Introduction
After a victim lost 1576 ETH and didn’t take any action, another 158 ETH was stolen.
With this case, you will learn why timely approval revocation is crucial after falling victim to phishing.
Stolen Case
Approximately 12 hours ago, a victim had $4 million worth of Aave ETH stolen due to a phishing approval.
This has led to the liquidation of their collateral by a bot. After the liquidation, their Aave ETH increased. This means that if the victim does not revoke the malicious approval in time, there is still a 10% risk of theft from the existing balance.
Upon discovering this, we shared the situation with SlowMist, Etherscan, ZachXBT, SunSec, samczsun, and h3idilao to maximize efforts to locate the victim.
We also sent on-chain messages reminding the victim to revoke the malicious approval promptly.
After learning about this situation, Etherscan added a reminder for the victim to take action to revoke the approval.
SlowMist found several Twitter accounts and ENS names potentially related to the victim.
Furthermore, since the temporary spender 0x226539793536bcee7f8992d0ff67bb37905be0a1 was generated by create2, and the increase in balance after liquidation did not result in another theft, we were not sure whether this contract had reserved logic for asset transfer.
To verify this, the SlowMist team analyzed the contract and found that the contract reserved multicall and only 0x0000db5c8b030ae20308ac975898e09741e70000 can be called, which means that the risk of theft still exists.
Subsequently, ScamSniffer attempted to execute a simulated transaction based on the construction, and it turned out that 107 ETH could still be transferred.
Unfortunately, the victim did not take any action for a long time. The drainer eventually discovered this situation and transferred the 95 ETH that could be transferred.
This operation also led to a subsequent liquidation, resulting in another 158 ETH being stolen.
All of this could have been prevented by revoking the approval promptly after the first theft.
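The point above, as an added example that is not part of the original post: under standard ERC-20 allowance semantics, an unrevoked approval exposes whatever balance later appears, and the fix is an approve(spender, 0) call sent to the token contract. The token address, balances and events are constructed placeholders, and protocol-specific transfer limits are ignored.

```python
# Added example. Token address, balances and events are constructed placeholders.
APPROVE_SELECTOR = "095ea7b3"          # 4-byte selector of approve(address,uint256)
MAX_UINT256 = 2**256 - 1               # "unlimited" approval value
WEI = 10**18
TOKEN = "0x" + "aa" * 20               # placeholder token contract, not a real address
SPENDER = "0x226539793536bcee7f8992d0ff67bb37905be0a1"  # temporary spender named on this page

def revoke_calldata(spender):
    """ABI-encode approve(spender, 0), the call that zeroes an ERC-20 allowance."""
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError("spender must be a 20-byte hex address")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + "0" * 64

def live_allowances(approval_events):
    """Replay Approval events in chain order; the last value per (token, spender) wins."""
    state = {}
    for ev in approval_events:
        state[(ev["token"], ev["spender"])] = ev["value"]
    return {pair: value for pair, value in state.items() if value > 0}

def exposure_report(approval_events, balances):
    """List what each live allowance could move right now and the call that revokes it."""
    report = []
    for (token, spender), allowance in live_allowances(approval_events).items():
        report.append({
            "token": token,
            "spender": spender,
            "at_risk_wei": min(allowance, balances.get(token, 0)),
            "revoke_to": token,                      # the revoke is sent to the token contract
            "revoke_data": revoke_calldata(spender),
        })
    return report

PHISHED = [{"token": TOKEN, "spender": SPENDER, "value": MAX_UINT256}]  # constructed event
REVOKED = PHISHED + [{"token": TOKEN, "spender": SPENDER, "value": 0}]  # same, then revoked

if __name__ == "__main__":
    for label, events, balance in [("right after the drain", PHISHED, 0),
                                   ("balance grew, approval still live", PHISHED, 100 * WEI),
                                   ("after revoking", REVOKED, 100 * WEI)]:
        rows = exposure_report(events, {TOKEN: balance})
        print(label, [r["at_risk_wei"] // WEI for r in rows])
```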
The wallet drainer associated with this has already drained nearly $100m in the past 10 months.
Finally, thanks to Etherscan, SlowMist, ZachXBT, SunSec, samczsun, and h3idilao for their participation and assistance, although our rescue failed.