Background

In the previous issue of Web3 Security Guide, we mainly explained the relevant knowledge of multi-signature phishing, including the multi-signature mechanism, the causes of multi-signature, and how to avoid malicious multi-signatures in wallets. In this issue, we will explain a kind of marketing method that is regarded as effective in both traditional industries and encryption fields - airdrops.

Airdrops can push projects from obscurity to the public in a short period of time, quickly accumulate user bases, and enhance market influence. When users participate in Web3 projects, they need to click on relevant links and interact with project parties to obtain airdrop tokens. However, from high-imitation websites to tools with backdoors, hackers have already set traps upstream and downstream of users' airdrop process. Therefore, in this issue, we will explain the relevant risks by analyzing some typical airdrop scams to help everyone avoid pitfalls.

What is an airdrop?

In order to increase the popularity of the project and accumulate initial users, Web3 project owners often distribute tokens to specific wallet addresses for free. This behavior is called "airdrop". For project owners, this is the most direct way to obtain users. According to the method of obtaining airdrops, airdrops can usually be divided into the following categories:

• Task-based: Complete tasks specified by the project owner, such as forwarding, liking, etc.

• Interactive: Complete operations such as exchanging tokens, sending/receiving tokens, and cross-chain.

• Holding: Hold the tokens specified by the project owner to obtain airdrop tokens.

• Pledge type: Get airdrop tokens by staking single or dual currencies, providing liquidity or long-term lock-up.

Risks when claiming airdrops

Fake airdrop scams

This type of scam can be further divided into the following categories:

1. Hackers steal the official account of the project party to publish fake airdrop news. We often see security reminders on information platforms that "X account or Discord account of a certain project has been hacked, please do not click on the phishing link released by hackers." According to the data of SlowMist's blockchain security and anti-money laundering report in the first half of 2024, there were 27 hacking incidents of project party accounts in the first half of 2024 alone. Users click on these links based on their trust in the official account, and are then directed to phishing websites disguised as airdrops. Once the private key/mnemonic phrase is entered or the relevant permissions are authorized on the phishing website, hackers can steal the user's assets.

2. Hackers use highly imitated project party accounts to post messages in the comment area of ​​the project party's official real account, publish messages to receive airdrops, and induce users to click on phishing links. Previously, the SlowMist Security Team analyzed this type of method and put forward countermeasures. See True and False Project Party | Beware of High Imitation Account Phishing in the Comment Area; In addition, after the real project party releases the airdrop message, hackers will follow closely and use high imitation accounts on social platforms to post a large number of dynamics containing phishing links. Many users installed fake APPs or opened phishing websites to sign and authorize operations because they did not carefully identify them.

(https://x.com/im23pds/status/1765577919819362702)

3. The third scam is even more abominable. They are scammers. They lurk in the groups of Web3 projects and select target users for social engineering attacks. Sometimes they use airdrops as bait to "teach" users to transfer tokens as required to obtain airdrops. Please be vigilant and do not easily believe the "official customer service" who actively contacts you or the netizens who "teach" you how to operate. These people are most likely scammers. You just want to get an airdrop, but you end up suffering heavy losses.

“Free” airdrop tokens

As mentioned at the beginning, users often need to complete certain tasks to obtain airdrops. Let’s take a look at the situation of “free” user tokens. Hackers will airdrop tokens with no actual value to users’ wallets. When users see these tokens, they may try to interact with them, such as transferring, viewing, or trading on decentralized exchanges. However, when we reverse-analyzed a Scam NFT’s smart contract, we found that when we tried to place an order or transfer this Scam NFT, it would fail, and then an error message “Visit website to unlock your item” would appear, inducing users to visit the phishing website.

If the user visits the phishing website guided by Scam NFT, the hacker may perform the following operations:

• Bulk "zero-yuan purchase" of valuable NFTs, see "zero-yuan purchase" NFT phishing analysis

• Take away the Approve authorization or Permit signature of high-value Tokens

• Take away native assets

Next, let's take a look at how hackers steal users' Gas fees through a carefully designed malicious contract.

First, the hacker created a malicious contract called GPT (0x513C285CD76884acC377a63DC63A4e83D7D21fb5) on BSC, and attracted users to interact by airdropping tokens.

When the user interacted with the malicious contract, a request to approve the contract to use the tokens in the wallet appeared. If the user approved this request, the malicious contract would automatically increase the Gas limit based on the balance in the user's wallet, which would cause subsequent transactions to consume more Gas fees.

Using the high Gas limit provided by the user, the malicious contract used the excess Gas to mint CHI tokens (CHI tokens can be used for Gas compensation). After the malicious contract has accumulated a large amount of CHI tokens, the hacker can burn CHI tokens to obtain Gas compensation returned when the contract is destroyed.

(https://x.com/SlowMist_Team/status/1640614440294035456)

In this way, hackers cleverly use users' Gas fees to profit for themselves, and users may not realize that they have paid additional Gas fees. Users thought they could make a profit by selling airdropped tokens, but their native assets were stolen.

Tools with backdoors

 (https://x.com/evilcos/status/1593525621992599552)

During the airdrop process, some users need to download plug-ins such as translation or query token rarity. The security of these plug-ins is questionable, and some users do not download them from official channels, which greatly increases the possibility of downloading plug-ins with backdoors.

In addition, we also noticed that there are services selling airdrop scripts online, claiming that they can complete automatic batch interactions by running scripts, which sounds very efficient, but please note that downloading unreviewed and unverified scripts is extremely risky because you cannot determine the source of the script and its true function. The script may contain malicious code, and potential threats include stealing private keys/mnemonics or performing other unauthorized operations. Moreover, some users did not install or turned off antivirus software when performing related risky operations, resulting in failure to promptly discover that the device was infected with a Trojan horse, which led to damage.

Summary

In this guide, we mainly explain the risks of airdrops by analyzing scams. Now many projects use airdrops as a marketing tool. Users can reduce the possibility of asset damage during airdrops by taking the following measures:

• Multi-party verification. When visiting the airdrop website, please check the URL carefully. You can confirm it through the project's official account or announcement channel. You can also install phishing risk blocking plug-ins (such as Scam Sniffer) to help identify phishing websites.

• Wallet classification. The wallet used to receive airdrops stores small amounts of funds, and large amounts of funds are placed in cold wallets.

• Be vigilant about airdrop tokens received from unknown sources, and do not perform authorization/signature operations lightly.

• Pay attention to check whether the gas limit of the transaction is abnormally high.

• Use well-known antivirus software, such as Kaspersky, AVG, etc., keep real-time protection turned on, and keep the latest virus database updated.