A new and counter-intuitive “hiding-in-plain-sight” technique that attackers have started using to execute their hacks successfully.
The web3 space is a dynamic landscape where advancements in security practices are constantly met with increasingly sophisticated attacks. The use of private transactions or batched operations is now the standard MO for attackers in the Web3 space.
Here is another example of such an advancement in this cat-and-mouse game: in the past, attackers often hardcoded the victim contract’s address directly into their attacking code.
This made detection by automated tools a breeze. Today, however, attackers are adopting a more nuanced approach. In this blog post, we want to draw your attention to a new and counter-intuitive “hiding-in-plain-sight” technique that attackers have started using to execute their hacks successfully.
Let's explore two recent attacks:
These are two different attacks, but what they have in common can be found on the respective block explorer pages of their attacking contracts:
Look at the contract tab. Do you see something strange? Both attacking contracts are verified! In both instances, the attackers deployed verified contracts to launch their assaults.
This seemingly counterintuitive move hinges on a critical aspect of security automation – the assumption that a verified contract is less likely to be malicious.
Security experts often build their tools to prioritize transactions involving (and particularly addressed to) unverified contracts.
Similarly, simulation tools designed to catch suspicious transactions might assign a lower risk score to interactions with verified contracts.
So, why would an attacker expose their weapon? The answer lies in the very nature of verification.
One reason might be that verification serves as a badge of legitimacy, a signal that the contract has undergone some level of scrutiny.
By exploiting this paradigm, attackers can manipulate automated security measures.
Transactions directed at a verified contract might fly under the radar of detection tools, granting the attacker a crucial advantage.
Here's a glimpse into a possible attacker strategy:
This playbook, as stated before, lowers the chances of detection by the security monitoring services.
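To make the weakness concrete, here is an added example (not code from the original post or from SphereX) of a transaction triage scorer: the first variant gates everything on verification status, as the post describes, while the second treats verification as one weak signal among several. The extra signals (target contract age, deployer age, private submission, call batching) and their weights are assumptions chosen for illustration, and the sample transactions are constructed.

```python
from dataclasses import dataclass


@dataclass
class TxContext:
    """Facts a monitoring service can look up for an incoming transaction.
    All fields except `to_verified` are assumed signals for this example."""
    name: str
    to_verified: bool          # target contract has verified source on the explorer
    target_age_blocks: int     # blocks since the target contract was deployed (assumed)
    deployer_age_blocks: int   # blocks since the deployer EOA first appeared (assumed)
    private_tx: bool           # not observed in the public mempool (private relay)
    batched_calls: int         # number of external calls bundled in the transaction


def naive_score(tx: TxContext) -> int:
    """Verification-gated heuristic: a verified target short-circuits to low risk."""
    if tx.to_verified:
        return 10
    score = 50                     # unverified target is the main trigger
    if tx.private_tx:
        score += 20
    if tx.batched_calls >= 5:
        score += 15
    return min(score, 100)


def layered_score(tx: TxContext) -> int:
    """Multi-signal heuristic: verification lowers risk a little but never gates it."""
    score = 0
    if not tx.to_verified:
        score += 15                # still evidence, just not decisive
    if tx.target_age_blocks < 100:
        score += 30                # freshly deployed attack contract
    if tx.deployer_age_blocks < 1000:
        score += 20                # throwaway deployer account
    if tx.private_tx:
        score += 20                # hides the tx from mempool-based detection
    if tx.batched_calls >= 5:
        score += 15                # many operations packed into one shot
    return min(score, 100)


def flagged(scorer, txs, threshold: int = 60) -> list[str]:
    """Names of transactions the given scorer would escalate for review."""
    return [tx.name for tx in txs if scorer(tx) >= threshold]


# Constructed sample set: a verified, fresh, privately submitted batch (attack-like),
# a long-lived verified protocol call, and an old unverified but otherwise quiet contract.
SAMPLES = [
    TxContext("verified_fresh_batch", True, 3, 50, True, 12),
    TxContext("verified_old_protocol", True, 2_000_000, 3_000_000, False, 1),
    TxContext("unverified_old_quiet", False, 500_000, 500_000, False, 1),
]
```

Run over the samples, the verification-gated scorer escalates nothing from the attack-like transaction (it scores 10) while the layered scorer escalates it at 85 and leaves the two benign-looking entries below the threshold.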
This evolving tactic underscores the need for a multi-faceted security approach:
Protocol owners and builders who want to keep their contracts secure have to do the work and evolve with the threats in the space. As Web3 becomes part of the mainstream, the monetary value stored in it will grow, and with it the attackers' motivation and sophistication.
Maor has many years of experience in software development, QA, cyber security and more. Before joining SphereX as an analyst, Maor served 10 years in Israeli intelligence doing software development, QA, research and leading teams, and spent 4 years at Kayhut as an R&D group leader and in product management.