Beware of a New Scam: Fake [Cancel Authorization]

Recently, attackers have been exploiting the authorization panic caused by the Multichain incident to forge authorizations, enticing users to cancel the authorizations appearing in their wallets, resulting in significant gas consumption and financial loss.

Here is how the attack works:

An attacker deployed a fake ERC-20 Token on the BSC public chain. The attacker forged authorization to the address on the chain by modifying theapprove() , triggering security tools to display a [Cancel Authorization] prompt to users. Theapprove() in the ERC-20 Token will consume a large amount of gas, allowing users to mint CHI Token (that is, Gas Token, which can be destroyed to obtain Gas Refund) to the contract deployer, and the user's wallet will be transferred to the high gas fee.

When the user clicks [Cancel Authorization], the transaction and minted CHI Token will be automatically sent to the wallet of the contract deployer. As of July 11, the attackers have obtained more than 200,000 CHI Tokens, worth about $1,800, through fraudulent authorization methods.

Bitget Wallet (Previously Bitget Wallet (Previously BitKeep)) would like to remind its users:

If you see a project contract that you have not authorized in the security detection tool, and a reminder to cancel the authorization appears, please do not click [Cancel Authorization]. Bitget Wallet (Previously Bitget Wallet (Previously BitKeep)) currently uses an authorization detection tool provided by DeBank, which has intercepted and filtered forged authorization. If you still encounter abnormal [Cancel Authorization] labels, it may be due to the delay in token detection and labeling. It is recommended to refresh the page several times before verifying.

In addition to the above-mentioned new scams of forged authorization, there are more common authorization-related risks in the cryptocurrency community. It is recommended that you improve your awareness of related prevention through the following content.

What is token or DApp contract authorization?

In the field of cryptocurrency, most projects are deployed on blockchain networks, and many interactive operations require users to authorize DApps or platforms to access their crypto wallets and grant certain permissions. Authorization means allowing a contract address to withdraw the user's tokens. Users need to authorize their wallets so that the DApp can read and operate their digital assets. Authorization can be one-time or persistent, and the DApp's access rights can be restricted or completely allowed.

For example, when you want to sell ETH tokens on a DEX platform, you need to approve() the smart contract of that DEX to access the permissions of your ETH tokens in your wallet. Only then can you swap ETH for other tokens through transactions. In the authorization detection tool of your wallet, you can see the record of this authorization.

In order to improve the user experience and reduce the number of authorizations, some DApps will require unlimited authorization. This means that the smart contract has unrestricted transfer permissions for a specific cryptocurrency in your wallet, but this is actually a highly risky operation. If the deployer of the DApp contract acts maliciously, they could potentially transfer your entire balance of that cryptocurrency from your wallet, resulting in the loss of your assets.

How to Guard Against Authorization Risks

Do not authorize token permissions on DApp platforms that you are unfamiliar with. Some platforms may transfer users' tokens in small amounts or in full within a few hours after authorization.

Bitget Wallet (Previously Bitget Wallet (Previously BitKeep)) provides users with a convenient [Security Detection] tool through DeBank, and users can regularly perform detection and cancel authorization in the wallet. Despite your familiarity and understanding of a DApp platform, there is still a possibility of attackers exploiting vulnerabilities. To ensure the utmost security of the tokens in your wallet, regularly clearing authorizations can effectively prevent the risk of theft.

Follow Bitget Wallet (Previously Bitget Wallet (Previously BitKeep)) to stay up-to-date with all of our latest events, findings, and promotions, and let Bitget Wallet (Previously Bitget Wallet (Previously BitKeep)) be your premier gateway into the Web3 space.

For more information, visit: Website | Twitter | Telegram | LinkedIn | Discord

For media inquiries, please contact: [email protected]

For business inquiries, please contact: [email protected]