Learn about a new scam on Telegram that drains crypto wallets by abusing ERC-2612 permit signatures. Stay cautious to protect your funds.

A recent scheme making the rounds on Telegram enables an attacker to siphon funds from a victim's cryptocurrency wallet without requiring the victim's confirmation, as per reports from users and blockchain data.

This fraudulent activity is specifically tailored for tokens adhering to the ERC-2612 token standard, which facilitates "gas-less" transfers or transfers via a wallet devoid of Ether (ETH). Despite not mandating user approval for transactions, the method seemingly necessitates duping the user into signing a message.

With an increasing number of tokens adopting the ERC-2612 standard, such forms of attacks might proliferate.

CoinTelegraph received communication from a user who disclosed a loss exceeding $600 in value of Open Exchange (OX) tokens after engaging with what appeared to be the official Telegram group for the token's developer, OPNX. Unfortunately, it turned out to be a phishing scheme.

Upon joining the Telegram group, the user was prompted to click a button to link their wallet to verify they were not a bot. This action redirected them to a browser window where they connected their wallet to the site, assuming that mere connection posed no risk to their funds. However, within a short span, all OX tokens were depleted. The victim asserted they never authorized any transaction on the page, yet their assets were pilfered.

Upon investigation, CoinTelegraph found the Telegram group featuring a counterfeit version of the Collab.Land Telegram verification system. The genuine Collab.Land system dispatches messages from Telegram channel @collablandbot, spelled with two lowercase "l"s. Conversely, the fake version deployed messages from @colIablandbot, substituting a capital "I" for the second lowercase "l." In Telegram's font, these characters appear strikingly similar.

Moreover, the "connect wallet" button in authentic Collab.Land messages directs users to the URL connect.collab.info, lacking any dashes, while the counterfeit version directed users to connect-collab.info, using a dash instead of a period.

Blockchain data indicates that the attacker depleted the funds by invoking the "transferFrom" function on the OX token contract. Under normal circumstances, this function necessitates the owner's prior invocation of "approve" through a separate transaction, setting a spending limit. However, there's no evidence in the blockchain data suggesting the victim performed such an approval.

Approximately one hour and forty minutes preceding the transfer, the attacker invoked "Permit" on the OX token contract, designating itself as the "spender" and the victim's account as the "owner." Additionally, they defined a "deadline" or timeframe after which the permit would expire, alongside a "value" or token amount available for transfer, set to an arbitrarily large figure.

The Permit function, delineated within lines 116-160 of the token contract's ERC20.sol file, allows a third party to authorize token transfers on behalf of the owner upon receiving a signed message granting authorization.

This configuration potentially elucidates how the attacker drained the funds without necessitating the owner's engagement in a conventional token approval process. However, it suggests that the attacker coerced the owner into signing a message. Upon being presented with this evidence, the victim acknowledged attempting to connect to the site a second time. In this instance, they noticed an "additional signing dialogue" that they likely confirmed unknowingly during the initial attempt.

The Permit function appears to be a nascent feature of certain token contracts, incorporated as part of the ERC-2612 standard, permitting transactions by wallets devoid of ETH holdings. OpenZeppelin, a Web3 developer, outlines the function's purpose as follows:

"[It] can be used to change an account’s ERC20 allowance (see IERC20.allowance) by presenting a message signed by the account. By not relying on IERC20.approve, the token holder account doesn’t need to send a transaction, and thus is not required to hold Ether at all."

Over time, this functionality could facilitate the development of user-friendly wallets exclusively managing stablecoins. However, CoinTelegraph's inquiry has uncovered instances of scammers exploiting this feature to deceive users into relinquishing their funds. Web3 users must remain vigilant as attackers can deplete their funds sans approval transactions, provided they sign a message granting the attacker such authority.

CoinTelegraph reached out to the Collab.Land team for comment. The developers confirmed that the bot and website implicated in this scam bear no affiliation with the authentic Collab.Land protocol. Upon being apprised of this impostor, project developers reported the scam to Telegram.