Recently, an emerging scam on the Tron blockchain has come to our attention, following numerous reports from our customers. Over $3 million has already been lost, though the true extent of the losses is still unknown. The lack of awareness and communication surrounding this issue has prompted us to conduct a thorough analysis to understand its mechanics and impact.

Our investigation revealed a vulnerability in the Fireblocks platform that exposes it to this type of scam. We hope Fireblocks to take immediate action to address this issue based on our findings.

Nonetheless, whether you are an exchange or a wallet solution provider, we hope the prevention methods outlined in this post will help you better protect your digital assets in the future.

Overview

The scam begins with the perpetrator initiating a fraudulent TRX transfer to a centralized exchange account’s deposit address. Since nothing unusual is detected by the wallet infrastructure supporting the exchange, the transaction is recorded in the wallet platform.

Consequently, a transaction notification is sent to the exchange platform, and the perpetrator’s account balance is updated accordingly. As soon as the balance is reflected in their account, the perpetrator swiftly sells the TRX and converts it into cash.

This rapid conversion process allows the perpetrator to capitalize on the fraudulent transaction before any discrepancies are detected, effectively bypassing the exchange's security measures and making off with the stolen funds.

Breaking Down the Scam

Let’s dive deeper into how it works exactly, on the technical side, based on a live example.

The scam begins with the perpetrator using three addresses, including two smart contracts, to execute the fraud. The details of the addresses involved are as follows:

Perpetrator’s address - TTykh5xx1MkENDm698PrYm5fEY74Mou2di

Smart contract A - TNjKZbddpMZ6sHV8MJQ9u4bt943a7Z9R4T

Smart contract B - TVWbr2QKpEFHjLcczGNcAhhu5QgioFUKmB

Victim’s address - TVWbr2QKpEFHjLcczGNcAhhu5QgioFUKmB

The perpetrator mass-triggers smart contract A to make multiple transfers via proxy smart contract B to various addresses, including the victim's address. Smart contract A is programmed to interact with smart contract B to initiate these transfers as internal transactions. This sophisticated programming technique is crucial in making the fraudulent transactions appear legitimate.

On a blockchain explorer, the transaction seems normal, as shown in the screenshot below.

But if we dive deeper into the internal transaction of smart contract B, you will find that the transfer to TVWbr2QKpEFHjLcczGNcAhhu5QgioFUKmB failed.

By using these two smart contracts, the perpetrator effectively conceals the failed internal transaction, making all transfers appear legitimate on the surface. This method allows them to exploit the system without raising immediate suspicions.

Who was Affected by the Scam?

To the best of our knowledge, we have only noticed a single successful instance of this scam. However, further analysis of the dubious smart contracts in question revealed that the perpetrators initiated hundreds of these fake transactions, potentially defrauding exchanges of more than $3 million USD worth of TRX.

A point of concern to note: the vulnerability exploited by this scam, while not entirely new, remains unaddressed in the platform of most wallet solution providers, including major players like Fireblocks.

We hope that this incident will serve as a clarion call for both wallet providers and companies who build their own wallet platforms to close this loophole before it is too late.

Avoiding the Scam

To avoid being scammed, it's crucial for wallet services to thoroughly capture and verify blockchain transactions. This process typically involves using self-hosted nodes and undergoing ‘block scanning’ to identify transactions relevant to the wallet-generated addresses. Ensuring data integrity is key, which includes verifying details such as the receiving address, contract address, and the number of confirmation blocks. Once verified, the wallet service should send a callback notification to the user’s platform, allowing end users, like those on exchanges, to see their updated account balance.

Below is a sample data string showing how a successful transaction looks like.

