Web3 Threats to Your Crypto

The private key that corresponds to the user’s wallet address controls the transfer of value on the public ledger, be it in the form of tokens or native cryptocurrency. To capture this value, a potential attacker has a number of options:

• Theft of private keys: With the knowledge of the private key, the attacker can send a transaction for every token and native currency associated with the address, transferring the assets to the attacker's own address. Any staked tokens in third party systems can be withdrawn and transferred to the attacker’s address. There are numerous examples of this in the wild: fraudsters often pose as customer support convincing users to install a fake wallet software that captures and shares the user’s passphrase with the attacker.

• Obtaining user’s authorization: Through social engineering and confusing Web3 wallet user experiences, the attacker convinces the user to sign a transaction that can be crafted to:

  • Transfer tokens to the malicious dApp attacker’s address;

  • Grant unlimited allowance to the attacker’s address for a target ERC20 token – funds are drained from the wallet to the attacker’s address through a secondary transaction; A recent comprehensive study of abuse of unlimited ERC20 approvals, presents a representative sampling of recent exploits that fall into this category. This includes direct attack vectors (user transacting with a malicious dApp) as well as indirect, where third-party contracts are vulnerable.

  • Transaction Fees manipulation for a smart contract under attacker’s control.

• Compromise of 3rd Party Smart Contracts: Exploit smart contract vulnerabilities and then drain user assets that temporarily reside under the contract address ownership (there are numerous examples of bridge hacks that fall into this category).