Verlorene Gelder mit Trezor
- Dieses Thema hat 11 Antworten und 2 Teilnehmer, und wurde zuletzt aktualisiert vor 1 Jahr, 11 Monaten von
.
-
Beiträge
-
-
Liebe Community,
Nachdem ich ein Befürworter des Ledger: Trezor, habe ich immer mit diesem Markt vorsichtig gewesen.
Heute ist der Tag, an dem ich versagt habe. Ich habe es versäumt, ein gesichertes Konto zu haben, da ich gehackt wurde. Ich habe keine Seed-Phrasen mit jemandem geteilt, und es ist physisch auf einem Stück Papier gespeichert, das niemand kennt.
Als ich aufwachte, hatte ich fast nichts mehr auf meinem Konto, und obwohl mein Trezor nicht einmal an meinen Computer angeschlossen war, konnte jemand auf mein Konto zugreifen und es abheben.
[https://ftmscan.com/address/0x907c149d67bb449904580e2c5b463053c2d69f7f](https://ftmscan.com/address/0x907c149d67bb449904580e2c5b463053c2d69f7f)
Bitte lassen Sie mich wissen, was ich tun kann, um dieses Problem zu lösen, wenn es einen Weg gibt…
Ich glaube, dass ich von 888crypto.pro betrogen worden bin, aber ich habe nie geglaubt, dass es möglich ist, Geld ohne die Erlaubnis eines Ledgers abzuheben.
SEIEN SIE VORSICHTIG DA DRAUSSEN
-
He did have your permission. You gave it to him in this transaction (0x608f5968df311903a6f22da42b869f1504f625919adf8a0795b351479745d369) and also the several transactions following that one where you for some reason approved the same amount and address again.
The address you gave permission to spend your tokens is this one: 0x8D6b0431841653f8910A6c9F9bEa8e2156055B19
Next time when you approve an address to spend you tokens you need to make sure you are actually approving the smart contract you wanted to approve, checking the code too is a good idea. In this case you didn’t even approve a smart contract, you approved an ordinary address to spend you funds. If you had paid attention then the fact that the address you approved wasn’t even a smart contract would have been an obvious sign that you were being scammed.
Obviously if you want to keep using the address you need to cancel all your approvals to that address, if not he can withdraw any USDC you deposit to the address since he still has a large allowance left.
-
-
In every single defi app I’ve used in the last couple of years there’s always an ‘approve’ button for a specific action followed by a ‘stake/farm/provide’ button.
You cannot stake without first approving, however BOTH transactions require a signiture from the hardware wallet.
I have never witnessed a hardware wallet transaction get executed without the need for a signiture from the device. Even ‘claim & stake’ buttons which allow for two separate blockchain commands also require TWO signatures.
So how did this contract both gain permission AND drain the account without the user needing to sign. It should be highlighted to the user in clear block capitals that this contract is requesting to drain the full account (similar to how app permissions work in Android). We cannot rely on users knowing how to navigate solidity or being able to tell the difference between contract addresses and normal wallet addresses.
This needs more work from metamask, ledger and trezor!!
Lastly, how do we check an approval contract we are signing is not malicious? (I bet there are no tools for this)
-
-
-
Malicious ETH contracts can clean you out.
https://ethereum.org/en/developers/docs/smart-contracts/security/#attacks-and-vulnerabilities.
> withdraw funds without permission of a ledger
When you sign a malicious contract it can grant future permission. Malicious contracts are intentionally convoluted.
-
-
-
-
I’m sorry for the heavy price you paid, and your advice is well taken. This attack vector has prompted this PSA. A different honey pot but the same tactic.
https://blog.coinbase.com/security-psa-mining-pool-scams-targeting-self-custody-wallets-543ffe698724
-
-
- Du musst angemeldet sein, um auf dieses Thema antworten zu können.
