Cybersecurity Experts Detect a Rise in Predictive Address Attacks

Scammers exploit the EVM's "create2" deployment feature, which lets them slip past most, if not all, address-based detection tools.

The attack tricks users, via phishing websites, into granting token approvals to an address that looks harmless only because nothing has been deployed to it yet.

Today, GoPlus Security, the open-access Web3 security platform, warned cryptocurrency users of an emerging threat. Malicious actors deceive users by leveraging the EVM's "create2" deployment feature to pre-calculate contract addresses before anything is deployed to them.


"'Create2' is a deployment method that allows for the predictive creation of contract addresses," explains the GoPlus team. The method is an opcode of the Ethereum Virtual Machine (EVM) and should not be confused with the original "create" opcode, which derives a new contract's address from the sender's address and nonce. "Create2" instead derives it from the sender's address, a caller-chosen salt and the hash of the contract's initialization code, so the address is fixed in advance: anyone who knows those three inputs can compute where the contract will land before it is deployed.

Figure: predictive attack transaction (source: GoPlusEco on X)

The legitimate purpose of the method is to let developers reference and interact with contracts that have not yet been deployed on the Ethereum network, for instance when deployment is deferred until certain conditions are met.

Unfortunately, beyond the legitimate uses of "create2" in DApps that rely on counterfactual instantiation, criminals can exploit the feature for profit. They pre-calculate an address, trick users into granting permissions to that still-empty, seemingly harmless address, and only then deploy a malicious contract to it, exploiting the gap between authorization and deployment: once the contract exists at the approved address, it can exercise whatever permission the user granted.


The most unnerving aspect of the new attacks is that the attacking address is invisible to the majority of threat-detection tools: at authorization time there is nothing on-chain to inspect, no bytecode, no transaction history and no entry in any blocklist. According to GoPlus, this is possible "since the contract is not deployed at the time of authorization, the attacking address is an empty EOA (Externally Owned Account) address."

GoPlus recommends that users learn the URLs of the protocols they use regularly, which helps distinguish legitimate websites from phishing attempts. The team also advises bookmarking legitimate URLs so that official sites are reached reliably, reducing the chance of landing on a phishing site that imitates them.

"Additionally, be meticulous in checking whether the entity being authorized during signing is a blank (EOA) address, as this might pose a significant risk," the GoPlus team adds.