The AirDrop scam: what precautions can be taken?

Security analysts at Slowmist revealed a new type of TransferFrom fraud on the TRON (TRX) network. They mentioned that numerous users noticed that their addresses received the so-called zero transfer, i.e., transactions of zero value. After that they became victims of scammers.

The nature of the attack

According to the users who suffered from the recent break-in of TRON wallets, they received 0 USDT transfers from unknown addresses beforehand. These transactions were displayed in the history of users of the TRON network, and in each case, the TransferFrom function was automatically called.

By clicking on this random transaction overview, the wallet owner initiated a process function that allowed an address starting with TCwd to transfer 0 USDT. All transactions were from the same wallet vault. No single transfer exceeded an amount of $0.001. This reminded the experts at Slowmist of a similar airdrop scam consisting of addresses with the same final numbers.

Thanks to TransferFrom, it is possible to initiate a 0 USDT transfer from any user account, because the token contract function does not require that the approved transfer amount be greater than zero. This condition is used by an attacker to re-run TransferFrom actions for active users and initiate transfer events.

Possible countermeasures

The experts warned: If an investor has discovered a transaction record that does not belong to him, they should be wary of the fact that the wallet has been compromised. When a user tries to change access to their wallet or reload data into it, they could be robbed. If the user's transaction history has been hijacked by an attacker, they risk losing assets by copying one of the previous transfer addresses that may have been swapped.

In this regard, it is worth recalling the statement of Condair analysts, which referred to the inadequate audit of smart contracts, conducted by crypto-startups. Analysts described several blockchain startups that passed smart contract audits before being hacked by hackers. For instance, BadgerDAO suffered more than $120 million stolen by attackers. The criminals were able to gain access to the application site using a compromised API key that had been created without the engineers' knowledge or permission. They then managed to inject malicious javascript code.