New crypto scam drains users' wallets without transaction approval

The attacker used a fake Collab.Land bot to lure users into a phishing site, where they were asked to sign a malicious message.
The attacker used a fake Collab.Land bot to lure users into a phishing site, where they were asked to sign a malicious message.

A new scam circulating on Telegram allows the attacker to drain a victim’s crypto wallet without the victim needing to confirm a transaction, according to user reports and blockchain data.

The scam only works on tokens that comply with the ERC-2612 token standard, which allows for “gas-less” transfers or transfers by a wallet that does not hold Ether (ETH). While the method does not require users to approve a transaction, it appears to require tricking the user into signing a message. 

As more tokens implement the ERC-2612 standard, this particular type of attack may become more prevalent.

Cointelegraph was contacted by a user who said he lost over $600 worth of Open Exchange (OX) tokens after visiting what he thought was the official Telegram group for the token’s developer, OPNX. However, it was a phishing scam.

When he entered the Telegram group, he was asked to press a button to connect his wallet to prove that he is not a bot. This opened a browser window and he connected his wallet to the site, believing that a mere connection did not pose a risk to his funds. However, within a few minutes, all of his OX tokens were drained. The victim claimed that he never approved a single transaction from the page, yet his funds were stolen anyway.

Cointelegraph visited the Telegram group and found that it featured a fake version of the Collab.Land Telegram verification system. The real Collab.Land system sends messages from Telegram channel @collablandbot, spelled with two lowercase “l”s. This fake version sent messages from @colIablandbot, with a capital “I” instead of a second lowercase “l.” In the font that Telegram uses for its usernames, these two letters look extremely similar.

Fake Collab Land bot profile. Source: Telegram.

In addition, the “connect wallet” button on authentic Collab.Land messages sends users to the URL connect.collab.info, which contains no dashes, whereas this fake version sent users to connect-collab.info, with a dash instead of a period.

User interface for malicious app. Source: connect-collab.info.

Related: Scammers are targeting crypto users with new ‘zero value TransferFrom’ trick

According to blockchain data, the attacker drained the funds by calling the “transferFrom” function on the OX token contract. Under normal circumstances, this function can only be called by a third-party if the owner first calls “approve” through a separate transaction and sets a spending limit. Blockchain data shows no evidence that the victim ever made such an approval.

Approximately one hour and 40 minutes before the transfer, the attacker called “Permit” on the OX token contract, setting itself as the “spender” and the victim’s account as the “owner.” They also set a “deadline” or period of time after which the permit would expire and a “value” or amount of tokens that could be transferred. The “value” was set to an arbitrarily large number.

Permit transaction made by attacker. Source: Etherscan.

The Permit function is on lines 116-160 of the token contract's ERC20.sol file. It allows a third-party to authorize tokens to be transferred on behalf of its owner, but only if the owner delivers a signed message giving them authorization.

OX token signing requirement for Permit function, line 154. Source: Etherscan

The setup may explain why the attacker was able to drain the funds without tricking the owner into making a traditional token approval. However, it also implies that the attacker did trick the owner into signing a message. After being confronted with this evidence, the victim reported that he attempted to connect to the site a second time. This time, he noticed that there was an “additional signing dialogue,” which he must have confirmed the first time without realizing it.

The Permit function appears to be a new feature of some token contracts. It is being implemented as part of the ERC-2612 standard, which allows for transactions by wallets that don’t hold ETH. Web3 developer OpenZeppelin describes the function’s purpose in this way:

“[It] can be used to change an account’s ERC20 allowance (see IERC20.allowance) by presenting a message signed by the account. By not relying on IERC20.approve, the token holder account doesn’t need to send a transaction, and thus is not required to hold Ether at all.”

Over time, this feature could allow wallet developers to create user-friendly wallets that only hold stablecoins. However, Cointelegraph’s investigation has revealed that scammers are also using this feature to trick users into giving away their funds. Web3 users should be aware that an attacker can drain their funds even if they don’t make an approval transaction, as long as they sign a message giving the attacker this ability.

Related: Apple yet to remove fake Rabby Wallet app as users report being drained

Cointelegraph contacted the Collab.Land team for comment. Developers confirmed that the bot and website involved in this attack are not associated with the real Collab.Land protocol. After being informed of this imposter, project developers reported the scam to Telegram.