Exploitation of Ethereum's Create2 function raises alarm for wallet security


Security researchers are sounding the alarm about rising cryptocurrency attacks involving the abuse of Ethereum's Create2 opcode to drain crypto assets from users’ wallets.

Ethereum's Create2 function, a successor to the original Create function, was introduced during the Constantinople upgrade and allows a smart contract to be deployed at a deterministic address that can be computed before the contract's bytecode actually exists on chain. While hailed for its efficiency and predictability in smart contract interactions, Create2 has unwittingly become a tool for malicious actors to bypass traditional security measures, researchers from cybersecurity firm Check Point said.

The attack method involves tricking users into approving transactions for smart contracts that haven't been deployed yet. Once approval is granted, attackers deploy malicious contracts to the predetermined addresses, effectively hijacking transactions and draining victims' cryptocurrency wallets.

Most existing security solutions are ill-equipped to detect threats stemming from interactions with future contracts, leaving users vulnerable to exploitation.

The attack involves a multi-step process described as follows:

Deception: Attackers convince victims to approve or increase the allowance for a yet-to-be-deployed contract, exploiting users' trust in the Ethereum ecosystem.

Stealth Deployment: Since the contract doesn't exist at the time of approval, it evades detection by conventional security solutions, which are unable to identify threats in non-existent contracts.

Exploitation: Once authorization is secured, attackers swiftly deploy malicious contracts, siphoning funds from victims' wallets with ease.

The consequences of such exploits can be dire, as illustrated by a recent incident where a user lost $3.5 million due to this weakness. The victim approved a transaction for a contract that hadn't yet been created. Shortly after approval, the malicious contract was deployed, and funds were swiftly transferred to the attacker's address.

Last year, a malicious operation was exposed that weaponized Ethereum's “Create2” function to steal about $60 million worth of cryptocurrency over a six-month period.
