Never enter your original confidential information (private keys, key store files and mnemonics) on networked devices and any web pages.
Original Title: “Introduction | How to Beat Ethereum Scavengers and Save Your Assets”
Written by: Harry Denley
Translation & Proofreading: Min Min & A Jian
You have never had such an experience: After sending a sum of money to an account, the money disappears? You may have been poisoned by the “scavenger”. We are here to help you resolve the crisis.
If your private key is stolen, the perpetrator will usually arrange a “scavenger” program to monitor your account, and then wait for the opportunity to eat the assets in your account-whether you deposit ETH or other tokens in this account , I still received the airdrop, or there is any similar situation.
This article outlines how “scavengers” eat up user assets, and provides three ways to save funds that have not been eaten (such as deposits).
How did the user’s private key leak?
We have recently seen many users posing as administrators of Telegram groups, and then offering “help” to users on the main channels of these legal groups (although they are not real administrators, they copied the introduction of the real administrator, but only slightly The user name has been changed). Counterfeit administrators usually use professional skills to confuse users and share links to seemingly legitimate websites (because of brand endorsements). These sites will require users to provide a private key or mnemonic phrase.
Then your tokens are gone, and there will be “scavengers” to start monitoring your account.
Here is an example of a phishing website:
Thanks to researcher @dubstard for spotting a lot of activities pretending to be WalletConnect!
How does a “scavenger” work?
“Sweeper” is a piece of code used to monitor the blockchain (including the transaction pool, technically speaking, the transaction pool is not on the chain). It has a faster response speed than humans, and signs specific transactions that comply with the rules in accordance with a programmed procedure.
In other words, the “scavenger” can’t see you. It doesn’t know that you are viewing your address on the blockchain browser or “connecting” your address to the user interface of a certain dApp. It will see your activity only when you sign a transaction and broadcast it to the network.
Over time, “sweepers” and phishing scams that use “sweepers” are also evolving.
The evolution of “scavengers”
In 2017, a type of scam was very popular, using tokens that have a lock function [that is, unable to successfully call transfer() ] and a price feed. Dave Appleton published an article exposing such scams.
In this type of scam, the scammer will first obtain the tokens that can be locked, but the block explorer will still provide the price of such tokens [the most popular of which is Minerum (MNE)]. Then, the scammer will (pretend to unintentionally) publish the private key of the address where the token is stored, tempting the victim to take the token from the address. In order to withdraw the tokens, the victim will transfer ETH to this address as a gas fee. However, the scammers have long arranged for a “scavenger” to transfer the ETH transferred from the victim to his account at a rapid pace. In theory, locked tokens are considered worthless, so scammers try to recover some of the locked-up value from unsuspecting greedy users.
Today, the hacked address has been placed on a large scale with the basic ETH “scavenger”. There are also some scam groups that use more logically advanced “scavengers” that will eat ERC 20 tokens based on the feed price.
Some time ago, I researched a hacked address and found that these “scavengers” are still evolving:
1) “Sweepers” like to eat high-value assets, even if it means more transaction fees.
2) “Sweeper” will use all available ETH to steal as much value as possible, and the probability of its transaction winning on the same nonce is high.
3) “Sweeper” has a matching engine that matches its native tokens with pledged tokens (ie, xKNCa = KNC) in order to get the price of pledged tokens.
4) “Scavenger” has its own internal nonce counter. If the highest nonce is not confirmed (or discarded/replaced) within a period of time, it will periodically reset the nonce to the output of eth.getTransactionCount() .
5) We can see through some on-chain activities that if a high-value asset becomes the prey in the eyes of the “sweeper”, the “sweeper” will even transfer some ETH to the relevant account as a gas fee, so that it can be used quickly. Assets are transferred from the account.
6) Some “scavengers” will set a minimum threshold for asset value. “Sweepers” will not eat assets below this threshold. This means that you may not notice that there is a “scavenger” in your account. Think carefully.
Given that we first wrote an article on “Sweepers” in 2017, today’s “Sweepers” are no longer what they used to be. They can help operators maximize their profits and maximize victims’ losses.
Stop it! Scavenger!
How to defeat the “scavenger”?
First of all, as a human, you are not faster than code, so our solution will involve code. Here are several different solutions for you. Although it is not guaranteed to be 100% effective, there is always one suitable for you.
You need to create a list of tokens you want to save (in order of priority) so that you can easily plan. This list needs to include the following:
- Token contract address
- Whether the token has been used for staking (whether there is a time limit for unlocking)
- Can the token be transferred
- Token value (determined by the user’s subjective judgment or USD value in order to determine the priority)
Most importantly, you must be methodical in order to execute the program quickly and effectively. As the wise saying goes: “Everything will be established beforehand, and nothing will be abandoned if it is not foreseen.”
Use Taichi Network
The principle of operation of “Scavenger” is to monitor transactions in the transaction pool that transfer funds to the “prey” address. In this way, the “scavenger” can sign another transaction and broadcast the transaction before the transaction is confirmed, thereby taking away the transferred funds.
Tai Chi Network allows you to directly submit signed transactions to miners (ie, Spark Mine Pool) without broadcasting them to the public transaction pool. This means that your transaction will enter the blind spot of the “Scavenger” and will not be robbed by the robot of the “Scavenger” (at least in my experience).
