Starting on January 11th, our team Google searched for “Synapse Bridge” in order to bridge funds. During our routine product testing, we clicked on the first result. When we went to connect Fordefi’s wallet to create a bridge transaction, we got the following risk alerts when producing an allowance request.
Our risk alerts in the browser extension raised a flag, informing us that we were attempting to give an allowance to a non-contract address, in other words, an address that is controlled by another human rather than a blockchain application. Giving allowance to an EOA (externally owned account) is commonly known to be malicious since we can’t enforce a legitimate usage of the allowance. This is in contrast to contracts, where the source code can be examined and verified. Hence, if you get an allowance request from an EOA it will almost always be an account trying to impersonate a contract with malicious intentions.
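The check behind such an alert can be sketched as follows. This is an added example, not Fordefi's code: it decodes `approve` and `setApprovalForAll` calldata and flags a spender that has no contract code. `get_code` is a hypothetical stand-in for a JSON-RPC `eth_getCode` lookup, and the addresses and bytecode are constructed samples.

```python
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155

def decode_approval(calldata):
    """Return (kind, spender, value), or None if calldata is not an approval."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL) or len(args) != 128:
        return None
    if args[:24] != "0" * 24:      # an ABI-encoded address is zero-padded on the left
        return None
    kind = "approve" if selector == APPROVE else "setApprovalForAll"
    return kind, "0x" + args[24:64], int(args[64:], 16)

def check_approval(calldata, get_code):
    """Classify an approval. get_code(address) -> bytes stands in for eth_getCode."""
    decoded = decode_approval(calldata)
    if decoded is None:
        return None
    kind, spender, value = decoded
    if value == 0:                 # amount 0 / approved=false removes access
        return ("revoke", kind, spender)
    if len(get_code(spender)) == 0:
        return ("alert", kind, spender)   # spender has no code: an EOA
    return ("review", kind, spender)      # contract: its code can be examined

# Constructed sample data: addresses and bytecode are made up.
EOA = "0x" + "11" * 20
CONTRACT = "0x" + "22" * 20
CODE = {CONTRACT: bytes.fromhex("6080604052")}

def sample_get_code(address):
    return CODE.get(address, b"")

def encode(selector, spender, value):
    """Build calldata for the samples."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(value, "064x")

if __name__ == "__main__":
    for sel, who, val in [(APPROVE, EOA, 2**256 - 1), (APPROVE, CONTRACT, 10**18),
                          (SET_APPROVAL_FOR_ALL, EOA, 1), (APPROVE, EOA, 0)]:
        print(check_approval(encode(sel, who, val), sample_get_code))
```

An approval with value 0 (or `approved = false`) is reported as a revocation, which is the transaction shape a user sends to withdraw an allowance.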
Realizing that something had gone wrong, we retraced our steps to identify the mistake. We discovered that we had unintentionally attempted to interact with a phishing attack when we clicked on the Google ad link below, leading us to a fake website impersonating Synapse.
Looking at the Google ad again (see below image), we realized the phishing attempt was quite sophisticated. The ad was indistinguishable from the real (non-ad) result, and even the URL presented was the correct URL. However, once you clicked on the Google ad, the ad actually redirected to “trackgooglemono.com,” which redirected to the malicious Synapse Bridge dupe site.
Watch the full video on our Twitter linked below.
When searching for the attacker(s)’ address (the one they requested an allowance for), it was clear they had set up a few of these scams in the past few days and were able to drain a sizeable amount of funds. We immediately reported the ad to Google and started publishing the information through Twitter as this was an ongoing attack and we could still help people avoid being drained.
We urged users to go and revoke their allowances to this address, in case the attackers had not yet consumed the allowances (it is a common practice to consume all allowances at once, and not draw attention until then). For our own customers, this would be much easier as we have our native allowance management page in our web console, letting them revoke or edit all their allowances in an easy and safe manner.
We could see that the attackers had many “setApprovalForAll” transactions, which are used to drain entire NFT collections (among them 2 Mutant Apes and an Azuki NFT), so we can assume the scams were widespread across the ecosystem. The attackers had gained allowances to 34 addresses on Ethereum, 35 addresses on Polygon, and 74 addresses on BNB chain. We started labeling the addresses to which the attackers funneled stolen funds. One address had deposited $180K worth of ETH to Binance so we labeled it “One stop before Binance”, only to wake up the next morning and see the attackers had drained 920 ETH (~$1.4M) in one transaction! The attackers then moved on to fund a new address which we labeled “Gate.io depositor” through which they ended up depositing 1080 stolen ETH (~$1.7M) to Gate.io.
We shared this information on Twitter as it was happening and reached out to Gate.io, informing them of the fraudulent funds that were deposited to their exchange. Gate.io responded quickly by freezing the stolen funds and are now undergoing an investigation.
On-chain interactions are full of risks and at Fordefi we are working diligently so that our customers can feel safe when transacting and have full visibility into their on-chain interactions.
Fordefi’s MPC wallet platform and web3 gateway enable institutions to seamlessly connect to dApps across networks, while keeping digital assets secure. Fordefi is the first institutional wallet and security platform purpose-built for DeFi. Fordefi was founded in 2021 by crypto custody and cybersecurity experts, and designed in close collaboration with crypto industry-leading trading firms, funds and custodians.