At MetaMask, we work continuously to keep abreast of the latest security issues our users face and release features and resources to help users out whenever possible.
One of our latest investigations involves a scam that uses the promise of “mining” rewards to lure you into depositing tokens on the platform. At first, your balance on the platform appears to grow through these rewards. This is just a ruse: the balance these dapps display is false, and the scammers have been draining your wallet whilst deceiving you into believing that your balance was actually growing. We recently shared a Twitter thread covering token approval scams, which will give you a high-level overview; in this article, we’re going to look a bit deeper and focus on a specific variant.
Scammers robbing unsuspecting Web3 users by taking advantage of token approvals is nothing new. In fact, this is probably one of the most common ways that users are caught out. Before we discuss the specifics, let’s recap how this key mechanism works.
On the front lines: token allowances/approvals
When you connect to a dapp, two things occur:
The dapp requests permission to view your wallet. Most of the time, this is essentially harmless: although this means the dapp can see your balance, it can’t use this permission to actually do anything with the contents of your wallet.
The dapp requests approval for its smart contract to access the tokens in your wallet. This is where a lot of scams find their way in; in this case, the request is for approval to spend your USDT. In itself, this is all well and good: the dapp can only access your funds with your permission. The trouble arises when it requests access to astronomically high quantities of tokens. These numbers are often so high that there is effectively no limit on how many of those tokens the dapp’s smart contract can move out of your wallet. Many trustworthy dapps do this to maximise convenience and to save you from paying gas every time you approve access, but, unfortunately, unlimited approvals also open the door to bad actors.
The perpetrators of the “mining” scam leverage this second approval: when you log in, they count on you granting access to all of your tokens. As a user, this is a very easy mistake to make, especially if you’re relatively new to Web3.
Most people are in the habit of approving whatever requests appear in MetaMask without really interrogating what they’re asking for. Building the habit of drilling down into the specifics is time-consuming and presents something of a knowledge barrier: how many of us can honestly say we know the ins and outs of Ethereum token standards and their functions?
Additionally, newcomers to Web3 can struggle to adjust to an environment in which there are no longer regulated, centralised apps that they trust – although, naturally, the level of trust people have in web2 organisations varies significantly – to act in good faith. In this context, it pays to develop a healthy scepticism towards any platform you interact with. A flashy, well-designed UI and a dapp’s assurances of legitimacy are not sufficient grounds for trust.
To read more on token approvals, see our blog post or check out our support articles on how to manage them and how to adjust approvals by specifying a custom spend limit.
The “mining” scam: what we know
During our investigations, we’ve identified a number of domains (dapps) perpetrating the scam, and have reviewed transactions to calculate some key figures. To date, we’ve tracked just under $60 million in stolen funds from over 6,000 unique addresses, with victims having lost anything from less than a cent to – in the most serious cases – over $3.5 million. The average stolen amount is a little over $10,000. The figures and our sources are available on our Dune dashboard, built by resident security guru Harry Denley using data on the blockchain located through MetaMask Support cases.
The exact format of each site varies – for example, the login method, the tokens involved, and the pretence for having you log in in the first place can all differ. However, in general, the dapps request access to ERC-20 USDT (Tether) tokens, and generally refer to the process that generates your yields (which, of course, do not actually exist) as “mining”.
Here’s an example of how these platforms can look. Notice how it poses as a site affiliated to Uniswap to (somewhat clumsily) elicit trust:
How does the scam work?
The scam is essentially the all-too-common unlimited token approval attack vector but with extra steps:
The dapp will attract the user’s attention through the promise of a very high APY (annual percentage yield) for depositing tokens on its platform. The token is typically USDT on Ethereum Mainnet, but we’ve also encountered cases on Tron.
The platform requests the user purchase a “mining voucher” to get access to the proceeds.
The user then receives a request to approve access to their tokens in order to buy the voucher. This is the linchpin of the scam, and the method through which their wallet is subsequently drained. As soon as the dapp has that access, it calls the transferFrom function (a standard ERC-20 function), which does what it says on the tin: it pulls the approved tokens straight out of the user’s wallet into another wallet, with no further confirmation from the user.
The deception begins. Although the dapp has already stolen all the tokens it can, the user will still see their balance when they log in, reflecting their deposit. It may even be higher, reflecting the APY rewards that were spuriously promised. Spoiler: it’s false.
Users will receive requests to transfer more of the token into their wallet to keep on earning the high APY. Naturally, there’s something of a revolving door here: the tokens are removed as quickly as they are added. All the while, the balance on the platform is increased to reflect the transfer and maintain the scam.
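To make the mechanics above concrete, here is an added example (it is not MetaMask’s code, nor any real dapp’s) that models an ERC-20 ledger in memory and runs the flow from the approval step described under “token allowances/approvals” through the transferFrom drain. The addresses, the 1,000 USDT balance, the 10 USDT “voucher” and the 50% per-visit “reward” are all constructed for the illustration; the only real-world pieces are the ERC-20 approve/allowance/transferFrom semantics. The same run is repeated with the allowance capped at 100 USDT, which is the “custom spend limit” outcome in numbers.

```javascript
// Added example, not MetaMask code: a minimal in-memory model of the ERC-20
// allowance mechanics the "mining" scam relies on. The approve() call is the
// only step the wallet ever signs; after that the spender can transferFrom()
// freely, and the balance a dapp *displays* is a number the dapp controls.

const MAX_UINT256 = (1n << 256n) - 1n;

class Erc20Ledger {
  constructor() {
    this.balances = new Map();   // owner -> raw units (6 decimals for USDT)
    this.allowances = new Map(); // `${owner}:${spender}` -> raw units
  }
  mint(owner, amount) { this.balances.set(owner, this.balanceOf(owner) + amount); }
  balanceOf(owner) { return this.balances.get(owner) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(`${owner}:${spender}`) ?? 0n; }
  // Signed by `owner` in the wallet: the one and only confirmation prompt.
  approve(owner, spender, amount) { this.allowances.set(`${owner}:${spender}`, amount); }
  // Called by `spender` (the dapp's contract); the owner is not asked again.
  transferFrom(spender, from, to, amount) {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("insufficient balance");
    // Common implementation convention (e.g. OpenZeppelin's ERC20): an
    // allowance of MAX_UINT256 is treated as unlimited and never decremented.
    if (allowed !== MAX_UINT256) this.allowances.set(`${from}:${spender}`, allowed - amount);
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}

// The dapp's front end keeps its own ledger, which is all the victim sees.
class MiningDapp {
  constructor(ledger, contractAddr, drainAddr, rewardPercentPerVisit) {
    this.ledger = ledger;
    this.contract = contractAddr;      // the approved spender
    this.drainAddr = drainAddr;        // wallet the tokens are swept to
    this.rewardPercent = rewardPercentPerVisit;
    this.displayed = new Map();        // user -> fictitious "mining" balance
  }
  // "Buy a mining voucher": record the deposit on the display only.
  deposit(user, amount) {
    this.displayed.set(user, (this.displayed.get(user) ?? 0n) + amount);
  }
  // Pull everything the allowance permits out of the user's wallet.
  sweep(user) {
    const allowed = this.ledger.allowance(user, this.contract);
    const bal = this.ledger.balanceOf(user);
    const take = allowed < bal ? allowed : bal;
    if (take > 0n) this.ledger.transferFrom(this.contract, user, this.drainAddr, take);
    return take;
  }
  // What the victim sees on login: the display plus "rewards" nobody funded.
  showBalance(user) {
    const shown = this.displayed.get(user) ?? 0n;
    const grown = shown + (shown * this.rewardPercent) / 100n;
    this.displayed.set(user, grown);
    return grown;
  }
}

const USDT = 10n ** 6n; // constructed: 6-decimal token units

// Run the scam flow once with a given approval amount and report the outcome.
function simulate(approvalAmount) {
  const VICTIM = "0xvictim", CONTRACT = "0xcontract", DRAIN = "0xdrain"; // placeholders
  const ledger = new Erc20Ledger();
  ledger.mint(VICTIM, 1000n * USDT);                 // victim holds 1,000 USDT
  const dapp = new MiningDapp(ledger, CONTRACT, DRAIN, 50n);
  ledger.approve(VICTIM, CONTRACT, approvalAmount);  // the signed step
  dapp.deposit(VICTIM, 10n * USDT);                  // "buy a 10 USDT voucher"
  dapp.sweep(VICTIM);                                // transferFrom drain
  return {
    shown: dapp.showBalance(VICTIM),   // what the dapp displays
    onChain: ledger.balanceOf(VICTIM), // what the chain says
    stolen: ledger.balanceOf(DRAIN),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unlimited approval:", simulate(MAX_UINT256));
  console.log("approval capped at 100 USDT:", simulate(100n * USDT));
}
```

With the unlimited approval the displayed balance reads 15 USDT while the on-chain balance is 0 and the drain wallet holds all 1,000 USDT; with the 100 USDT cap the display is identical but the victim keeps 900 USDT. The displayed number never consulted the chain at all, which is why it can keep “growing” after the wallet is empty.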
How can I stop myself from becoming a victim?
The good news is that by reading this article, and simply becoming aware of this attack vector, you’re considerably safer than you were previously – provided you stay wary of every single dapp you connect to.
To summarise, though, here are a few key principles to keep in mind:
Always check what a dapp is actually requesting before clicking ‘approve’. In MetaMask, you can also adjust the amount that the dapp has access to. Even if you only provide access to 10% of your tokens, and the dapp turns out to be a scam, that’s still a considerably better outcome than if you’d granted unlimited access.
DYOR. The best time to get in the habit of performing due diligence on any dapp before interacting with it was six months ago; the second best time is today. Look out for misspellings, low-quality images/logos, and other giveaways.
Remember that if something seems too good to be true, it probably is. If you’re being offered 498,563% APY, you’re probably on thin ice.
Additionally, you might consider holding smaller sums in your software wallet (one that’s connected to the internet, such as MetaMask) whilst keeping the bulk of your tokens in a hardware wallet. For example, some recommend the rule of thumb that you should only keep a value in your software wallet that you’d be happy to carry around in your physical wallet.
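As a worked version of the first principle above (check what a dapp is actually requesting before clicking ‘approve’), here is an added example in plain JavaScript; it is not MetaMask code and uses no MetaMask or library API. It decodes the data field of an ERC-20 approve transaction the way a wallet would, and flags allowances that are effectively unlimited or larger than the wallet’s balance. The spender address and the two sample requests are constructed placeholders; the 4-byte function selectors and the 32-byte ABI word layout are the standard ERC-20 encoding.

```javascript
// Added example, not MetaMask code: decode the `data` field of an
// eth_sendTransaction request and classify ERC-20 approvals before signing.
// Pure JavaScript, no dependencies, runs offline.

// 4-byte function selectors from the ERC-20 ABI (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0x23b872dd": "transferFrom(address,address,uint256)",
  "0xa9059cbb": "transfer(address,uint256)",
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Strip the 0x prefix, lower-case, and reject anything that is not hex.
function normalizeHex(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  if (!/^[0-9a-fA-F]*$/.test(hex)) throw new Error("calldata is not hex");
  return hex.toLowerCase();
}

// Every ABI argument occupies one 32-byte word (64 hex chars) after the selector.
function word(hex, index) {
  const start = 8 + index * 64; // 8 hex chars = 4-byte selector
  const w = hex.slice(start, start + 64);
  if (w.length !== 64) throw new Error(`calldata too short for argument ${index}`);
  return w;
}

function decodeAddress(w) {
  // Addresses are right-aligned; the upper 12 bytes must be zero.
  if (!/^0{24}/.test(w)) throw new Error("malformed address word");
  return "0x" + w.slice(24);
}

function decodeUint(w) {
  return BigInt("0x" + w);
}

// Decode one transaction's calldata into its ERC-20 call, if it is one.
function decodeErc20Call(data) {
  const hex = normalizeHex(data);
  const selector = "0x" + hex.slice(0, 8);
  const fn = SELECTORS[selector];
  if (!fn) return { fn: null, selector };
  if (fn.startsWith("approve")) {
    return { fn: "approve", spender: decodeAddress(word(hex, 0)), amount: decodeUint(word(hex, 1)) };
  }
  if (fn.startsWith("transferFrom")) {
    return { fn: "transferFrom", from: decodeAddress(word(hex, 0)), to: decodeAddress(word(hex, 1)), amount: decodeUint(word(hex, 2)) };
  }
  return { fn: "transfer", to: decodeAddress(word(hex, 0)), amount: decodeUint(word(hex, 1)) };
}

// Render raw token units as a decimal string (USDT has 6 decimals).
function format(raw, decimals) {
  const s = raw.toString().padStart(decimals + 1, "0");
  return s.slice(0, -decimals) + "." + s.slice(-decimals);
}

// Classify an approval request against the wallet's own balance.
function assessApproval(data, { balance, decimals }) {
  const call = decodeErc20Call(data);
  if (call.fn !== "approve") {
    return { risk: "none", reason: `not an approve call (${call.fn ?? call.selector})` };
  }
  const { spender, amount } = call;
  // MAX_UINT256 is the usual "unlimited" value; anything near it is the same in practice.
  if (amount === MAX_UINT256 || amount >= (1n << 255n)) {
    return { risk: "unlimited", spender, reason: "allowance is effectively unlimited" };
  }
  if (amount > balance) {
    return { risk: "exceeds-balance", spender,
      reason: `allowance ${format(amount, decimals)} exceeds balance ${format(balance, decimals)}` };
  }
  return { risk: "bounded", spender, reason: `allowance capped at ${format(amount, decimals)}` };
}

// Constructed samples: the spender is a placeholder address, not a real contract.
const SPENDER = "0x" + "ab".repeat(20);
const UNLIMITED_APPROVE =
  "0x095ea7b3" + SPENDER.slice(2).padStart(64, "0") + "f".repeat(64);
const CAPPED_APPROVE =
  "0x095ea7b3" + SPENDER.slice(2).padStart(64, "0") + (100n * 10n ** 6n).toString(16).padStart(64, "0");

if (typeof require !== "undefined" && require.main === module) {
  const wallet = { balance: 1000n * 10n ** 6n, decimals: 6 }; // constructed: 1,000 USDT
  console.log(assessApproval(UNLIMITED_APPROVE, wallet));
  console.log(assessApproval(CAPPED_APPROVE, wallet));
}
```

The first sample is the kind of request the “mining” sites send (the amount word is all 0xff, i.e. the maximum uint256) and is reported as unlimited; the second is the same spender with a 100 USDT cap and is reported as bounded. Setting a custom spend limit in MetaMask turns the first request into the second.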