background
In the previous issue of Web3 Security Beginner's Guide to Avoiding Pitfalls, we mainly explained the relevant knowledge of multi-signature phishing, including the multi-signature mechanism, the causes of multi-signature, and how to avoid malicious multi-signatures in wallets. In this issue, we will explain a marketing method that is considered effective in both traditional industries and the encryption field - airdrops.
Airdrops can bring projects from obscurity to the public eye in a short period of time, quickly accumulate a user base, and enhance market influence. When users participate in Web3 projects, they need to click on relevant links and interact with the project parties to obtain airdrop tokens. However, from high-copy websites to tools with backdoors, hackers have already set traps upstream and downstream of the user's airdrop process. Therefore, in this issue, we will analyze some typical airdrop scams to explain the related risks and help everyone avoid pitfalls.
What is an Airdrop
In order to increase the popularity of the project and accumulate initial users, Web3 project owners often distribute tokens to specific wallet addresses for free. This behavior is called "airdrop". For project owners, this is the most direct way to acquire users. Based on the method of obtaining airdrops, airdrops can usually be divided into the following categories:
Task-based: Complete tasks assigned by the project party, such as forwarding, liking, etc.
Interactive: complete operations such as token exchange, token sending/receiving, and cross-chain operations.
Holding type: Hold the tokens designated by the project party to obtain airdrop tokens.
Staking: Get airdropped tokens by staking single or dual currencies, providing liquidity, or locking up for a long time.
Risks of receiving an airdrop
Fake Airdrop Scam
These scams can be broken down into the following categories:
1. Hackers steal the official account of the project party and publish fake airdrop news. We often see security reminders on information platforms that "X account or Discord account of a certain project has been hacked, please do not click on the phishing links released by hackers." According to the data of SlowMist's blockchain security and anti-money laundering report in the first half of 2024, there were 27 hacking incidents of project party accounts in the first half of 2024 alone. Users click on these links based on their trust in the official account, and are then directed to phishing websites disguised as airdrops. Once the private key/mnemonic phrase is entered on the phishing website or the relevant permissions are authorized, hackers can steal the user's assets.
2. Hackers use highly imitated project accounts to post messages in the comment section of the project's official real account, post messages about receiving airdrops, and induce users to click on phishing links. The SlowMist security team has previously analyzed this type of tactics and put forward countermeasures, see True and false project parties | Beware of highly imitated phishing accounts in the comment section; in addition, after the real project party releases the airdrop message, hackers will follow closely and use highly imitated accounts to post a large number of dynamics containing phishing links on social platforms. Many users install fake apps or open phishing websites to sign and authorize because they do not carefully identify them.
3. The third scam is even more abominable. They are scammers who lurk in the groups of Web3 projects and select target users for social engineering attacks. Sometimes they use airdrops as bait to "teach" users to transfer tokens as required to obtain airdrops. Please be vigilant and do not easily believe the "official customer service" who actively contacts you or "teaches" you how to operate. These people are most likely scammers. You just want to get an airdrop, but end up suffering heavy losses.
“Free” airdrop tokens
As mentioned at the beginning, users often need to complete certain tasks to obtain airdrops. Next, let's look at the situation of "giving away" tokens to users for free. Hackers will airdrop tokens with no actual value to the user's wallet. When users see these tokens, they may try to interact with them, such as transferring, viewing, or trading on decentralized exchanges. However, when we reverse-analyzed a Scam NFT smart contract, we found that when trying to place an order or transfer this Scam NFT, it would fail, and then an error message "Visit website to unlock your item" would appear, inducing users to visit the phishing website.
If a user visits a phishing website guided by Scam NFT, the hacker may do the following:
Bulk "zero-dollar purchases" of valuable NFTs, see "zero-dollar purchases" NFT phishing analysis
Take away the Approve authorization or Permit signature of the high-value Token
Take away the native assets
Next, let’s take a look at how hackers steal users’ Gas fees through a carefully designed malicious contract.
First, the hacker created a malicious contract called GPT (0x513C285CD76884acC377a63DC63A4e83D7D21fb5) on BSC, attracting users to interact by airdropping tokens.
When the user interacts with the malicious contract, a request to approve the contract to use the tokens in the wallet appears. If the user approves this request, the malicious contract will automatically increase the gas limit based on the balance in the user's wallet, causing subsequent transactions to consume more gas fees.
Using the high gas limit provided by the user, the malicious contract uses the excess gas to mint CHI tokens (CHI tokens can be used for gas compensation). After the malicious contract accumulates a large number of CHI tokens, the hacker can burn CHI tokens and obtain gas compensation returned when the contract is destroyed.
In this way, hackers cleverly use users’ gas fees to profit for themselves, and users may not realize that they have paid additional gas fees. Users thought they could make a profit by selling airdropped tokens, but ended up having their native assets stolen.
Tools with backdoors
During the airdrop process, some users need to download plugins such as translation or token rarity query. The security of these plugins is questionable, and some users do not download the plugins from official channels, which greatly increases the possibility of downloading plugins with backdoors.
In addition, we also noticed that there are services selling airdrop scripts online, claiming that they can complete automatic batch interactions by running scripts, which sounds very efficient, but please note that downloading unreviewed and unverified scripts is extremely risky because you cannot determine the source of the script and its true function. The script may contain malicious code, and potential threats include stealing private keys/mnemonics or performing other unauthorized operations. Moreover, some users did not install or turned off antivirus software when performing related risky operations, resulting in failure to promptly discover that the device was infected with a Trojan, which led to damage.
Summarize
In this guide, we mainly explain the risks of airdropping by analyzing scams. Now many projects use airdrops as a marketing tool. Users can reduce the possibility of asset loss during airdrops by taking the following measures:
Multi-party verification: When visiting the airdrop website, please check the URL carefully. You can confirm it through the project's official account or announcement channel. You can also install a phishing risk blocking plug-in (such as Scam Sniffer) to help identify phishing websites.
Wallets are classified into different levels. Small amounts of funds are stored in wallets used to receive airdrops, while large amounts of funds are placed in cold wallets.
Be cautious about airdrop tokens received from unknown sources and do not perform authorization/signature operations lightly.
Be careful to check if the gas limit of the transaction is abnormally high.
Use well-known antivirus software, such as Kaspersky, AVG, etc., keep real-time protection turned on, and update the latest virus database at any time.
