The world of cryptocurrency has been shaken recently by news that a loophole on the Ethereum blockchain has been exploited by hackers, who have stolen millions of dollars from unsuspecting users.
The scary thing is that this heist has been going on for close to six months, and in that time the hackers have managed to scam close to 100,000 users out of a staggering $60 million!
But, how did they do it?
The hackers in question used an exploit built on Ethereum's CREATE2 opcode. What this does is create a temporary address that closely mimics the genuine address of a crypto transaction. This technique, also known as address poisoning, allows the attacker to know the address in advance, before it is even deployed on the Ethereum network.
Usually, when someone wants to perform a transaction online, they follow a typical pattern –
- They cross-check whether the recipient’s details are correct.
- If the recipient is new, they first send a small amount to see if the receiver gets the payment.
- If the receiver successfully receives the token payment, the rest of the amount is sent.
Now, when it comes to crypto payments, the payment address is a long string of letters and numbers, and it becomes cumbersome to manually verify the complete address before a transaction. This has led people to adopt a rather half-baked approach, where they verify only the first few and last few characters of the address. This is where the hackers’ exploit comes into play. Since most people ignore the middle characters, it becomes easy for the hackers to craft addresses to suit their nefarious intentions, and the ordinary user suffers in the process.
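To show why the prefix-and-suffix habit described above fails, here is a small added example (not part of the original article, and not wallet code from any real project) that models the weak check beside a full comparison, using two constructed addresses that agree on their first and last four characters but differ in the middle:

```python
import re

# Constructed sample addresses for illustration only (not real accounts).
# Both share the first four and last four hex characters after "0x".
INTENDED = "0xabcd0000000000000000000000000000000056ef"
LOOKALIKE = "0xabcddeadbeefdeadbeefdeadbeefdeadbeef56ef"

_ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate the address shape and return it in lowercase hex.

    Raises ValueError for anything that is not 0x followed by 40 hex
    digits, so truncated or padded strings are never compared by accident.
    """
    addr = addr.strip()
    if not _ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def ends_match(a: str, b: str, n: int = 4) -> bool:
    """The half-baked check: compare only the first n and last n characters."""
    a, b = normalize(a)[2:], normalize(b)[2:]
    return a[:n] == b[:n] and a[-n:] == b[-n:]


def same_address(a: str, b: str) -> bool:
    """Full comparison of all 40 hex characters (case-insensitive)."""
    return normalize(a) == normalize(b)


def check_recipient(intended: str, candidate: str) -> str:
    """Return 'ok' only on a full match; flag a look-alike explicitly."""
    if same_address(intended, candidate):
        return "ok"
    if ends_match(intended, candidate):
        return "look-alike"  # prefix and suffix agree, middle differs
    return "mismatch"


if __name__ == "__main__":
    print(ends_match(INTENDED, LOOKALIKE))  # True: the weak check passes
    print(same_address(INTENDED, LOOKALIKE))  # False: the full check fails it
    print(check_recipient(INTENDED, LOOKALIKE))  # look-alike
```

A wallet or address book that compares the full string, as `check_recipient` does, refuses the look-alike that the eyeball check accepts.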
The way the hackers operate is that they send the test transaction to the actual receiver address, while the bulk remainder of the payment is then forwarded to a smart contract that receives it, after which the hackers withdraw the funds into their own accounts.
So far, the biggest amount they have scammed from a single account is $1.6 million, which just shows how dangerous this whole affair is. Those of you who are still transacting in cryptocurrency, please ensure that you check the entire address of the receiver, not just its first and last few characters, before making any transaction.