The sweeping robots of Ethereum are raging.This article understands three solutions.

Note: Have you ever encountered such a situation, when you send an Ethereum fund, and then found that the money in the wallet was emptied immediately, you may be targeted by the sweeper, this article aims to help You solve this problem, the original author is MyCrypto Security & Anti-Phishing Engineer Harry Denley.

When your secret is compromised, a malicious party will usually set up a sweeper on your account to take advantage of anything that happens to that address in the future, like when a user deposits ETH to try and withdraw some tokens, When an airdrop or other situation occurs.

This article outlines how user funds are swept away, and three unique ways to salvage any funds that are not swept (e.g. staked funds).

Recently, we have seen a large number of users pretending to be Telegram group admins, these fake admins will help users who ask for help in the main channel (although they are not real admins, they copy the admin profile information, but username with some minor differences). These impostors often speak a lot of jargon to confuse users and share a link to a website that appears to be legitimate, but it ends up asking you to enter a seed phrase or private key.

Then, your crypto assets are gone, with a sweeper on them.

Ethereum network gas fee has dropped to 4 gwei: According to news on August 6, according to Etherscan data, the current Ethereum network gas fee has dropped to 4 gwei. [2022/8/6 12:06:32]

Here's an example of one of these fake sites:

A sweeper is some code that monitors a blockchain (including txpool, which is technically not on-chain) and reacts programmatically to signing a specific transaction with a set of rules faster than a human can.

This means that the sweeper is invisible to the UI where you view your address on a blockchain explorer or "connect" it to a dapp. Only after you sign and broadcast the transaction to the network, the sweeper (sweeper) can see your activity.

Over time, we have seen the evolution of sweepers and the campaigns that exploit them.

During 2017, there was a fair amount of activity utilizing tokens that had a lock feature (i.e. you couldn't successfully call transfer() ) but included price feeds. Dave Appleton published an article about these activities.

The way a malicious party exploits this scam is that they will post the private key to this address (in some seemingly innocent or wrong way) and wait for people to deposit ETH into the address (to transfer the tokens in the address) . The malicious party would then have a sweeper program for that account to quickly transfer the ETH deposited to that address to his own account. Locked tokens are theoretically considered worthless, so they try to extract profits from unsuspecting "greedy" users.

Data: Nearly $1 billion in on-chain lending and liquidation quotas exist in the range of $1100 to $1250 in Ethereum Liquidation quota, the quota is mainly composed of Maker, Aave and Compound, of which the liquidation quota of 450 million US dollars is concentrated around 1185 US dollars. [2022/6/13 4:21:55]

Today, leaked addresses are basically deployed with ETH scrubber programs, and some organizations use more advanced scrubber program logic to clean ERC20 tokens based on price feeds.

Earlier this year, I did some reconnaissance research on a leaked address and found that the sweeper was constantly evolving:

Sweepers favor assets with the highest dollar value, even if it means spending more in transaction fees to sweep;

The sweeper will use all available ETH to maximize sweep value while also having a high percentage of nonce "winning" transactions.

The sweeper has a matching engine that matches pledged tokens (ie: xKNCa=KNC) with their native tokens so that the price feed is reflected on the pledged tokens.

The sweeper has its own internal nonce counter, and periodically resets the nonce nonce to the eth.getTransactionCount() output if its highest nonce nonce is not confirmed within a time frame (or discarded/replaced by another).

Co-Founder of Prysmatic Labs: Pledge Economy Can Guarantee the Security of Ethereum: Jinse Finance reported that in today’s ETH 2.0 AMA hosted by OKEx Mining Pool and Ethereum China Community, Raul Jordan, co-founder of Prysmatic Labs, said that pledge economy can guarantee the security of Ethereum. Ethereum security. We hope to explain staking in the most common language to most users, including Ethereum enthusiasts who want to run a node at home. If only a small number of centralized exchanges can participate in the pledge, then Ethereum will not be as secure as we imagined, and it will not be able to achieve trustlessness. Now, most stakers can participate in eth2 running tests by participating in one of the public testnets. [2020/6/17]

If there are high-value assets targeted by the sweeper, there is some activity suggesting that the operator "sacrifice" some ETH by funding the address in an attempt to quickly sweep the high-value asset from the account.

Some scrubbers won’t sweep assets if the dollar value is below a certain threshold, which means you might not know your account is being targeted by a scrubber, which is scary.

Articles describing the scrubbers first appeared in 2017, and now the scrubbers we observe have become more advanced, and they are designed to maximize the profit of the operator while causing the maximum loss to the victim.

