Crypto Scam Fixed by Revoke After Clients Entrapped

Updated: 10 July 2023

Disclosure

Don’t invest unless prepared to lose all the money you invest. This is a high-risk investment, you shouldn’t expect to be protected if something goes wrong.

Join Our Telegram channel to stay up to date on breaking news coverage

A crypto scam was countered by approval management platform Revoke after scammers tried to lure users into revoking fake approvals, and then hitting them with exorbitant transaction fees.

Crypto Scam Countered by New Features

Yesterday, we received reports of people seeing unknown approval transactions in their transaction history.

It turns out that this is a new scam where scammers use so-called gas tokens to steal money when victims revoke these "fake approvals". pic.twitter.com/vpY2sGIv0T

— Revoke.cash (@RevokeCash) July 9, 2023

On July 9, Revoke.cash announced that it had received reports of users encountering unfamiliar approvals in their transaction histories. It said it combated the scam by adding a check that disabled revoking approvals if there’s an excessive gas fee.

The concept of gas tokens emerged several years ago when Ethereum started experiencing a surge in gas fees. These tokens took advantage of a feature within the Ethereum Virtual Machine (EVM) that allowed for gas refunds during the storage clearing.

As a result, users could generate gas tokens during periods of low fees and utilize them during high-fee periods, essentially securing the lower fee rate. However, with the implementation of EIP-3529 in 2021, this unintended consequence of storage gas refunds became impractical and was no longer applicable.

Nonetheless, some EVM-based blockchain networks, like BNB Chain, still maintain the concept of gas tokens, which scammers exploit. These scammers create fraudulent tokens, distribute them through airdrops, and fabricate token approvals, tricking unsuspecting users into believing they need to revoke these approvals.

The scammers have cleverly programmed these counterfeit tokens to generate a significant number of gas tokens during a revocation transaction.

As a result, these gas tokens are transferred to the scammers, who can then sell them.

This situation raises concerns because users’ wallet interfaces fail to indicate that funds are being transferred – they only display a high fee, which can potentially mislead users.

How the Crypto Scam Worked

Twitter user 0xblanker detected the scam and provided additional information regarding the gas token vulnerability that the scammer took advantage of.

0xblanker is a partner at y2z Ventures, a long-term venture mainly focused on the metaverse and Web 3.0.

According to him, over the past few days, there has been a transfer of funds for MultichainOrg, a cross-Chain Router Protocol.

In the past couple of days, @MultichainOrg's fund was moved, and official sources and various security tools like @RevokeCash and @Rabby_io have been urging users to revoke their approvals for Multichain. And devs created useful tools to check users' approvals for Multichain.

— blanker.eth 🦇🔊 (@0xblanker) July 8, 2023

In response, official sources and security tools like RevokeCash and Rabby_io have advised users to revoke their approvals for Multichain.

Developers have also created helpful tools to assist users in checking their approvals for Multichain.

Taking advantage of the situation, a scammer has used it to advertise and released a fake ERC-20 token on the BNB CHAIN.

The scammer manipulated the ‘approve()’ method and manually forged approvals for multiple addresses on the chain.

Consequently, Revoke Cash, Rabby, and other tools have been reminding users to revoke their approvals.

However, the ‘approve()’ function in this ERC-20 contract has been tampered with and consumes a significant amount of gas.

This unintentionally causes users to mint $CHI tokens (commonly known as gas tokens because destroying them refunds gas) for the contract deployer.

Theoretically, the minting amount is limited to the capacity of an entire block. Based on a typical gas level of 3 Gwei on the BSC, this would deduct approximately $60 worth of BNB from the attacker’s wallet.

When users encounter the notification to revoke their approvals and proceed with the revocation, the minted $CHI tokens are sent to the contract deployer’s wallet.

As of the time of 0xblanker’s report, the deployer had already obtained around 70k $CHI tokens, valued at $400.