{
  "id": "425696d083b9e5c3e91e82baa2756ef5d8109f05cb7d79a81c167e6fbb28ba4d",
  "fee": 4025540,
  "blockNumber": 62950602,
  "blockTimeStamp": 1719496470000,
  "contractResult": [""],
  "contract_address": "TNjKZbddpMZ6sHV8MJQ9u4bt943a7Z9R4T",
  "receipt": {
    "energy_fee": 3711540,
    "energy_usage_total": 8837,
    "net_fee": 314000,
    "result": "SUCCESS"
  },

  "internal_transactions": [
    {
      "hash": "295d977e732f676b8d3f47f178d68fb2c0b99559ef8d78e218b569338ef96a92",
      "caller_address": "TNjKZbddpMZ6sHV8MJQ9u4bt943a7Z9R4T",
      "transferTo_address": "TWPQ2Bew5nFP1TPtyH6gjJBP8ETAjDKtGM",
      "callValueInfo": [{}],
      "note": "63616c6c"
    },
    {
      "hash": "572a5693abade15949d13d682c089ed7adab38290273c8173b02e843addbbede",
      "caller_address": "TWPQ2Bew5nFP1TPtyH6gjJBP8ETAjDKtGM",
      "transferTo_address": "TTykh5xx1MkENDm698PrYm5fEY74Mou2di",
      "callValueInfo": [
        {
          "callValue": 143000000010
        }
      ],
      "note": "63616c6c"
    }
  ]
}

Compare it to the fraudulent transaction data of 143,000 TRX to address TVWbr2QKpEFHjLcczGNcAhhu5QgioFUKmB:

{
  "id": "4aadc66568c51683e5c319ab6bfa5a4ba01a1185d1e6de04e060e32b6b53c550",
  "fee": 16850960,
  "blockNumber": 62889998,
  "blockTimeStamp": 1719314604000,
  "contractResult": [""],
  "contract_address": "TNjKZbddpMZ6sHV8MJQ9u4bt943a7Z9R4T",
  "receipt": {
    "energy_fee": 16374960,
    "energy_usage_total": 38988,
    "net_fee": 476000,
    "result": "SUCCESS"
  },
  "log": [
    {
      "address": "TNjKZbddpMZ6sHV8MJQ9u4bt943a7Z9R4T",
      "topics": [
        "ddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef",
        "000000000000000000000000dff5b281e97664d17b0f6ddea65da74677013d65",
        "000000000000000000000000d65a5aa79368637f7c5ab13a8bb83ac5047d4818"
      ],
      "data": "000000000000000000000000000000000000000000000000000000214b76d600"
    }
  ],
  "internal_transactions": [
    {
      "hash": "bfa1729abd67034c4634bb7bb9d21e4b0a3865f2f7e5fbd6e71445cde8276eda",
      "caller_address": "TNjKZbddpMZ6sHV8MJQ9u4bt943a7Z9R4T",
      "transferTo_address": "TWPQ2Bew5nFP1TPtyH6gjJBP8ETAjDKtGM",
      "callValueInfo": [{}],
      "note": "63616c6c",
      "rejected": true
    },
    {
      "hash": "c1488d45978d81bcdadae088581f2bfeb85add3ccafa352a34bac531211da20e",
      "caller_address": "TWPQ2Bew5nFP1TPtyH6gjJBP8ETAjDKtGM",
      "transferTo_address": "TVWbr2QKpEFHjLcczGNcAhhu5QgioFUKmB",
      "callValueInfo": [
        {
          "callValue": 143000000000
        }
      ],
      "note": "63616c6c",
      "rejected": true
    }
  ]
}

You’ll notice an extra - "rejected": true - parameter deep within the data: the only difference between a legit transaction and a fraudulent one.

Therefore, wallet services should not only parse the main transaction data but also delve deeply into internal transactions, especially those involving smart contracts. By meticulously analyzing these internal details, wallet providers can better detect and prevent fraudulent activities, thereby enhancing the overall security of the platform.

Final thoughts

It's important to recognize that there are numerous ways for perpetrators to steal funds beyond simply accessing private keys. They continuously devise innovative and unexpected methods, such as the recent WazirX and Lmnl case, which involved over $230 million. This raises the question of whether wallet providers are overly focused on encryption technologies and algorithms, potentially at the expense of more practical security measures.

It’s also crucial for industry players to keep each other informed about emerging threats. Despite the seriousness of this fraud tactic, we found no announcements or news addressing it. Nonetheless, we trust that the solution provider has informed all their existing clients about this vulnerability to prevent further incidents. Transparency and proactive communication are essential in safeguarding the integrity of the digital asset ecosystem.

At CoinsDo, we are committed to elevating security standards, not just for our products, but for the entire digital asset industry. By fostering a culture of openness and vigilance, we can collectively enhance the security and trustworthiness of our ecosystem.