Mitigating Gas Abuse Exploits: New Detection Features and Flags from GoPlus Security
Unraveling the Intricate Gas Abuse Exploit
In the last two weeks, a sophisticated exploit has emerged in the web3 space. Certain malicious actors are deploying counterfeit ERC-20 tokens and manipulating smart contract functions to deceive users into conducting transactions that consume excessive gas.
Particularly in the wake of the recent Multichain (multichain.org) events, the offenders forge authorizations to convince users to revoke approvals or execute similar transactions that consume excessive gas. These actions, unbeknownst to the users, trigger the minting of $CHI tokens at the users’ expense, leading to financial loss. The intel the GoPlus Security team has gathered and collated on one particular incident is as follows:
- Multichain faced issues; users urged to revoke relevant token approvals by third-party platforms such as Revoke.cash, Rabby Wallet, and others.
- Security tools developed to check these approvals are automated and alerts are triggered automatically if risk items emerge.
- Attackers on BSC deployed a phishing ERC-20 token and altered its
approve()method. - Attackers then sent out approvals for this token en masse to many users, triggering revocation alerts.
- Users unwittingly revoked approvals for said token after seeing the alerts. The altered
approve()method consumes a lot of gas and mint $CHI tokens for the attackers.
- Number of victims is expected to increase over time.
- Project teams are being urged to perform gas checks when triggering
approve(), issue alerts, or reject transactions with excessive gas limits.
A Chinese-language Twitter thread detailing how the exploit works in practice can be found here.
The GoPlus Security team has been diligently monitoring these developments. Recognizing the potential damage such exploits could inflict on the integrity of web3 interactions, resources have been mobilized to develop a robust response to this challenge.
Feature Update: Mitigating Gas Abuse
Aiming to uphold a secure and trustworthy environment for users, GoPlus Security has introduced a new feature that employs behavioral analysis to detect and flag tokens associated with gas abuse.
Here’s a detailed look at this feature across different APIs:
Token Security API: is_honeypot
First of all, tokens designed to deceive users for gas mining (e.g., the above example with $CHI minting) will now be flagged as ‘is_honeypot’ in the token_security API.
Here is an example query response from GoPlus Security’s token_security API for such a token. Note the “is_honeypot” variable returned.
{
"code": 1,
"message": "OK",
"result": {
"0x8acc347187b7ed5d7db3d86477fb2f1c1b70210d": {
"buy_tax": "",
"cannot_buy": "0",
"creator_address": "0xe8e0960da069c336852246a5bedf18ad05ea25e7",
"creator_balance": "50000",
"creator_percent": "0.000107",
"gas_abuse": "1",
"holder_count": "2",
"holders": [
{
"address": "0x8a3c8c441cc7bff0a56910e4c19df0b2697518d4",
"tag": "",
"is_contract": 0,
"balance": "60000",
"percent": "0.000127931769763757",
"is_locked": 0
},
{
"address": "0x2e8639a382096e83f3df80e0e8b63d0e768fc870",
"tag": "",
"is_contract": 0,
"balance": "40000",
"percent": "0.000085287846509171",
"is_locked": 0
}
],
"honeypot_with_same_creator": "1",
"is_honeypot": "1",
"is_in_dex": "0",
"is_open_source": "1",
"is_proxy": "1",
"owner_address": "",
"sell_tax": "",
"token_name": "USD Coin",
"token_symbol": "USDC",
"total_supply": "468999999.849904027446539542"
}
}
}Address Security API: honeypot_related_address
Secondly, in GoPlus Security’s address_security API, any such token and its creator will be marked as a ‘honeypot_related_address’, signifying potential risks tied to these addresses.
See below for an example JSON response from address_security.
{
"code": 1,
"message": "ok",
"result": {
"cybercrime": "0",
"money_laundering": "0",
"number_of_malicious_contracts_created": "0",
"financial_crime": "0",
"darkweb_transactions": "0",
"phishing_activities": "0",
"fake_kyc": "0",
"blacklist_doubt": "0",
"data_source": "GoPlus",
"stealing_attack": "0",
"blackmail_activities": "0",
"sanctioned": "0",
"malicious_mining_activities": "0",
"mixer": "0",
"honeypot_related_address": "1"
}
}Approval Security API: doubt_list, malicious_behavior, and honeypot_related_address
As for the approval_security API, these malicious tokens and their creators will be flagged under the ‘doubt_list’ variable, with ‘honeypot_related_address’ added to their ‘malicious_behavior’ arrays.
Here is a sample query response returned from approval_security on a suspect token.
{
"code": 1,
"message": "ok",
"result": {
"contract_name": "TransparentUpgradeableProxy",
"tag": null,
"is_contract": 1,
"creator_address": "0xe8e0960da069c336852246a5bedf18ad05ea25e7",
"deployed_time": 1688812687,
"is_open_source": 1,
"is_proxy": 1,
"trust_list": 0,
"doubt_list": 1,
"malicious_behavior": [
"honeypot_related_address"
]
}
}Token Approval Security API: malicious_address, malicious_behavior, and honeypot_related_address
In the token_approval_security API, token suspected of malicious gas token mining and the token creator address will be flagged as ‘malicious_address’, with ‘malicious_behavior’ labeled as ‘honeypot_related_address’.
Looking Ahead: Ongoing Enhancements and User Empowerment
Plans are underway for further refining services like address_security, approval_security, and token_approval_security for more comprehensive gas abuse detection. Involving the community in shaping services, possibly through a voting mechanism on new features, is being considered.
GoPlus Security is more than a reactive measure; it’s a proactive shield that anticipates and prepares for potential threats. By continually monitoring the evolving landscape, it’s possible to build safeguards that address emerging challenges head-on and provide users with the knowledge they need to navigate the web3 ecosystem securely.
Developers are encouraged to integrate these features into their applications. With collaborative efforts, a #SaferWeb3 is rapidly becoming reality.
Learn more about GoPlus Security and be a part of the #SaferWeb3 journey.
- Official Website: gopluslabs.io
- API Documentation: docs.gopluslabs.io
- Security Service Center (Beta): gopluseco.io
- Twitter: twitter.com/GoPlusSecurity
- Medium Blog: goplussecurity.medium.com
