Report on USDT Phishing on Polygon network:
The attacker's strategy was based on obtaining approval for a contract address that hadn't been deployed yet.
Here's a step-by-step breakdown:
1- The attacker used a phishing technique to gain approval on the Tether (USDT) token.
2- They then invoked the Factory Contract to deploy a contract on the approved address.
3- Finally, they executed a function from the newly deployed child contract to transfer the USDT tokens.
The attacker utilized a vanity address for the Externally Owned Account (EOA) and the Contract to decrease gas costs. However, they transferred the stolen assets to a non-vanity address to avoid the risks associated with vanity addresses.
The core concept behind this attack was the use of Create2 and the ability to predict a contract address, thereby luring the user into granting approval on a contract that hasn't been deployed yet.
Users indeed have the option to verify the address they're planning to grant approval to on a blockchain explorer.
No legitimate decentralized finance (DeFi) application should ever ask you to give approval to an Externally Owned Account (EOA).
As a regular user, you should NEVER grant approval to unverified contracts. Always ensure that the contract you're interacting with is verified and trustworthy.
#dapp
#phishing
During this investigation for a friend, I saw a weird approach on Polygon for charging users for the gas cost:
https://polygonscan.com/address/0x0000000000000000000000000000000000001010#code
Every Polygon transaction contains an event from this contract, because Polygon has a pre-deployed contract at this address for the MATIC token, and in every transaction people pay their fee by using a token transfer on Polygon.
But this contract is a pre-deployed contract, and transferring through it doesn't add an extra charge to the fee.
They call it the MRC20 standard.
https://www.reddit.com/r/0xPolygon/comments/sfx4o2/matic_as_a_mrc20_token_versus_just_matic_on_the/
https://github.com/opentimestamps/opentimestamps-server/blob/master/doc/merkle-mountain-range.md
Merkle Mountain Ranges
Imagine we have a custom factory contract. This contract has a method that takes a salt as input and deploys a contract using create2. The logic of the deployed contract includes a self-destruct method. Now, the question is: Can we deploy a contract with…
Ethereum Stack Exchange
Is it possible to deploy a contract on the same address after self-destruct?
Forwarded from deepcode.eth • Roman P
ABDul Rehman TradMod
CreateX? What's that?
Factory smart contract to make easier and safer usage of the `CREATE` and `CREATE2` EVM opcodes as well as of `CREATE3`-based (i.e. without an initcode factor) contract creations. - pcaversaccio/cr...
Labs Community Call (session 7)
Topics:
1- Create3 Opcode (EIP review)
2- Auth Call (EIP review)
3- Zk email (Project review / Code review)
4- Lookup tables in ZKP proving systems
(It is hard to discuss all topics in 1 hour, but we will try our best.)
Time & Link:
Nobitex labs community call
Tuesday, December 5 · 5:00 – 6:00pm
Time zone: Asia/Tehran
Google Meet joining info
Video call link: https://meet.google.com/pka-urvn-ynd
Links related to today's discussed topics:
Transient Storage EIP
> https://eips.ethereum.org/EIPS/eip-1153
Transient Storage Compatible Token Standard
> https://github.com/ethereum/ERCs/pull/81/files
Authcall and Auth Opcodes
> https://eips.ethereum.org/EIPS/eip-3074
RSA Accumulators
> https://ethresear.ch/t/rsa-accumulators-for-plasma-cash-history-reduction/3739
Liquid, a Bitcoin sidechain technology:
> Homomorphism-related confidential transactions
> https://crypto.stackexchange.com/questions/64437/what-is-a-pedersen-commitment
> https://mareknarozniak.com/2021/06/22/ct/
> https://blog.liquid.net/guide-to-confidential-transactions/
> https://github.com/ElementsProject/elements
EIP-1153: Transient storage opcodes
Add opcodes for manipulating state that behaves almost identically to storage but is discarded after every transaction