SlowMist Warns: "Past Approvals Can Still Be a Ticking Bomb"

Some criminals wait for years before exploiting past authorization approvals.

SlowMist has recently received numerous complaints about criminals stealing money through previously granted authorization approvals.

Amid winter celebrations and preparations for New Year’s Eve, the prominent Web3 security firm SlowMist issued a warning on X regarding prevalent authorization issues involving past approvals.

SlowMist explains that "past approvals can still be a ticking bomb," underscoring the importance of conducting a final audit this year and revoking any unnecessary permissions.


According to SlowMist, many cryptocurrency users have, consciously or unconsciously, "clicked on 'Approve authorization' at some time in the past." However, the abuse of an authorization approval does not always happen immediately after it is granted, and victims may have forgotten about the approval by the time it is exploited.

Quite often an approved authorization allows malicious actors to steal funds through a seemingly simple transaction that requires neither sophisticated methods such as "an off-chain permit/permit2 signature method," nor any other contract vulnerability allowing arbitrary authorization, nor a create2 method.

Figure: SlowMist theft transaction details (source: SlowMist, Medium)

For instance, in one of the cases reported to SlowMist, the abuse of the authorization approval occurred over two years after the user granted such approval. In this particular case, the malicious authorization was given on November 9, 2021, whereas the USDT-BEP20 unauthorized transfer transaction took place on December 16, 2023.

In the described transaction, the process unfolded in two main steps. Initially, method 0xe473d7ed of the contract at address 0xcc4187 was invoked to check the balance of the victim address and the allowance granted to the malicious contract.

Subsequently, the malicious contract, identified as TransparentUpgradeableProxy, executed method 0xe5ee9334 of the Proxy contract 0xd367b5, which verified the role permissions of the contract address 0xcc4187. Acting as the message sender (msg.sender), the malicious contract then called the transferFrom function of USDT-BEP20, transferring the token assets the victim had approved to the malicious contract to the hacker's profit address 0xFf6F.

According to SlowMist, the hacker stole nearly $200,000, while "the initial funds of the hacker originated from 0.098 BNB transferred from Tornado Cash, and the hacker used platforms such as Venus, PancakeSwap, DinosaurEggs, and WombatExchange."

Based on the detailed analysis, the SlowMist team suspects that the address involved in the exploit may be connected with the Kingfund Finance rug pull project, which caused the loss of nearly $141,000 for its investors.


When might you have clicked on "Approve Authorization"?

If you are an active cryptocurrency user, you may have already approved authorization numerous times. It is recommended to revoke each such approval wherever it is no longer required, especially if it was granted accidentally.

You may have come across "Approve Authorization" prompts to enable specific transactions, including participating in yield farming, providing liquidity, or swapping tokens. Interacting with smart contracts, working with token allowances, and using NFT gaming services may also prompt you to approve authorization.

In addition, certain dApps may encourage their users to click on "Approve Authorization" for the sake of an improved user experience.

While trust in a project and a lack of understanding of the implications of approving authorization are the primary factors behind this issue, FOMO (Fear of Missing Out) also compels cryptocurrency users to make hasty decisions. Under pressure from the desire to seize every lucrative opportunity in the crypto space, many users act without thorough consideration.

Protect your funds by revoking authorization approvals

The delayed exploitation described above is just one of the authorization-approval scenarios you would want to avoid.

Obviously, approving authorization for a project that later turns out to be a rug pull can have serious financial implications. The same goes for cases where scammers convince their victims to approve authorization as part of a phishing attack. Furthermore, if the project for which you approved authorization turns out to have vulnerabilities, your funds can potentially be affected when those vulnerabilities are exploited.

Moreover, you may also fall prey to an entire chain of authorization attacks, where further approvals are triggered by previous ones.

Even if no such illegal actions affect you, always keep in mind the possibility of protocol changes in the future that may have serious consequences for users who have approved authorizations.
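To make the mechanism behind both the delayed theft described earlier and the year-end audit concrete, here is an added Python model (example code written for this page, not SlowMist's or any project's) of ERC-20 allowance semantics. It shows that an allowance has no expiry and only changes when the owner re-approves or the spender consumes it, mirrors the attacker's two steps (check balance and allowance, then transferFrom as msg.sender), and then runs a simple audit over the wallet's Approval events that revokes stale or untrusted allowances by approving 0. The addresses, amounts and timestamps are constructed sample values; only the two dates are taken from the case above.

```python
"""Added example: ERC-20 allowance lifecycle, delayed abuse, and audit/revoke.
All addresses, balances and timestamps are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone

SECONDS_PER_DAY = 86_400
UNLIMITED = 2**256 - 1  # the "infinite approval" many dApps request by default


def ts(year, month, day):
    """Unix timestamp for a UTC calendar date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


class Token:
    """Minimal ERC-20 style ledger: balances plus owner->spender allowances.
    An allowance never expires on its own; it changes only through approve()
    or when the spender consumes it via transfer_from()."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def drainable(self, owner, spender):
        """Step 1 of the attack in the article: how much could the spender
        move right now? Bounded by both balance and allowance."""
        return min(self.balances.get(owner, 0), self.allowance(owner, spender))

    def transfer_from(self, spender, owner, to, amount):
        """Step 2: called by the spender (msg.sender). Succeeds years after
        approve() as long as allowance and balance still cover the amount."""
        if self.allowance(owner, spender) < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


@dataclass(frozen=True)
class ApprovalEvent:
    """One ERC-20 Approval(owner, spender, value) log entry plus block time."""
    owner: str
    spender: str
    amount: int
    timestamp: int


def stale_allowances(token, events, now, max_age_days=365, trusted=()):
    """Audit helper: from a wallet's Approval events, list spenders that still
    hold a non-zero allowance and are either untrusted or older than
    max_age_days. Returns (owner, spender, remaining, age_days) tuples."""
    latest = {}
    for ev in events:  # a later Approval for the same pair overwrites earlier ones
        latest[(ev.owner, ev.spender)] = ev
    findings = []
    for (owner, spender), ev in latest.items():
        remaining = token.allowance(owner, spender)
        if remaining == 0:
            continue
        age_days = (now - ev.timestamp) // SECONDS_PER_DAY
        if spender not in trusted or age_days > max_age_days:
            findings.append((owner, spender, remaining, age_days))
    return findings


def revoke(token, findings):
    """Revocation is simply approve(spender, 0) for each flagged spender."""
    for owner, spender, _, _ in findings:
        token.approve(owner, spender, 0)


def run_scenario(audit_before_attack):
    """Approval on 2021-11-09, attempted drain on 2023-12-16 (dates from the
    case above); optionally a year-end audit on 2023-12-15 in between."""
    victim, spender, profit = "0xVICTIM", "0xMALICIOUS", "0xPROFIT"  # constructed
    token = Token({victim: 1_000})
    token.approve(victim, spender, UNLIMITED)
    events = [ApprovalEvent(victim, spender, UNLIMITED, ts(2021, 11, 9))]
    findings = []
    if audit_before_attack:
        findings = stale_allowances(token, events, now=ts(2023, 12, 15))
        revoke(token, findings)
    try:
        token.transfer_from(spender, victim, profit, token.drainable(victim, spender) or 1)
        attack_succeeded = True
    except PermissionError:
        attack_succeeded = False
    return {"attack_succeeded": attack_succeeded,
            "victim_balance": token.balances[victim],
            "findings": findings}


if __name__ == "__main__":
    print("no audit:  ", run_scenario(False))
    print("with audit:", run_scenario(True))
```

Without the audit the unlimited allowance from 2021 still lets the spender empty the wallet in late 2023; with the audit the allowance is flagged (untrusted spender, 766 days old), revoked, and the same transferFrom fails. On a real chain the same audit would be driven by Approval logs fetched from a node and by on-chain allowance() reads, and the revocation is an on-chain approve(spender, 0) transaction signed by the wallet owner.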

"Do a year-end audit and revoke unnecessary permissions. Start off 2024 fresh and secure," SlowMist recommends.