Dynamics | Ethereum lottery platform PoolTogether raises $1.05 million to improve security: Jinse Finance reports that Ethereum non-loss lottery platform PoolTogether announced that it has raised $1.05 million from IDEO CoLab Ventures, ConsenSys Labs and DTC Capital under the Simple Future Equity Agreement (SAFE) U.S. dollars, the new funding will help the company improve its security, increase the size of its bounties, and support its zero-fee service. The company also plans to launch a new USDC pool that will offer daily bonuses and will allow users to link their lotteries together. [2020/2/4]

First, as humans, we cannot be faster than code, so our solutions can only involve coding. There are a few different routes you can choose, none of them are 100% guaranteed, but worked in our favor.

You need to create a list of coins you want to try to salvage, sorted by priority so you can easily determine your plans, you need to list:

Token contract address;

Whether tokens are staked (and whether unstaking is time-locked);

Whether the token is transferable;

Token value (in USD);

The point is that you get this done methodically so you can execute quickly and efficiently. As a famous saying goes: "If you fail to plan, you plan to fail".

After the "eclipse attack" was released, Ethereum quickly revised: "eclipse attack" is an attack method against peer-to-peer nodes in the blockchain, which allows users to transfer money with digital currency that has been paid to others, and the recipient cannot Verify. After the solution was released to the Ethereum community, Ethereum released a patch Geth v1.8.1 to solve the problem. [2018/3/3]

The way the sweeper works is to monitor the txpool for incoming transactions going to its sweeping address, and TAICHI allows you to submit signed transactions directly to the miners (SparkPool) without broadcasting through the public txpool, which means that the sweeper program will be Invisible, and most likely your trade won't be pre-empted by a sweeper bot (at least in my experience).

Picture from TAICHI.NETWORK

The approach here is to have all your transactions pre-signed in nonce order and submitted to TAICHI programmatically. Most sweepers only monitor the public txpool/mempool for incoming ETH transactions, and don't call eth_getBalance on every new block (to save the cost of CPU cycles and RPC method calls), which means they will route through the private txpool ETH sent to the account is ignored, and thus not swept.

This requires you to do some math, and if the math is done correctly, a sweeper program that tries to frontrun may fail! (Usually, I default to a gas price a few percent higher than the "fast" category on GasNow, so miners will be more likely to confirm your transaction in the next block.)

You can use MyCrypto offline to generate signed transactions and push them to TAICHI when ready, or use ethers.js (or other libraries) to create code to create signed transactions.

Just like with the TAICHI method, we can use smart contracts to let ETH into the account without showing it in the public txpool. We do this by deploying a smart contract from a secure address, then structurally send ETH to the compromised address (which would be an inside transaction).

By deploying this contract, we can send ETH along with the leaked address string in the constructor parameters. The contract works by creating the contract and self-destructing in the same transaction. Using selfdestruct() means we clear the blockchain state (since it's a one-time-use contract) and forward ETH to the leaked address in one transaction.

https://goerli.etherscan.io/tx/0x82ccb222eae55aaea73dd0efee1ea6ed7320f880889f280d4a343b8823f86692

Note that while this method works, it will add additional costs, since we are doing more than just sending ETH from one account to another. The cost of this method is about 70,000 gas. In the context of high gas prices, the cost of using this method may reach 0.0112ETH.

Generally speaking, we need to pay ETH for a transaction to be confirmed (because the transaction fee is paid by the sender). However, thanks to Flashbots, we can more easily confirm transactions at 0 gas price (i.e. 0 USD transaction fee) from EOA by "bribing" miners with funds from another account, which means we can transfer tokens to Transfer from a leaked address without paying for gas in ETH, yes, that's it.

This strategy requires the use of 2 accounts, one is the leaked account, and the other is the one used to bribe the miner.

The Flashbots group has released a project called Flashbots/searcher-sponsored-tx‌ which has a rationale for setting up this strategy to confirm your transaction from two accounts.

Since we will be using another account to pay for the transaction, there is no need to deposit ETH to the compromised account.

To make sure there is no ETH in the compromised account, we strongly recommend that you run a Burner bot.

We generally recommend running the burner bot on more than one computer, using a different RPC node per instance. For example, run a burner bot locally with Infura, and run a burner bot on a remote server with another provider such as Quiknode. This way, you have a backup plan in case of high network latency or node issues (rate limiting, sync issues).

The code in Flashbots/searcher-sponsored-tx will need to be modified for your specific needs, but this engine can help you save coins from leaked addresses. The Flashbots engine is flexible enough to support a single transfer() call, or unstake() and transfer() calls.

If you're not too familiar with code, you can also try the @kendricktan/flashbots.tools‌ website.

Tags：

OKX Exchange