Introduction
A fake recharge (fake deposit) attack is one in which the attacker sends forged transaction information to the exchange’s wallet address by exploiting flaws or system errors in how the exchange processes deposits. The exchange mistakes the forged transactions for real deposit requests and adds the corresponding digital asset or currency to the attacker’s account. Attackers use this method to obtain digital assets they never paid for, causing the exchange to lose assets.
This article explores in depth how fake deposit attacks break through the defense mechanisms of exchanges. We will analyze the principle of the fake top-up attack and reveal the flaws and strategies exploited by attackers. We will also walk through a concrete example to better understand the attack method and its impact. Finally, we will discuss emergency and preventive measures that exchanges can take against fake top-up attacks, in order to offer suggestions for protecting assets and responding to similar attacks.
Before looking at fake deposits, we need to understand how an exchange processes deposits.
A typical process is as follows:
1. Wallet address generation
The exchange assigns each user a unique wallet address for receiving that user’s deposits. These addresses are usually generated automatically by the exchange’s systems. To deposit, the user sends digital assets to the specific wallet address assigned to their exchange account.
2. Blockchain ledger scanning
The exchange’s nodes synchronize with other nodes in the blockchain network to obtain the latest chain state and transaction data. When an exchange node receives a new block, it extracts the user deposit transaction IDs and corresponding amounts from the transactions contained in the block (or from the transaction execution events the block triggers) and adds them to a pending-deposit list.
3. Confirm deposit
Exchanges typically consider a transaction valid only after it has received a certain number of confirmations on the blockchain network. A confirmation means that the block containing the transaction has been referenced by a certain number of subsequent blocks and verified by other miners. The number of confirmations an exchange requires varies by digital asset and network.
[Figure: exchange deposit flow. The fake recharge attack occurs in steps 5 and 6 of the diagram.]
Exchanges are the hardest-hit targets of hacker attacks, so they usually place their servers behind heavy defensive systems and even host the core fund-management services offline. However, because of the data-integrity requirements of a blockchain system, malicious transactions are not intercepted by the perimeter security system.
Note that a fake top-up attack is not a vulnerability in the blockchain itself; rather, the attacker uses certain characteristics of the blockchain to construct special transactions. These malicious transactions make the exchange mistakenly believe they are real deposit requests, or cause it to process the same deposit request multiple times. After years of real-world practice, the SlowMist security team has summarized several common fake top-up attack methods:
Since 2018, the SlowMist security team has disclosed multiple fake top-up attacks, including:
In addition to these publicly disclosed fake recharge attacks, there are many classic attack methods we have not disclosed, as well as some generic attack methods. For example:
If you want to know more details, welcome to contact us for an in-depth discussion.
Almost all blockchains are susceptible to fake deposits. Some attacks are easy to avoid, while others require in-depth research into the characteristics of the blockchain to defend against.
Taking the fake top-up of TON as an example, we will show how cunning attackers use the characteristics of TON to attack exchanges.
TON (The Open Network) is a blockchain project initiated by Telegram, the well-known messaging software, which supports deploying smart contracts on user accounts.
When an exchange handles TON deposits, following the process described above, it first generates a deposit address for the user, the user then transfers assets to that address, and finally the exchange confirms the deposit and credits the account.
How does an exchange verify that a transaction belongs to its users? Let’s check a normal transfer through the RPC interface:
Usually the exchange checks whether the destination in in_msg is the user’s deposit address and, if so, converts the value according to the asset’s decimal precision and credits it to the user. But is that safe?
TON transactions have a characteristic: almost all internal messages sent between smart contracts should be bounceable, that is, their bounce flag should be set. Then, if the target smart contract does not exist, or an unhandled exception is thrown while processing the message, the message is “bounced” back with the original value (minus all message transfer and gas fees).
In other words, if an attacker transfers funds with the bounce flag set to an account that has no deployed contract, the deposit amount is bounced back to the originating account after the fee is deducted. The exchange sees the user’s deposit record, but does not expect the deposited coins to return, “bouncing” back to the attacker’s account.
Let’s look at this transaction. Compared with the normal transaction, there is an extra out_msg. This out_msg is the operation in which the funds are bounced back to the originating account.
If the exchange only checks in_msg, it will mistakenly credit the attacker’s account, resulting in a loss of platform assets.
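The following is an added example (not SlowMist’s code or any exchange’s real deposit scanner) showing a crediting check that refuses the bounced transfer described above: a deposit is credited only if in_msg targets a known deposit address and no out_msg sends value back out. The transaction dictionaries are a constructed simplification of an RPC result with in_msg/out_msgs fields; the field names, the nanoton precision and the addresses are assumptions.

```python
# Added example, not code from the article. Deposit-crediting check for TON
# that rejects bounced transfers by inspecting out_msgs, not only in_msg.
# The transaction shape is a constructed simplification of an RPC result;
# take real field names and value encodings from the node API you use.
from decimal import Decimal

NANOTON = Decimal(10) ** 9  # assumed precision: 1 TON = 1e9 nanoton

DEPOSIT_ADDRESSES = {"EQ_DEPOSIT_USER_42": "user-42"}  # constructed placeholder


def credit_decision(tx, deposit_addresses=DEPOSIT_ADDRESSES):
    """Return (user_id, amount_ton) for a creditable deposit, else (None, reason).

    Strict matching rules:
      1. in_msg must target one of our deposit addresses and carry value.
      2. No out_msg may carry value; value returned to in_msg.source is a bounce.
    """
    in_msg = tx.get("in_msg") or {}
    user = deposit_addresses.get(in_msg.get("destination"))
    if user is None:
        return None, "destination is not a deposit address"
    value = int(in_msg.get("value", 0))
    if value <= 0:
        return None, "in_msg carries no value"
    for out in tx.get("out_msgs", []):
        if int(out.get("value", 0)) > 0:
            if out.get("destination") == in_msg.get("source"):
                return None, "bounced: value returned to sender"
            return None, "unexpected value-carrying out_msg"
    return user, Decimal(value) / NANOTON


# Constructed sample transactions (not real chain data).
NORMAL_TX = {
    "in_msg": {"source": "EQ_ALICE", "destination": "EQ_DEPOSIT_USER_42",
               "value": "5000000000"},
    "out_msgs": [],
}
BOUNCED_TX = {  # bounce flag set, deposit address has no deployed contract
    "in_msg": {"source": "EQ_ATTACKER", "destination": "EQ_DEPOSIT_USER_42",
               "value": "5000000000", "bounce": True},
    "out_msgs": [{"source": "EQ_DEPOSIT_USER_42", "destination": "EQ_ATTACKER",
                  "value": "4990000000"}],  # original value minus fees
}

if __name__ == "__main__":
    for name, tx in (("normal", NORMAL_TX), ("bounced", BOUNCED_TX)):
        print(name, credit_decision(tx))
```

In production the decision should additionally be cross-checked against the deposit address’s actual balance change, as strategy 2 below recommends.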
Some basic strategies to prevent fake top-up attacks are:
**1. Multiple confirmation mechanism:** Require multiple confirmations for deposits so that a transaction is considered valid only after it has been sufficiently confirmed on the blockchain. The number of confirmations should be set according to the security of each digital asset and the confirmation speed of its blockchain;
**2. Strict transaction matching:** When screening user transactions from a block, only transactions that completely match the normal transfer pattern may be credited automatically, and the account’s balance change should be checked as a final step;
**3. Risk control system:** Establish a sound risk control system to monitor and detect abnormal trading activity. The system can identify potential risks and abnormal behavior by analyzing deposit patterns, transaction frequency, transaction size and other factors;
**4. Manual review:** For large or high-risk transactions, carry out additional review through a manual review mechanism. Manual review can increase confidence in transactions, discover abnormal transactions, and prevent malicious deposits;
**5. API security:** Apply security authentication and authorization to external API interfaces to avoid unauthorized access and potential vulnerabilities. Regularly review the security of the API interfaces, and carry out timely security updates and fixes;
**6. Withdrawal restriction:** After a deposit occurs, temporarily restrict the user’s withdrawal of the deposited assets. This gives the exchange enough time to confirm the validity of the deposit and prevent potential fake deposit attacks;
**7. Security updates:** Update the exchange software and systems promptly to fix possible security holes. Continuously monitor the security status of the exchange and cooperate with network security experts to conduct regular security audits and penetration tests.
To prevent fake deposits on a specific blockchain, it is necessary to read the official documentation thoroughly to understand the characteristics of its transactions.
Through long-term offensive and defensive practice, the SlowMist security team has developed the Badwhale fake recharge test system, built specifically for digital asset management platforms. The system is designed to help these platforms detect and evaluate their ability to prevent fake top-up attacks and to optimize their defense mechanisms, ensuring the security of user assets and the reliability of the platform.
Badwhale is a proprietary commercial system that the SlowMist security team has developed over many years. It has served dozens of platforms and has averted fake top-up risks to assets estimated in the billions of dollars.
Special features:
**1. Simulate fake recharge attacks:** Badwhale can simulate various types of fake recharge attacks and automatically send false deposit requests to the digital asset management platform under test. This helps assess the platform’s weaknesses and discover potential vulnerabilities and security risks;
**2. Diversified test scenarios:** The system provides a variety of test scenarios and attack modes, which can comprehensively test the platform’s fake recharge defenses according to its actual situation;
**3. Highly scalable:** Badwhale is designed as a highly scalable test system that supports testing for different digital asset management platforms and blockchain platforms, and can flexibly adapt to the needs of different system architectures and technical environments.
Badwhale currently supports fake recharge tests on hundreds of public chains and tens of thousands of tokens, including:
(ETH/BSC/HECO/RON/CFX-evm/FIL-evm/AVAX-evm/FTM-evm/RSK/GNO/MOVR-evm/GLMR-evm/KLAY/FSN/CELO/CANTO/EGLD/AURORA-evm/TLC/WEMIX/CORE/VS/WAN/KCCL/OKX…)
With the help of Badwhale’s powerful functions, the digital asset management platform can conduct a comprehensive fake recharge defense test to understand its performance in the face of fake recharge attacks, optimize its defense mechanism, and improve the security of user assets. The introduction of Badwhale will help the digital asset management platform strengthen security protection, improve the ability to resist fake recharge attacks, and ensure the reliability of digital asset transactions and user trust.
Through in-depth research on the breakthrough methods of fake recharge attacks, we can better understand the importance of digital asset management platforms in protecting user assets and maintaining security. Only by strengthening security defense measures, continuously monitoring vulnerabilities and taking appropriate countermeasures, can the digital asset management platform effectively deal with fake top-up attacks and other security threats, and ensure the credibility and reliability of digital asset transactions.