Misconfigurations in smart contracts are being exploited by scammers to create malicious cryptocurrency tokens with the goal of stealing funds from unsuspecting users.
The instances of token fraud in the wild include hiding 99% fee functions and concealing backdoor routines, researchers from Check Point said in a report shared with The Hacker News.
Smart contracts are programs stored on the blockchain that are automatically executed when predetermined conditions are met according to the terms of a contract or an agreement. They allow trusted transactions and agreements to be carried out between anonymous parties without the need for a central authority.
By examining the Solidity source code used for implementing smart contracts, the Israeli cybersecurity company found instances of hidden and hardcoded fees that can’t be changed, while allowing malicious actors to exert control over “who is allowed to sell.”
In another instance, a legitimate contract called Levyathan was hacked after its developers inadvertently uploaded the wallet’s private key to their GitHub repository, enabling the exploiter to mint an infinite number of tokens and steal funds from the contract in July 2021.