Unidentified contracts sending zero balance (USDT / USDC) from my wallet

 

Update: As of mid-December 2022, Etherscan has begun to identify transactions that are classified as "spam." In the screenshot provided below, you can observe that the spam transaction is displayed in a greyed-out format and includes a warning to alert users.

 

 

What has been happening?

Since Monday, November 28, 2022, at approximately 9 AM, we have noticed that several customer accounts have been impacted by what appears to be a malicious attack. This situation presents itself when a customer unexpectedly receives either a Webhook or an iOS push notification regarding an outbound USDC or USDT transaction that they did NOT initiate.

 

How am I affected?

First and foremost, it is important to reassure you that your funds are secure. The notifications you are receiving are simply the result of an individual, whom we will refer to as a "spammer," attempting to "pull" zero tokens from your wallet address to another address. The nature of on-chain contracts for USDT and USDC, which are beyond our control, allows such transactions to occur. If the spammer were to attempt to "pull" a non-zero amount of tokens, the transaction would correctly fail, ensuring that your funds remain untouched.

 

Am I paying for the gas?

No, you are not responsible for the gas fees associated with these transactions. Since the spammer is the one initiating the transaction, they are the ones who will incur the gas costs.

 

What is the spammer trying to do?

Our best hypothesis regarding the spammer's intentions is that they aim to create confusion among users by sending spam transactions shortly after valid transactions involving similar addresses. This tactic is likely designed to trick users into mistakenly sending funds to them in the future. We have observed that some of the spammer addresses closely resemble valid addresses, often sharing two or three matching digits at the beginning and four or five matching digits at the end of the address.

 

This similarity poses a risk, particularly if individuals are only checking the first few and last few digits of the addresses. A careless glance could easily lead to an error.

 

For example, consider the following sample transactions:

 

This is a legitimate transaction involving a transfer of 10,000 USDC to the address: 0xc0485e5d3fab6ca12ec55594cb8c0f1f9adaae0b.

 

In contrast, this is a spam transaction attempting to pull 0 USDC to the address: 0x46443c0bb379a20767168c02954eaadc1adaae0b.

 

In this particular instance, while the spam address does not share any initial characters with the "real" address, the last seven characters are identical. This resemblance could easily mislead someone into believing that the transaction is legitimate.

 

Both transactions originate from the address: 0x6be602bad7d5f7033b7d4a6040e5d67e458c4b4a. However, only the first transaction has successfully transferred tokens (10,000 USDC), while the second transaction, despite its similar appearance, has transferred 0 tokens.
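The comparison described above can be automated. The following is an added example, not code from Bitpanda Custody: it checks a destination against a trusted address book using the full address and reports look-alikes. The function names and the four-character thresholds are assumptions made for this sketch.

```python
# Added example: compare a destination address against a trusted address book.
REAL = "0xc0485e5d3fab6ca12ec55594cb8c0f1f9adaae0b"   # from the article
SPAM = "0x46443c0bb379a20767168c02954eaadc1adaae0b"   # from the article

def hex_body(addr):
    """Lower-cased 40-character hex body of an address, without '0x'."""
    body = addr.lower()
    if body.startswith("0x"):
        body = body[2:]
    if len(body) != 40 or any(c not in "0123456789abcdef" for c in body):
        raise ValueError("not a 20-byte hex address: %r" % addr)
    return body

def shared_ends(a, b):
    """Count matching leading and trailing hex characters of two addresses."""
    x, y = hex_body(a), hex_body(b)
    prefix = next((i for i in range(40) if x[i] != y[i]), 40)
    suffix = next((i for i in range(40) if x[-1 - i] != y[-1 - i]), 40)
    return prefix, suffix

def check_destination(dest, trusted, min_prefix=4, min_suffix=4):
    """Return 'trusted', 'lookalike of <addr>' or 'unknown'.

    Only a full-length match counts as trusted. The thresholds are assumed
    values for this sketch, chosen to cover the overlaps the article reports.
    """
    body = hex_body(dest)
    if body in {hex_body(t) for t in trusted}:
        return "trusted"
    for t in trusted:
        prefix, suffix = shared_ends(dest, t)
        if prefix >= min_prefix or suffix >= min_suffix:
            return "lookalike of " + t
    return "unknown"

def review(transfers, trusted):
    """Tag each (to_address, value) row; zero-value rows are noted as well."""
    out = []
    for to_addr, value in transfers:
        verdict = check_destination(to_addr, trusted)
        if value == 0:
            verdict += " (zero value)"
        out.append(verdict)
    return out

# Constructed rows modelled on the two transactions described in the article.
ROWS = [(REAL, 10_000), (SPAM, 0)]
```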

 

Why am I getting a notification?

The reason you are receiving notifications is that when the spammer attempts to "pull" funds from your wallet, it constitutes a valid on-chain transaction. They utilize the ERC-20 method known as transferFrom or a batch version of it. Typically, the transferFrom method is used in conjunction with the approve function, which allows another address to "pull" ERC-20 tokens on your behalf. However, in this case, the spammer is attempting to "pull" a zero amount, which the contract allows without your having granted them permission: a zero-token transfer never exceeds the approved amount, even when nothing has been approved, and it does not affect your balance.

 

Once the spam transaction is initiated, it includes your address as the sending address, which is why our indexing system detects it and sends you a notification indicating that you are technically sending funds. It is crucial to note that the value of these funds is zero. This situation can understandably create confusion, but we strive to maintain transparency regarding on-chain activity. Limiting notifications based solely on the zero value could lead to other unintended negative consequences.
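To make the mechanics concrete, here is an added example (not the USDT or USDC contract source, and not our indexer's code): a simplified model of typical ERC-20 allowance logic, plus an indexer-side tag that keeps the event visible while marking it. The class, field and label names are assumptions, and the model treats the caller as the transaction sender.

```python
# Added example: simplified model of ERC-20 allowance logic (not the USDT/USDC source).
from collections import defaultdict

class Revert(Exception):
    """Raised where an on-chain call would revert."""

class Token:
    def __init__(self, balances):
        self.balances = defaultdict(int, balances)
        self.allowance = defaultdict(int)   # (owner, spender) -> approved amount
        self.events = []                    # transfer log an indexer would read

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, src, dst, amount):
        # Both checks compare against `amount`, so amount == 0 always passes.
        if self.allowance[(src, caller)] < amount:
            raise Revert("insufficient allowance")
        if self.balances[src] < amount:
            raise Revert("insufficient balance")
        self.allowance[(src, caller)] -= amount
        self.balances[src] -= amount
        self.balances[dst] += amount
        # "tx_sender" comes from transaction metadata, not from the Transfer event.
        self.events.append(
            {"tx_sender": caller, "from": src, "to": dst, "value": amount})

def label(event):
    """Tag third-party zero-value pulls instead of hiding them."""
    if event["value"] == 0 and event["tx_sender"] != event["from"]:
        return "zero-value pull by third party"
    return "transfer"

def demo():
    owner, spammer, lookalike = "owner", "spammer", "lookalike"  # constructed names
    token = Token({owner: 10_000})
    token.transfer_from(spammer, owner, lookalike, 0)      # no approval needed
    try:
        token.transfer_from(spammer, owner, lookalike, 1)  # needs approval
        nonzero = "succeeded"
    except Revert as exc:
        nonzero = "reverted: %s" % exc
    return token.balances[owner], nonzero, [label(e) for e in token.events]
```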

 

What should I do to protect myself?

  • Exercise caution when utilizing any transaction list as a reference for addresses, as these spam transactions will appear in such lists.
  • Be vigilant when copying and pasting addresses from untrusted sources to avoid potential errors.
  • When verifying addresses, ensure you check the entire address rather than just the first few and last few digits.
  • Implement additional precautions when signing transactions. If you have a multisig wallet policy, make sure that each user conducts thorough checks on the address.
  • If you have any concerns about transactions from your wallet or would like to explore further options, please reach out to us via email at help@bitpandacustody.com.