care when signing contracts. Before granting permissions, users need to make sure the entire contract address is accurate.
Do not rely only on partial address views or quick glances at Etherscan. Instead, cross-check a contract's authenticity against several independent sources. Always reject batch transactions unless every signer of the wallet is present.
Hardware wallet approvals and transaction notifications add further security measures. Address poisoning scams should be publicized more widely, since the deceptive tactic is on the rise.
Safe wallet users must review permissions regularly and revoke any suspicious contract approvals.
This theft of 3.047 million US dollars is an indication that address poisoning fraud is on the increase. The increasing interconnectivity of DeFi apps and wallets demands stronger verification habits from users.
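One way to apply the full-address check to a pending batch before signing, as an added example that is not from the original article or from Safe or Request Finance. It assumes the batch entries are ERC-20 `approve` calls and that signers keep an allowlist of contract addresses verified out of band; every address and the batch itself are constructed.

```python
import re
APPROVE_SELECTOR = "095ea7b3"  # ERC-20 approve(address spender, uint256 amount)

# Constructed addresses (not the incident's): same first/last 4 hex chars.
GOOD = "0x3c0f" + "ee" + "11" * 15 + "c03f"
FAKE = "0x3C0F" + "6e" + "22" * 15 + "C03F"  # mixed case, as a wallet may show it
TRUSTED = {GOOD: "invoice contract, verified out of band (assumed allowlist)"}

def normalize(addr):
    """Lower-case a 20-byte hex address; reject anything malformed."""
    a = addr.lower()
    if not re.fullmatch(r"0x[0-9a-f]{40}", a):
        raise ValueError(f"not a 20-byte address: {addr!r}")
    return a

def classify(addr, head=4, tail=4):
    """'trusted' on a full match, 'lookalike' if only the visible ends match."""
    a = normalize(addr)
    if a in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        if a[2:2 + head] == good[2:2 + head] and a[-tail:] == good[-tail:]:
            return "lookalike"
    return "unknown"

def approve_spender(calldata):
    """Return the spender of an approve() call, or None for other calls."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 128 or not data.startswith(APPROVE_SELECTOR):
        return None
    return "0x" + data[32:72]  # low 20 bytes of the first 32-byte argument

def review_batch(batch):
    """List (index, spender, verdict) for every approve not fully trusted."""
    findings = []
    for i, tx in enumerate(batch):
        spender = approve_spender(tx["data"])
        if spender is not None and classify(spender) != "trusted":
            findings.append((i, spender, classify(spender)))
    return findings

def sample_approve(spender, amount):  # builds constructed sample calldata
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + f"{amount:064x}"
SAMPLE_BATCH = [  # constructed batch: one genuine approval, one lookalike
    {"data": sample_approve(GOOD, 1000)},
    {"data": sample_approve(FAKE, 2**256 - 1)},
    {"data": "0xa9059cbb" + "00" * 64},  # transfer(), ignored by this check
]
```

Calling `review_batch(SAMPLE_BATCH)` reports only the second entry, whose spender matches the trusted address in its visible ends but not in full.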
Source: https://www.livebitcoinnews.com/3m-usdc-stolen-in-fake-request-finance-scam-explosion/