New Web3 attack exploits transaction simulations to steal crypto

Threat actors are employing a new tactic called "transaction simulation spoofing" to steal crypto, with one attack successfully stealing 143.45 Ethereum, worth approximately $460,000.

The attack, spotted by ScamSniffer, highlights a flaw in transaction simulation mechanisms used in modern Web3 wallets, meant to safeguard users from fraudulent and malicious transactions.

How the attack works

Transaction simulation is a feature that allows users to preview the expected outcome of a blockchain transaction before signing and executing it.

It is designed to enhance security and transparency by helping users verify what the transaction will do, like the amount of transferred cryptocurrency, gas fees and other transaction costs, and other on-chain data changes.

The attackers lure victims to a malicious website that mimics a legitimate platform, which initiates what is made to appear as a "Claim" function. The transaction simulation shows that the user will receive a small amount in ETH.

However, a time delay between the simulation and the execution allows the attackers to alter the on-chain contract state to change what the transaction will actually do if approved.

The victim, trusting the wallet's transaction simulation result, signs the transaction, allowing the site to drain their wallet of all crypto and send it to the attacker's wallet.

ScamSniffer highlights an actual case where the victim signed the deceptive transaction 30 seconds after the state change, losing all their assets (143.35 ETH) as a result.

"This new attack vector represents a significant evolution in phishing techniques." warns ScamSniffer

"Rather than relying on simple deception, attackers are now exploiting trusted wallet features that users rely on for security. This sophisticated approach makes detection particularly challenging."

The blockchain monitoring platform suggests that Web3 wallets reduce the simulation refresh rates to match blockchain block times, force refresh simulation results before critical operations, and add expiration warnings to warn users about the risk.

From the user's perspective, this new attack shows why wallet simulation shouldn't be trusted.

Cryptocurrency holders should treat "free claim" offers on obscure websites with caution and only trust verified dApps.