See More

Gas Token Scam: Exploiting Binance Smart Chain’s Refund Feature

2 mins
Updated by Ryan James
Join our Trading Community on Telegram

In Brief

  • In the wake of the $126 million Multichain bridge hack, wallet owners have been urged to revoke associated contracts.
  • But unfortunately, malicious actors are taking advantage of the wave of revocations to run gas token scams.
  • Currently, only Binance Smart Chain is confirmed to have been targeted, but other Ethereum-modelled blockchains could also be vulnerable.
  • promo

Security researchers have identified a gas token scam targeting users of Binance Smart Chain (BSC).

The attack vector takes advantage of so-called gas tokens intended to help users save on gas fees.  Although not the first time it has been observed, the attack has reemerged in response to the recent Multichain exploit.

Hackers Take Advantage of Users Revoking Multichain Approvals

The latest gas token scam appears to have arisen in response to various security tools prompting their users to revoke any unsolicited transactions. These prompts were issued in response to the recent Multichain bridge attack that stole around $126 million in crypto assets.

After news broke that Multichain’s Fantom bridge had been compromised, Multichain urged users to revoke all contract approvals related to the cross-chain bridging protocol.

Following the announcement, security tool developers moved quickly to minimize their users’ exposure to risk. For example, the browser extension Revoke Cash recommended users revoke all Multichain approvals, as did the Rabby crypto wallet.

Revoke Alerts Users to Multichain Hack (Source: Twitter)
Revoke Alerts Users to Multichain Hack (Source: Twitter)

While developers issued such warnings to help protect users from potential threats, at least one hacker has taken advantage of the wave of revocations. 

As the twitter user blanker.Eth first identified the scammer deployed a fake ERC-20 token on BSC that steals funds when users revoke the contract.

By using a fake contract, the scam minted CHI in victims’ wallets before transferring it to another address. But what exactly is CHI? And how was it used to bypass wallet defenses and steal crypto?

Gas Tokens Used to Siphon Funds

Developed by the team behind the 1inch DeFi protocol, CHI is what is known as a gas token. 

The concept was originally developed to help Ethereum users lock in low gas prices to use later when they rose. Such tokens used a feature built into Ethereum that refunded gas fees when clearing storage. That is until a 2021 update made gas tokens redundant on the Ethereum mainnet by voiding the refund feature they exploited. 

However, certain blockchains, including BSC, still implement the protocols deployed gas tokens. What’s more, other Ethereum-based blockchains could also be vulnerable to the attack. Although there is no evidence to suggest they are currently being exploited in this way. 

Unfortunately, for BSC, the weakness appears to be a recurring issue. For example, BlockSec identified a similar scam back in January. And as long as the refund mechanism that gas tokens use remains in play, malicious actors will likely continue to exploit them.

Security Tools Respond to Gas Token Attack

After they were alerted to the latest threat, the developers behind Revoke Cash and Rabby moved quickly to respond.

Revoke Cash added a feature that disables revoking approvals if gas fees exceed a certain threshold. Rabby has implemented similar precautions.

Top crypto platforms in the US | March 2024

Trusted

Disclaimer

All the information contained on our website is published in good faith and for general information purposes only. Any action the reader takes upon the information found on our website is strictly at their own risk.

Frame-1944.png
James Morales
James is a London-based editor, writer and explorer of the cryptosphere who started his journalistic career writing about digital art before honing his craft as a financial technology reporter. From the latest innovation in digital assets to the evolution of Web3, he is perpetually fascinated by the technologies of decentralization.
READ FULL BIO
Sponsored
Sponsored