The blockchain security firm SlowMist has shed light on certain security vulnerabilities with centralized exchanges and how hackers use them to conduct false deposit attacks.
While blockchain technology is in its early stages, hackers are developing sophisticated techniques to steal funds from projects and users.
How Exchanges Deposit Funds to Users’ Wallet
When a deposit is made to a centralized crypto exchange, there are various steps before the amount is credited to the users’ address. The infographic below shows those steps, starting with a request for a deposit and the generation of a unique wallet for the user.
However, hackers are tricking the process by sending counterfeit transactions that the exchange identifies as genuine deposits. SlowMist shared an example of the “TON Bounce-back False Top-up.”
Case Study of False Deposit Attack in TON
Hackers have exploited the vulnerabilities in the transaction for depositing Toncoin (TON), a project from the messaging platform Telegram.
The screenshot below shows a transaction using the RPC interface. Generally, the centralized exchanges will verify if the users’ deposit address is mentioned in the “destination” of the “in_msg” property.
However, if the exchanges fail to notice the “out_msgs” property, they might credit the users’ accounts with funds without receiving the deposit. In layman’s terms, the “out_msg” property would refund the funds to its origin account.
SlowMist has also shared best practices to avoid false deposit attacks:
- Multi-confirmation mechanism to avoid falling trap to false deposit attack
- Rigorous transaction matching to ensure the transaction matches with normal transaction pattern
- A risk control system that could detect malicious transactions.
- Manual review for larger deposits and to decrease the system reliability.
- Enhancing API security to stop bad actors from accessing the system
- Temporary withdrawal restrictions after a user’s wallet receives a deposit.
- Regular security updates to fix the vulnerabilities, if any.
Got something to say about the false deposit attack or anything else? Write to us or join the discussion on our Telegram channel. You can also catch us on TikTok, Facebook, or X (Twitter).
For BeInCrypto’s latest Bitcoin (BTC) analysis, click here.
In adherence to the Trust Project guidelines, BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content.