A victim loses $3M $USDC from a Safe wallet in a fake Request Finance contract exploit, which shows the risks of malicious approvals and the need for urgent crypto security vigilance.

Fake Request Finance Contract Drains $3M $USDC from Safe Wallet

2025/09/12 20:20

The Web3 community has been shaken by a major crypto security breach. A victim lost $3.047 million in $USDC to a sophisticated exploit. The attack involved a fake Request Finance contract that was linked with a Safe multi-sig wallet.

This breach highlights that even legitimate-looking batch transactions can carry hidden malicious approvals and lead to losses. In this case, even experienced users are vulnerable.

Fake Request Finance Contract Fools the System

Scam Sniffer, a platform that sheds light on crypto scams, observed that the attacker deployed a malicious contract 13 days before the theft. The scammer deliberately designed the Etherscan-verified malicious contract as a fake copy of the legitimate Request Finance Batch Payment contract.

Both addresses had the same beginning and ending characters, making them nearly identical. This made it difficult to tell the real and fraudulent versions apart. The attacker also executed multiple “batchPayments” transactions so that the contract would appear trustworthy.

While using the Request Finance app interface, the victim executed batch transactions. These unknowingly included a hidden approval of the malicious contract. Through this approval, the scammer gained access and drained the wallet. He then immediately swapped the funds for ETH and funnelled it to Tornado Cash, so recovery of the funds is nearly impossible.

Industry Response to the Attack and Possible Security Measures

Request Finance quickly issued an alert announcing that a malicious contract identical to its own had been deployed. The company stated that only one person was affected by the attack and assured others that it had already addressed the vulnerability.

Beyond this, the exact attack vector remains unclear. Security experts cite a number of possible causes, including application-level vulnerabilities, compromised frontends, malware or browser extension interference, DNS hijacking, or other injection techniques.

The exploit highlights a growing threat from malicious verified contracts and near-identical addresses. To hide malicious approvals, thieves use multi-send functionality and exploit small but critical oversights.

Experts therefore advise users to check and verify every batch approval carefully and to cross-check contract addresses character by character. Users need to remain vigilant when executing transactions and granting approvals. App security is essential to prevent devastating losses.
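The check the experts describe can be automated before signing. The sketch below is an added example, not code from Request Finance, Safe or Scam Sniffer: it unpacks a batch in the packed layout used by Safe's MultiSend contract and reports every ERC-20 `approve` whose spender is not a trusted address, marking spenders that only match a trusted address at the start and end. All addresses are constructed, and the two-byte match window `k` is an assumption.

```python
APPROVE = bytes.fromhex("095ea7b3")  # selector of ERC-20 approve(address,uint256)

def decode_multisend(packed: bytes):
    """Split MultiSend's packed bytes: op(1) | to(20) | value(32) | len(32) | data."""
    txs, i = [], 0
    while i < len(packed):
        if len(packed) - i < 85:
            raise ValueError("truncated transaction header")
        op, to = packed[i], packed[i + 1:i + 21]
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        n = int.from_bytes(packed[i + 53:i + 85], "big")
        data = packed[i + 85:i + 85 + n]
        if len(data) != n:
            raise ValueError("truncated calldata")
        txs.append((op, to, value, data))
        i += 85 + n
    return txs

def lookalike(a: bytes, b: bytes, k: int = 2) -> bool:
    """Different addresses whose first and last k bytes match (what a shortened UI shows)."""
    return a != b and a[:k] == b[:k] and a[-k:] == b[-k:]

def audit(packed: bytes, trusted: set):
    """Return (index, token, spender, verdict) for each approve() to a non-trusted spender."""
    findings = []
    for idx, (_op, to, _value, data) in enumerate(decode_multisend(packed)):
        if data[:4] == APPROVE and len(data) >= 68:
            spender = data[16:36]  # address is right-aligned in the first 32-byte argument
            if spender not in trusted:
                verdict = "lookalike" if any(lookalike(spender, t) for t in trusted) else "unknown"
                findings.append((idx, "0x" + to.hex(), "0x" + spender.hex(), verdict))
    return findings

# Constructed sample data below; none of these addresses come from the incident.
def pack(to, data, op=0, value=0):
    return bytes([op]) + to + value.to_bytes(32, "big") + len(data).to_bytes(32, "big") + data

def approve(spender, amount):
    return APPROVE + bytes(12) + spender + amount.to_bytes(32, "big")

TOKEN = bytes.fromhex("11" * 20)                    # stands in for the token contract
REAL = bytes.fromhex("abcd" + "00" * 16 + "ef01")   # stands in for the genuine batch contract
FAKE = bytes.fromhex("abcd" + "99" * 16 + "ef01")   # same first/last bytes, different middle
BATCH = (pack(REAL, bytes.fromhex("deadbeef"))      # opaque payment call
         + pack(TOKEN, approve(REAL, 1000))         # expected approval
         + pack(TOKEN, approve(FAKE, 2**256 - 1)))  # hidden unlimited approval

if __name__ == "__main__":
    print(audit(BATCH, {REAL}))
```

Comparing the full 20 bytes, as `audit` does, is what defeats the near-identical address trick; the `lookalike` verdict only explains why a shortened display would not have shown the difference.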