Image source: TAICHI.NETWORK
The specific method is to sign all your transactions in advance in nonce order and submit them to Taiji Network programmatically. Most “scavengers” only monitor the eth_getBalance transactions waiting to be packaged in the public transaction pool, and will not call eth_getBalance each new block (this is to save CPU cycles and RPC calls). In other words, the “scavenger” cannot see the ETH sent to the “prey” account through the private transaction pool, and will not eat it.
You need to do some calculations to ensure that the ETH sent to the account as a gas fee can be fully utilized for each signed transaction. If you are accurate, the “Sweeper” may fail to run away! (Usually, I will set the gas fee to a few percentage points higher than the reference value of “Rapid” on GasNow by default, so as to increase the probability of the transaction being packaged into the next block.)
You can use MyCrypto to generate transaction signatures offline and send them to the Taiji network when you are ready, or use ethers.js (or other code libraries) to write code to create signed transactions.
Use smart contracts with self-destruct function
This method is similar to using the Tai Chi network. We can use smart contracts to transfer ETH to the account without exposing the transaction in the public transaction pool. To this end, we can deploy a smart contract through a secure address and send ETH to the hacked address through its constructor (this will be an internal transaction).
pragma solidity >=0.7.0 <0.9.0;
contract MoveETH {constructor(address sendToAddress) payable {address payable addr = payable(address(sendToAddress)); selfdestruct(addr); }}
`By deploying this contract, we can send the string of ETH and the hacked address to the parameters of the constructor. The contract will be created and self-destruct in the same transaction. Among them, `selfdestruct()` means that we will clear the blockchain state of the contract in the same transaction (so this contract is a one-time) and send ETH to the hacked address. `
example:
https://goerli.etherscan.io/tx/0x82ccb222eae55aaea73dd0efee1ea6ed7320f880889f280d4a343b8823f86692
Please note that although this method is effective, it will increase the cost because we are not just transferring ETH from one account to another. This method requires a cost of approximately 70,000 gas. When the gas price is high, the gas cost alone is as high as 0.0112 ETH.
Next, we will broadcast the pre-signed transaction from the hacked address through the Tai Chi network (public nodes can also be used here, please set all the ETH balance in the account as a gas fee, so as not to be rushed by the “sweeper” ( At least try to reduce this possibility), because in this case, the “scavenger” must send more ETH to the hacked account to win the gas bidding).
Use Flashbots
Generally speaking, we need to pay ETH to get the transaction on the chain (because the transaction fee is paid by the transaction sender). However, with Flashbots, we can put transactions from external accounts on the chain without paying gas fees (ie transaction fees), and simply use funds in another account to “bribish” miners. In other words, we don’t need to transfer a sum of ETH to the hacked address as a fee to withdraw the tokens from this address . That’s right, that’s it!
This scheme requires two accounts-a hacked account and an account used to bribe miners.
The Flashbots team has released a project called Flashbots/searcher-sponsored-tx, which introduces the basic principles of how to put transactions on the chain through this scheme.
We will use funds in another account to pay transaction fees, so there is no need to have ETH in the hacked account. In fact, we wish that there is no ETH in the hacked account. After all, the last thing we want to see is that scammers/”sweepers” realize that we want to withdraw funds and use the original ETH in the account to rob us.
In order to ensure that there is no ETH in the hacked account, we strongly recommend that you run a burner bot.
We usually recommend running the burner robot on more than one machine and using a different RPC node for each instance. For example, use Infura to run a burner locally, and use another provider (such as Quiknode) to run a burner on a remote server. This allows redundancy to prevent problems such as high network latency or node failures (for example, rate limiting, synchronization issues, etc.).
The code in Flashbots/searcher-sponsored-tx needs to be modified according to your specific needs, but there is an engine that can help you save the tokens in the hacked address. The Flashbots engine is highly flexible and can support a single transfer() call, or unstake() and transfer() calls.
If you don’t understand the code, you can also try the Flashbots UI provided by @kendricktan/flashbots.tools: https://flashbots.tools/ .
Make an advertisement : If the above scheme is too difficult for you, you can also ask us for help, and we will charge 5% of the recovered funds as remuneration. Although we also want to provide this service for free, our time is really limited due to too many requests. We will use the income from this service to promote the safe development of the blockchain industry!
Thank you for your understanding.
If you want to get this service, please send an email with the subject “Account Sweeper-Requesting Assistance!” to support@mycrypto.com .
The above email address is the only way to ask for help. We will not promote the service on Telegram, Discord or other places to avoid additional risks.
How to fundamentally avoid “scavengers”?
The best preventive measure is of course to protect your address from being invaded by the “sweeper”, so you don’t need to fight the “sweeper”.
In recent years, we have seen negative examples on the UI of some apps-allowing users to use original confidential information on the dapp interface. This is a very unsafe practice and should not be encouraged.
Never enter your original confidential information (private keys, key store files and mnemonics) on networked devices and any web pages.
We recommend using a hardware wallet to ensure that the private key is stored on a separate device-if you use MetaMask to interact with dApps, MetaMask recently released an update that allows users to use multiple hardware wallet addresses.
- Buy Ledger
- Buy Trezor
If you use a mobile device to interact with dApps, we recommend using WalletConnect to sign messages (note: WalletConnect will never ask you to provide confidential information).
Source link: blog.mycrypto.com
