In an effort to ensure Arculus users remain safe when transacting on the blockchain, we wanted to share details on a recent scam affecting the crypto community, called a "Zero Transfer Scam," similar to "address poisoning" scams. This scam is known to be targeting certain tokens on Ethereum Virtual Machine (EVM) chains.
In this attack, hackers are able to send transactions of 0 tokens from the victim’s wallet to an address that looks similar to one that the victim had previously sent tokens, usually starting and ending with the same characters found in the original sending address.
This is possible because of a flaw in the token's smart contract that allows attackers to send these zero-value transfers from wallets they don't control. This can cause users to accidentally send tokens to an attacker after cutting and pasting send addresses from a hijacked transaction.
Typically, an attacker would need a user’s private key in order to send a transaction from the victim’s wallet, but Etherscan’s “contract tab” feature discloses a loophole in some token contracts that can allow attackers to send a transaction from any wallet, as long as the value of the transaction is less than or equal to zero, without the need for the victim’s private key or any authorization.
According to Cointelegraph, Etherscan is working to mitigate the risk of this new scam and limit its effect on users. The block explorer program has started graying out zero-value token transactions that aren’t initiated by the user, and has begun flagging these transactions with an alert stating: “This is a zero-value token transfer initiated by another address.”
Something to be weary of: Some wallets may not show the spam transactions at all. This is something to take note of in wallets that store their own transaction history, opposed to pulling the data from the blockchain. Alternatively, if the wallet pulls data directly from the blockchain, victims may be able to see these spam transactions from the attacker in their wallet.
Arculus users who encounter this situation can rest assured that their private keys have not been compromised, and the crypto remaining in their wallet is still secure. They should remain vigilant and carefully confirm the full address to which they are sending their assets – not just the first and last few characters.
For further reading on zero-value transfer scams, check out these resources: