Inside The Scammer's DApp

With Chrome Dev Tools, I was able to look inside the client code of https://u2e-free.com. This site is the scam dapp that drained all my USDT after my Coinbase Wallet granted them unlimited spending of my USDT.

The site is a single-page web application written in Vue.js v2.6.12 and web3.js. Below is the tree view of the site.

The application supports two languages in its UI, English and Chinese, with English as the primary language. I concluded that English is the primary language because the Chinese version contains untranslated text, as shown below.

Next I will focus on the code that implements the Receive button. This is the most important action because it is what obtains the permission to spend unlimited USDT from victims' wallets.

Below is the receive function that implements the action.

The function above does the following:

  1. Obtain the USDT Contract
  2. Get the estimated gas price and validate the victim's wallet Ether balance
  3. If everything looks right, execute the highlighted line

Here is that highlighted line again:

That line will eventually call the Solidity code below for the USDT Contract if certain conditions are met.

The method takes two parameters: (1) the address of the spender and (2) the amount that spender is allowed to spend. The following values are passed:

  1. 0x02FABFD6d5608977d5952D9EF071445420c47Efd - the address of the spender. They have since changed this to a different address from the one that took my funds: 0x7E72b68D841CA119C04b555b17409a1C96877Ed7
  2. 411256436224324320870982430867023952481793415358246197461731293 - an effectively unlimited amount. The value is expressed in USDT's base units (USDT has 6 decimals), so it is roughly 4 × 10^56 USDT, far more than will ever exist.

Wow! The receive function is requesting approval for an external address to spend an unlimited amount of USDT from the user's wallet. It is using web3.js, "a collection of libraries that allow you to interact with a local or remote ethereum node using HTTP, IPC or WebSocket."
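As an added example (not code from the scam site or from Coinbase Wallet), here is how the approve call above is ABI-encoded on the wire and how a wallet could decode it back into the spender, the amount and a plain-language warning before asking the user to sign. It assumes USDT's 6 decimals, uses a threshold of 2^128 base units as a heuristic for "effectively unlimited", and compares against a constructed wallet balance; everything runs offline without web3.js because the ERC-20 encoding is fixed by the standard.

```javascript
// Added example, not code from u2e-free.com or from Coinbase Wallet: decode the
// calldata of an ERC-20 approve(address,uint256) call and describe the allowance
// the way a wallet confirmation dialog should before the user signs it.

// First 4 bytes of keccak256("approve(address,uint256)"): the ERC-20 approve selector.
const APPROVE_SELECTOR = "095ea7b3";

// USDT on Ethereum mainnet has 6 decimals; amounts on the wire are in base units.
const USDT_DECIMALS = 6n;

// The two values the scam site passes, as quoted in the post above.
const SCAM_SPENDER = "0x02FABFD6d5608977d5952D9EF071445420c47Efd";
const SCAM_AMOUNT = 411256436224324320870982430867023952481793415358246197461731293n;

// Left-pad a hex string (with or without 0x) to one 32-byte ABI word.
const toWord = (hex) => hex.toLowerCase().replace(/^0x/, "").padStart(64, "0");

// ABI-encode approve(spender, amount): selector, then two 32-byte words.
function encodeApprove(spender, amount) {
  return "0x" + APPROVE_SELECTOR + toWord(spender) + toWord(amount.toString(16));
}

// Decode approve calldata; returns null for anything that is not a well-formed approve call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const addrWord = hex.slice(8, 72);
  // An address occupies the low 20 bytes; the high 12 bytes must be zero padding.
  if (!/^0{24}/.test(addrWord)) return null;
  return { spender: "0x" + addrWord.slice(24), amount: BigInt("0x" + hex.slice(72, 136)) };
}

// Render base units as a decimal token amount, e.g. 50000000n -> "50.000000".
function formatUnits(amount, decimals) {
  const base = 10n ** decimals;
  return `${amount / base}.${(amount % base).toString().padStart(Number(decimals), "0")}`;
}

// Heuristic threshold (assumption): no real token supply reaches 2^128 base units,
// so any allowance at or above it is effectively unlimited whatever the balance is.
const UNLIMITED_THRESHOLD = 1n << 128n;

// What the dialog should say: who can spend, how much, and whether that exceeds
// what the user holds today (in which case it also covers future deposits).
function describeApproval(decoded, balanceBaseUnits, decimals) {
  const unlimited = decoded.amount >= UNLIMITED_THRESHOLD;
  const exceedsBalance = decoded.amount > balanceBaseUnits;
  const human = formatUnits(decoded.amount, decimals);
  let warning;
  if (unlimited) {
    warning = `Grants ${decoded.spender} permission to move ALL your tokens, now and in the future`;
  } else if (exceedsBalance) {
    warning = `Grants ${decoded.spender} permission to move more than your current balance (${human})`;
  } else {
    warning = `Grants ${decoded.spender} permission to move up to ${human} tokens`;
  }
  return { spender: decoded.spender, amount: human, unlimited, exceedsBalance, warning };
}

// Stand-alone run: the scam call next to a normal 50 USDT approval, against a
// constructed balance of 1,500 USDT.
const BALANCE = 1500000000n;
console.log(describeApproval(decodeApprove(encodeApprove(SCAM_SPENDER, SCAM_AMOUNT)), BALANCE, USDT_DECIMALS));
console.log(describeApproval(decodeApprove(encodeApprove(SCAM_SPENDER, 50000000n)), BALANCE, USDT_DECIMALS));
```

The decoder rejects calldata whose first word has non-zero padding bytes, which is what a wallet should do rather than silently truncating to an address; the two booleans are the pieces of information the dialogs criticised later in this post never surface.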

Web3.js by itself would not do much without a given wallet provider because it cannot sign transactions. All transactions must have a signature "generated when the sender's private key signs the transaction and confirms the sender has authorized this transaction." This is what u2e-free.com looks like when there's no wallet provider:

Thus, a major component required to complete the approval transaction is the wallet provider with access to the owner's private key. This wallet provider is Coinbase Wallet, so the approve action must go through Coinbase Wallet's code, which is in requestRelay.js inside Coinbase Wallet Extension, as seen below.

Because Coinbase Wallet is the component with access to the user's private key and responsible for signing transactions, it is also responsible for informing users of what is going on behind the scenes.

Sensitive actions (such as granting access to funds, unlimited spending of USDT in this case), if implemented, must be handled with care and cannot be poorly done, especially in a cryptocurrency wallet that manages people's money.

Victims of this scam, having suffered a major financial loss, know how severe the consequences are when this is not done properly. As a promoter of dapps that provides this feature to users, Coinbase must be extra careful when implementing this functionality, especially for a company of its size and the trust that people place in it.

We will now take a look at how Coinbase Wallet deals with that malicious approval request from the scam dapp. If this request is approved, the scammer can take all USDT currently in the wallet and all USDT added to it in the future, up to the approved allowance of 4112564…293 (in USDT's base units).

Since I am using Coinbase Wallet Extension to look inside the code, I will first show, in the video below, how Coinbase Wallet Extension handles the signing of an approval that grants an external address unlimited access to the USDT in a wallet.

The video shows that there is no notification at all of what is going on behind the scenes. Users would most likely believe that they are confirming a transaction to purchase a voucher while exploring the decentralized web in their browser. They would not know that by confirming this transaction, they are granting an external address unlimited access to the USDT in their wallet.

On a mobile application (Android/iPhone), Coinbase Wallet does a slightly better job of informing users of what's going on. It has a Confirm Payment dialog that looks like this.

However, I believe this is still a really poor job of informing users of what they are about to sign. Here's why:

  • The title of the dialog is Confirm Payment. This leads users to believe that they are confirming a payment for the voucher.
  • The message "This dapp is requesting an action, which could take money from your wallet…" is easy to overlook. There is no visual indicator such as a warning sign (⚠️). The text is plain black at regular size, unlike the all-caps Network Fee label, where users quickly note what they will pay. Users therefore focus on the fee and may confirm the transaction without reading further.
  • If users do read the message, its wording can easily be understood to mean that the site will take money from the wallet for the voucher at the time of signing only, not at any time in the future. There is no interface inside Coinbase Wallet that lists granted approvals or lets users revoke them, and an approval transaction that grants an external address access to the user's funds is displayed no differently from a regular transaction.
  • There is no indication of how much the dapp is requesting access to, even though this amount is a major parameter of the approval transaction.
  • Coinbase Wallet exposes to every dapp the ability to invoke this smart contract method, which is unfamiliar to the majority of users. The approve method and the allowance concept behind it are fairly advanced; perhaps only dapp developers are familiar with them.
    • Even Coinbase Support specialists appear unaware of the concept, judging by their responses to victims. Their answer to victims is that they must have either authorized outgoing transactions or leaked their recovery phrase. There is no explanation that a transaction can also be authorized through an approval transaction.
    • There are no resources from Coinbase on this concept. There is no help document on the special Confirm Payment dialog that, if confirmed, grants an external address access to the user's funds. Coinbase's examples of scam and phishing pages include no example of dapp phishing.
  • The inconsistency in handling the approve method between the browser extension and the mobile application indicates that the process was not well thought out.

Thus, it is serious negligence on Coinbase's part to release Coinbase Wallet to all users and promote it as having industry-leading security. The consequence is that users who trusted Coinbase's reputation and the security of Coinbase Wallet suffered severely from this negligence.
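As an added example that is not Coinbase Wallet's code, the following shows what the missing "approvals" view and revoke action could be built from: the ERC-20 Approval event logs of the victim's wallet, and an approve(spender, 0) call that sets an allowance back to zero. The log entries, the owner address and the second spender are constructed; the USDT contract address and the scam spender are the real ones. A real implementation would confirm each allowance with an eth_call to allowance(owner, spender) rather than trusting logs alone, and would issue the revoke as a transaction to the token contract.

```javascript
// Added example, not Coinbase Wallet code: list the token allowances a wallet has
// outstanding, reconstructed from ERC-20 Approval event logs, and build the
// approve(spender, 0) calldata that revokes each one.

// keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event.
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
// Selector of approve(address,uint256).
const APPROVE_SELECTOR = "0x095ea7b3";

const USDT = "0xdAC17F958D2ee523a2206206994597C13D831ec7";          // USDT contract on mainnet
const OWNER = "0x1111111111111111111111111111111111111111";         // constructed victim wallet
const SCAM_SPENDER = "0x02FABFD6d5608977d5952D9EF071445420c47Efd";  // spender quoted in the post
const OTHER_SPENDER = "0x2222222222222222222222222222222222222222"; // constructed second spender
const SCAM_AMOUNT = 411256436224324320870982430867023952481793415358246197461731293n;

// Left-pad a hex string (with or without 0x) to one 32-byte word.
const word = (hex) => hex.toLowerCase().replace(/^0x/, "").padStart(64, "0");
// Indexed address topics are 32 bytes; the address is the low 20 bytes.
const topicToAddress = (topic) => "0x" + topic.slice(-40);

// Shape of an eth_getLogs result entry for an Approval event; `data` carries the uint256 value.
function approvalLog(blockNumber, logIndex, spender, value) {
  return {
    address: USDT, blockNumber, logIndex,
    topics: [APPROVAL_TOPIC, "0x" + word(OWNER), "0x" + word(spender)],
    data: "0x" + word(value.toString(16)),
  };
}

// Constructed history: a 500 USDT approval that the user later revoked, then the
// scam approval. Deliberately out of block order to show that ordering matters.
const SAMPLE_LOGS = [
  approvalLog(17000000, 5, OTHER_SPENDER, 500000000n),
  approvalLog(17000500, 12, SCAM_SPENDER, SCAM_AMOUNT),
  approvalLog(17000200, 3, OTHER_SPENDER, 0n),
];

// Latest Approval value per (token, spender) for `owner`; zero allowances are dropped.
function outstandingAllowances(logs, owner) {
  const ownerTopic = "0x" + word(owner);
  const sorted = logs
    .filter((l) => l.topics[0] === APPROVAL_TOPIC && l.topics[1].toLowerCase() === ownerTopic)
    .sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  const latest = new Map();
  for (const l of sorted) {
    // Each Approval event reports the new absolute allowance, so the last one wins.
    latest.set(`${l.address.toLowerCase()}|${topicToAddress(l.topics[2])}`, BigInt(l.data));
  }
  return [...latest]
    .filter(([, value]) => value > 0n)
    .map(([key, value]) => {
      const [token, spender] = key.split("|");
      return { token, spender, value };
    });
}

// Calldata that sets the allowance back to zero: approve(spender, 0), sent to the token contract.
function revokeCalldata(spender) {
  return APPROVE_SELECTOR + word(spender) + word("0");
}

// Stand-alone run: the only outstanding allowance left is the scam approval.
for (const a of outstandingAllowances(SAMPLE_LOGS, OWNER)) {
  console.log(`${a.spender} may spend ${a.value} base units of ${a.token}`);
  console.log(`revoke: send to ${a.token} with data ${revokeCalldata(a.spender)}`);
}
```

Setting the allowance to zero is the revocation every ERC-20 token accepts; a wallet that kept this list, and showed it next to each transaction history entry, would have let a victim see and undo the approval the Confirm Payment dialog hid.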

Comments

  1. True, let's file a lawsuit against Coinbase

