22 Dec 2022
Beware of the "SecurityUpdates" Bitcoin Scam
There has been a recent influx of scams in the Bitcoin community, with bad actors using various tactics to trick people into giving away their funds.
A scam that has gained attention lately is the "SecurityUpdates" contract, which lures victims to a fake mint site and empties their full account balance by calling an empty but payable function. This article will delve into the details of this scam and what to look out for.
How the Scam Works
The "SecurityUpdates" contract was deployed ten days ago by the user 0x5b. While the contract is verified, it is written in Solidity 0.4.26, an outdated version of the language. The contract contains four functions: getBalance(), getOwner(), SecurityUpdate(), and withdraw().
The getBalance() and getOwner() functions are unnecessary, as the owner is set in the constructor and never changed. The contract's primary purpose lies in the SecurityUpdate() function, which is payable and accepts Ether. This function is meant to trick people into thinking they are performing a security update for their wallet, possibly through a convincing front end and the registered name of the function in the MetaMask browser extension.
However, the contract is not being called from a front end with a convincing narrative. Instead, it is being called from a fake Cool Cats minting site. Alternatively, the scammers could have used the Monkey Drainer attack (which involves a higher payoff but more effort) or a simple transfer (which involves the same payoff but less effort).
The most amusing aspect of this scam is that the scammers have been confused about how to get funds into the contract to test withdrawals. They tried and failed four times to transfer funds to the contract directly before realizing they needed to call the SecurityUpdate() function.
Technical Details
One of the questionable decisions made by the deployer of the "SecurityUpdates" contract was using Solidity 0.4.26. This version is outdated, as the latest version is 0.8.18. Upgrading the contract would break the withdraw() function, but changing the "msg.sender" to "payable(msg.sender)" would fix the issue.
Another issue with the contract is that the SecurityUpdate() function contains no logic, which makes it a simple tool for scams. Because the function is payable, it accepts whatever Ether is sent with the call. The scammers' goal is to manipulate people into thinking they are performing a security update for their wallet, possibly through a convincing front end and the registered name of the function in MetaMask.
The "SecurityUpdates" contract scam is a clear example of the dangers of trusting untrustworthy sources in the Bitcoin community. It is essential to be vigilant and do your research before interacting with any contracts or websites. Make sure to verify the source's reputation and the contract's technical details before proceeding. Following these precautions can protect you from falling victim to similar scams.
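One way to check a contract's technical details before signing, shown as an added example that is not part of the original article or the contract's code: it reads a verified contract's ABI and flags a pending call that sends most of the balance to a payable function with no arguments and no return value. The ABI is constructed from the four function names the article gives (their inputs and outputs are assumptions), and review_call, is_payable and the drain_ratio threshold are hypothetical names.

```python
import json

# Constructed ABI, modelled on the four functions the article names. The real
# contract's ABI is not reproduced on this page; inputs/outputs are assumptions.
SAMPLE_ABI = json.loads("""[
  {"type": "constructor", "inputs": [], "payable": false},
  {"type": "function", "name": "getBalance", "inputs": [],
   "outputs": [{"name": "", "type": "uint256"}], "constant": true, "payable": false},
  {"type": "function", "name": "getOwner", "inputs": [],
   "outputs": [{"name": "", "type": "address"}], "constant": true, "payable": false},
  {"type": "function", "name": "SecurityUpdate", "inputs": [], "outputs": [],
   "constant": false, "payable": true},
  {"type": "function", "name": "withdraw", "inputs": [], "outputs": [],
   "constant": false, "payable": false}
]""")


def is_payable(entry):
    """Handle both ABI styles: 0.4.x emits "payable", newer compilers "stateMutability"."""
    return entry.get("stateMutability") == "payable" or entry.get("payable") is True


def review_call(abi, function_name, value_wei, balance_wei, drain_ratio=0.9):
    """Return a list of warnings for a pending call that a user is asked to sign."""
    matches = [e for e in abi
               if e.get("type") == "function" and e.get("name") == function_name]
    if not matches:
        return ["function not in verified ABI"]
    entry, warnings = matches[0], []
    if value_wei > 0 and not is_payable(entry):
        return ["value sent to non-payable function (call would revert)"]
    # An "empty" payable entry point: takes nothing, returns nothing, only receives Ether.
    if value_wei > 0 and not entry.get("inputs") and not entry.get("outputs"):
        warnings.append("payable call with no arguments and no return value")
    # The article's scam sends (nearly) the full account balance as the call value.
    if balance_wei > 0 and value_wei >= drain_ratio * balance_wei:
        warnings.append("call sends %d%% of account balance"
                        % (100 * value_wei // balance_wei))
    return warnings


if __name__ == "__main__":
    eth = 10**18
    # Constructed scenario: a 2 ETH account asked to send 1.99 ETH to SecurityUpdate().
    print(review_call(SAMPLE_ABI, "SecurityUpdate", 199 * 10**16, 2 * eth))
```

An ABI only describes the interface, so an empty list from this check is not evidence that a contract is safe.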