As DeFi continues to grow in popularity and prominence, hackers around the world are uncovering new vulnerabilities and developing new methods to attack organizations.
Today, one of the most prominent categories of DeFi hacking is social engineering attacks. Social engineering refers to a method of manipulating people into revealing information or taking actions that can compromise the security and privacy of systems and networks, such as DeFi wallets. Social engineering attacks accounted for 70-90% of all malicious data breaches in 2023 (Avast Threat Labs).
Social engineering attacks are prominent in DeFi right now for a number of reasons. Launching this sort of attack can be relatively easy and cheap for hackers when compared to other types of hack. It relies on human error rather than vulnerabilities in software or systems, so anyone can be a potential target. In addition, the potential impact can be huge, with millions of dollars on the line.
In DeFi, the signing process is a clear point of vulnerability for social engineering attacks. In this blog, we’ll guide you through a few tips for ensuring that you don’t fall victim to a DeFi signing scheme.
Risks that may arise during the signing process
Hackers look to socially engineer victims into signing away their funds using various tools and methods, such as crypto drainers – phishing tools designed to masquerade as Web3 projects, enticing victims into connecting their crypto wallets to the drainer. Drainers are built to literally drain your wallet, but because of how blockchain technology works, hackers will always need your signature to take control of your funds.
Drainers employ asset-specific methods for taking away your funds; in all cases, the drainer social engineers victims into signing a maliciously crafted transaction. Here are some of the most common signature requests threat actors use to trick victims into signing transactions on their behalf:
Transfer transactions
With base assets such as ETH, expect to receive a signature request for a transfer transaction directly to the attacker’s wallet address. This is the most basic method threat actors use to take an asset from a victim.
Token approval
Token approvals (allowances) have legitimate use cases and are required for highly popular dApps like Uniswap to function. They optimize a user’s gas usage with frequently visited dApps. However, the same mechanism is abused by attackers to gain control over victims’ funds.
In a token approval attack scenario, the drainer will ask victims to sign a call to the “Approve” method of ERC20/ERC721 tokens. Once you sign it, you are giving the attacker permission to withdraw all your assets.
Once the transaction is approved, the attacker no longer requires any further interaction with you in order to drain these funds as they will have full control, even without access to your private key.
Contract calls signing
Contract calls are a staple of DeFi and on-chain trading. These can include swapping, liquid staking, and other smart contract interactions.
Often, engaging with smart contracts can seem like executing a program that someone else developed – you don’t exactly know what it does, and you rely on the user interface (in this case the dApp), to communicate intent. Attackers leverage this and combine malicious smart contracts with abuse of well-known, legitimate smart contracts.
One method attackers often use is to abuse swap contracts and use them as transfers. When swapping, the expectation is that you will send funds to the swap contract and get back equally valuable tokens, minus fees. Attackers set up fake swapping interfaces and abuse known swap contracts, while sending different RECEIVER parameters to the swap method, making themselves the recipient of the swapped tokens.
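The two checks described above (who an approval is granted to, and who receives the output of a swap) can be made on the raw calldata before signing. The following is an added example, not code from the original post or from Fireblocks; it assumes the standard `approve(address,uint256)` selector and, as one instance of a swap method, the Uniswap V2 router's `swapExactTokensForTokens`. The addresses, the `ctx` allowlist and the function names are hypothetical.

```javascript
// Added example. Selectors are the first 4 bytes of keccak256(function signature).
const APPROVE = "095ea7b3"; // approve(address,uint256), ERC20 and ERC721
const SWAP = "38ed1739";    // swapExactTokensForTokens(uint256,uint256,address[],address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

// Split calldata into its selector and 32-byte argument words (64 hex chars each).
function splitCalldata(data) {
  const hex = data.replace(/^0x/, "").toLowerCase();
  if (hex.length < 8 || (hex.length - 8) % 64 !== 0) throw new Error("malformed calldata");
  return { selector: hex.slice(0, 8), args: hex.slice(8).match(/.{64}/g) || [] };
}
const asAddress = (word) => "0x" + word.slice(24); // low 20 bytes of the word

// ctx.wallet: the signing wallet; ctx.allowedSpenders: contracts vetted by the organization.
function inspectCalldata(data, ctx) {
  const { selector, args } = splitCalldata(data);
  const allowed = new Set(ctx.allowedSpenders.map((a) => a.toLowerCase()));
  const findings = [];
  if (selector === APPROVE) {
    if (args.length !== 2) throw new Error("approve expects 2 arguments");
    if (!allowed.has(asAddress(args[0]))) findings.push("approve: spender not on allowlist");
    // For ERC20 the second word is the amount; for ERC721 it is a token id.
    if (BigInt("0x" + args[1]) === MAX_UINT256) findings.push("approve: unlimited allowance");
  } else if (selector === SWAP) {
    if (args.length < 5) throw new Error("swap arguments truncated");
    // Head words: amountIn, amountOutMin, offset of path, to, deadline.
    if (asAddress(args[3]) !== ctx.wallet.toLowerCase())
      findings.push("swap: recipient is not the signing wallet");
  } else {
    findings.push("unknown selector 0x" + selector + ": review manually");
  }
  return findings;
}

// Constructed sample input (all addresses are made up for this example).
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const WALLET = "0x" + "11".repeat(20);
const ROUTER = "0x" + "aa".repeat(20);
const OTHER = "0x" + "ee".repeat(20);
const CTX = { wallet: WALLET, allowedSpenders: [ROUTER] };
const sampleApprove = "0x" + APPROVE + pad(OTHER) + "f".repeat(64);
const sampleSwap = (to) => "0x" + SWAP + pad("64") + pad("01") + pad("a0") + pad(to) +
  pad("ffffffff") + pad("02") + pad("0x" + "c1".repeat(20)) + pad("0x" + "c2".repeat(20));

console.log(inspectCalldata(sampleApprove, CTX));
console.log(inspectCalldata(sampleSwap(OTHER), CTX));
console.log(inspectCalldata(sampleSwap(WALLET), CTX));
```

An empty result only means none of these specific patterns matched; a call with an unrecognized selector is reported for manual review rather than passed.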
Typed message signing
Off-chain/typed messages refer to when you sign a text message and hand it over to the dApp, usually over WalletConnect. The purpose of this is to expand the usage of wallets within Web3 beyond transactions (e.g. for sign-in, or accepting terms & conditions); it also optimizes gas usage by signing meta-transactions and authorizations off-chain, and enabling the dApp to submit a transaction on-chain.
In some cases, a typed message signing request can be a social engineering attack that gives attackers control over your funds. For example, Permit/PermitBatch are a kind of typed message that controls token allowances. One signed message can enable control over multiple assets. This is one of the main vectors attackers use if they’re able to, as it can generate the maximum profit for them.
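A typed-message request can be inspected the same way before it is approved. The following is an added example, not code from the original post or from Fireblocks; it assumes the request arrives as EIP-712 JSON and that the message fields follow EIP-2612 (`Permit`) or Uniswap's Permit2 (`PermitSingle`, `PermitBatch`). The `ctx` allowlist, function names and addresses are hypothetical.

```javascript
// Added example. Anything at or above 2^160 - 1 (Permit2's maximum amount) counts as unlimited.
const UNLIMITED = (1n << 160n) - 1n;

// Normalize the supported message shapes into a list of { token, amount } grants.
function extractGrants(typed) {
  const m = typed.message;
  const one = (d) => ({ token: d.token.toLowerCase(), amount: BigInt(d.amount) });
  switch (typed.primaryType) {
    case "Permit": // EIP-2612: the token is the contract that verifies the signature
      return [{ token: typed.domain.verifyingContract.toLowerCase(), amount: BigInt(m.value) }];
    case "PermitSingle":
      return [one(m.details)];
    case "PermitBatch":
      return m.details.map(one);
    default:
      return null; // not an allowance message (sign-in, terms acceptance, ...)
  }
}

// ctx.allowedSpenders: contracts vetted by the organization.
function inspectTypedData(typed, ctx) {
  const grants = extractGrants(typed);
  if (grants === null) return { grantsAllowance: false, findings: [] };
  const findings = [];
  const allowed = new Set(ctx.allowedSpenders.map((a) => a.toLowerCase()));
  if (!allowed.has(typed.message.spender.toLowerCase())) findings.push("spender not on allowlist");
  if (grants.length > 1) findings.push(`one signature covers ${grants.length} tokens`);
  for (const g of grants) {
    if (g.amount >= UNLIMITED) findings.push(`unlimited allowance on ${g.token}`);
  }
  return { grantsAllowance: true, findings };
}

// Constructed sample request (all addresses and values are made up for this example).
const SAMPLE_BATCH = {
  primaryType: "PermitBatch",
  domain: { name: "Permit2", chainId: 1, verifyingContract: "0x" + "22".repeat(20) },
  message: {
    details: [
      { token: "0x" + "c1".repeat(20), amount: UNLIMITED.toString(), expiration: "1900000000", nonce: "0" },
      { token: "0x" + "c2".repeat(20), amount: "5000000", expiration: "1900000000", nonce: "0" },
    ],
    spender: "0x" + "ee".repeat(20),
    sigDeadline: "1900000000",
  },
};
const SAMPLE_CTX = { allowedSpenders: ["0x" + "aa".repeat(20)] };

console.log(inspectTypedData(SAMPLE_BATCH, SAMPLE_CTX));
```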
Protecting from DeFi signing attacks with Fireblocks
Here are some tips for using Fireblocks to defend your business from DeFi signing attacks:
- Follow the instructions in Fireblocks security alerts. This is the first layer of protection from malicious dApps.
- Leverage and inspect data provided by Fireblocks’ Transaction Simulation to understand the impact of a transaction.
- Use address whitelisting and due diligence processes when adding a new whitelisted address.
- Not all traders or operators are equally trained, knowledgeable, or trustworthy – enlist more senior personnel for high-risk operations like typed messages.
- Make sure your organizational policies are set up according to TAP best practices (rules are evaluated first-match, so stricter rules go at the top).
- If you are the approver, inspect the authorization screen (on mobile) closely and make sure all details make sense.