Wallet Drainers Can Bypass Security by Exploiting EIP-712 Normalization

Recent phishing scams indicate criminals are bypassing wallet security systems with numerical address manipulation

EIP-712 enables structured data encoding in Ethereum transactions

As wallet security improves, wallet drainers are becoming more sophisticated, adopting new tactics to get around protective measures. The latest step in this evolution was documented by the team behind the ScamSniffer real-time anti-scam solution. Working with researchers from SlowMist, ScamSniffer found that the EIP-712 normalization step can be abused to deceive the security checks built into certain wallets.


EIP-712 is an Ethereum improvement proposal that standardizes how typed structured data is hashed and signed, so that a signing request can be shown to the user as readable named fields rather than an opaque hex blob. Normalization here refers to the signing library converting each field value into its canonical encoded form (for example, an address into its 20-byte value) before the data is hashed for signature generation and verification.

A recent phishing attack analyzed by ScamSniffer and SlowMist showed that existing wallet security alerts can be bypassed if a drainer passes the contract address as a decimal number rather than a hexadecimal string, with the result that, in ScamSniffer's words, "the verifyingContract in the EIP-712 signature request is unreadable on the UI."

A numerical address is a valid input to that normalization step: the signing library converts it into the same 20-byte value as the hexadecimal form, so the resulting hash and signature are exactly what they would be for the real contract. The wallet's UI and its security heuristics, however, see the decimal string rather than a recognizable hex address, so warnings keyed on the contract address do not fire, and the user has no practical way to tell which smart contract the signature authorizes.
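To make the mechanism concrete, the following is an added example and not code from ScamSniffer, SlowMist or any wallet. It hashes an EIP-712 domain the way a signing library does, with the verifyingContract normalized before hashing, and shows that a decimal address produces the same domain separator as the hex form while a display layer that compares the raw string fails to recognize the contract. Keccak-256 is implemented inline so the script runs with only the standard library; the token address 0x1111...1111, the domain fields and the KNOWN_TOKENS table are constructed placeholders, not real contracts.

```python
"""EIP-712 domain hashing with value normalization.

Added example, not code from ScamSniffer, SlowMist or any wallet.
Keccak-256 is implemented inline so only the standard library is needed;
the token address, domain fields and KNOWN_TOKENS are constructed placeholders.
"""

# ---- Keccak-256 (original Keccak padding, as Ethereum uses it) ----
_RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]
_MASK = (1 << 64) - 1

def _rol(x, n):
    return ((x << n) | (x >> (64 - n))) & _MASK

def _keccak_f(a):
    """Keccak-f[1600] permutation on a 5x5 lane array a[x][y]."""
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]
        a[0][0] ^= rc
    return a

def keccak256(data: bytes) -> bytes:
    rate = 136                                   # (1600 - 2*256) / 8 bytes
    buf = bytearray(data) + b"\x01"              # pad10*1 with Keccak's 0x01 byte (not SHA-3's 0x06)
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):
            a[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

# ---- EIP-712 domain separator ----
DOMAIN_TYPE = ("EIP712Domain(string name,string version,"
               "uint256 chainId,address verifyingContract)")

def normalize_address(value) -> bytes:
    """Canonical 20-byte form of an address given as int, decimal string or 0x-hex.
    Signing libraries do this before hashing, so a decimal verifyingContract
    signs exactly the same data as the hex form."""
    if isinstance(value, int):
        n = value
    elif isinstance(value, str):
        s = value.strip()
        n = int(s, 16) if s.lower().startswith("0x") else int(s, 10)
    else:
        raise TypeError("unsupported address value: %r" % (value,))
    if not 0 <= n < (1 << 160):
        raise ValueError("address out of range")
    return n.to_bytes(20, "big")

def domain_separator(domain: dict) -> bytes:
    """hashStruct(EIP712Domain) per EIP-712; every field is normalized before hashing."""
    return keccak256(
        keccak256(DOMAIN_TYPE.encode())
        + keccak256(domain["name"].encode())
        + keccak256(domain["version"].encode())
        + int(domain["chainId"]).to_bytes(32, "big")
        + b"\x00" * 12 + normalize_address(domain["verifyingContract"])
    )

# ---- the display / screening layer that the trick targets ----
KNOWN_TOKENS = {"0x1111111111111111111111111111111111111111": "TOKEN-A"}  # constructed

def naive_lookup(verifying_contract):
    """Compares the raw request value to the table: blind to a decimal address."""
    return KNOWN_TOKENS.get(str(verifying_contract).lower())

def hardened_lookup(verifying_contract):
    """Canonicalizes first, so the request is screened against what will actually be signed."""
    return KNOWN_TOKENS.get("0x" + normalize_address(verifying_contract).hex())

if __name__ == "__main__":
    hex_addr = "0x1111111111111111111111111111111111111111"
    dec_addr = str(int(hex_addr, 16))            # what a drainer would put in the request
    legit = {"name": "Token A", "version": "1", "chainId": 1, "verifyingContract": hex_addr}
    phish = dict(legit, verifyingContract=dec_addr)
    print("same domain separator:", domain_separator(legit) == domain_separator(phish))
    print("naive lookup on decimal address:", naive_lookup(dec_addr))
    print("hardened lookup on decimal address:", hardened_lookup(dec_addr))
```

The two lookups are the practical takeaway: any alert, allowlist or token-symbol display that keys on the raw `verifyingContract` string must canonicalize the value with the same rules the signer uses, otherwise the check and the signature disagree about which contract is involved. The same applies to every other address or integer field in the typed data, not just the domain.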

ScamSniffer conducted tests on popular browser extension wallets to assess their vulnerability to this technique. "The tests found that most wallets support value normalization," ScamSniffer reported, adding that "Some display the associated token for the ERC20 Permit signature through 'verifyingContract'".

MetaMask, Rabby, Rainbow, OKX Web3, and Token Pocket are among the wallets that supported normalization at the time of publication.

Most recent phishing cases

While operators of wallet drainers keep looking for new ways to steal assets, the market for such toolkits keeps growing.

Trading Protocol co-founder Mikko Ohtamaa recently shared with the X community an advertisement for a wallet drainer named May Drainer. The post touted support for more than four hundred wallets, five hundred website templates, and multiple chains including Ethereum, Optimism, Cronos, BNB Smart Chain, and Gnosis, covering both tokens and NFTs.

May Drainer advertisement
Source: Mikko Ohtamaa, X

Furthermore, the drainer reportedly prioritizes draining high-value funds such as ETH, USDT, USDC, BUSD, DAI, APE, FLOKI, and SHIBA. The May Drainer seller offers four package types, from the Basic Plan at a one-time fee of $699 to the Premium Plan at $2499. Its developers claim it's a "complete turnkey solution" requiring no coding skills.

In another instance, Ohtamaa encountered a seller advertising scripts claiming to bypass all transaction simulations for 10 ETH, approximately $37,000, bundled with other materials for phishing campaigns, promising to circumvent MetaMask's latest update and conceal asset amounts in transaction details.

Meanwhile, ScamSniffer continues to uncover significant losses in the cryptocurrency community.

In a recent incident, a user lost over $800,000 worth of Aave ETH and Frax ETH after signing multiple ERC20 Permit signatures. This followed an even larger theft of $1.72 million worth of Lido ETH, where the victim signed an IncreaseAllowance transaction. Additionally, two PEPE investors suffered a combined loss of $1.1 million in memecoin, signing phishing signatures from fraudulent websites. One of them signed Increase Allowance and the other Uniswap Permit2.


Phishing statistics

Despite increased awareness of phishing threats, malicious actors continue to target cryptocurrency users and siphon off their assets. While ScamSniffer has yet to release its February statistics on scam incidents, the January data the team shared with the crypto community showed total losses of $54,956,586, with 40,700 victims falling prey to phishing scams.

Ethereum and BNB Chain bore the brunt of these attacks, with 19,360 and 12,544 victims respectively. Ethereum also saw the largest losses, at more than $39.425 million, followed by Arbitrum with more than $7.56 million and BNB Chain with nearly $4.716 million.

In January alone, ScamSniffer identified around 11,000 phishing websites and monitored the activities of eight wallet drainers.

Looking back at the previous year, ScamSniffer detected 324,082 cases of theft via phishing scams, resulting in total damages nearing $295.48 million.