Unmasking Sleepdropping: A New On-Chain Scam Uncovered by the Forta Community

Article by Forta Network Jun. 21, 2023

Forta is a real-time detection network for security monitoring of blockchain activity. The decentralized Forta Network scans all transactions and block-by-block state changes, leveraging machine learning to detect threats and anomalies on DeFi, NFTs, bridges, governance and other Web3 systems. When an issue is detected, alerts are sent to subscribers of potential risks, which enables them to take action.

In the ever-evolving world of blockchain, scams and malicious activities continue to adapt in sophistication. Forta Network, the real-time detection network for security monitoring of blockchain activity, has recently identified a new type of scam – Sleepdropping. This scam gives a false impression of legitimacy by tricking users into believing they have received tokens from a legitimate contract address.

An Emerging Threat

The Forta Network has identified a novel form of scamming activity in the blockchain space, known as ‘Sleepdropping’. Just as the world of blockchain evolves, so do the tactics employed by those who seek to exploit it for nefarious gains. Sleepdropping is a prime example of this evolution. The scam takes its name from the ‘sleep minting‘ technique used in NFTs and applies a similar methodology to ERC-20 tokens.

In a typical sleepdropping scenario, a scammer creates an ERC-20 token and sends it to a user’s wallet, making it appear as if it were transferred from a legitimate contract address. This illusion of legitimacy is achieved by allocating all the tokens to the legitimate contract and then executing a function that triggers a transfer event from the legitimate contract to the user’s wallet.

Although this technique does not pose a direct risk to users’ funds, it is used as a form of spam, leading users to a URL where the actual scam takes place, often in the form of an ice phishing attack. This type of scam is designed to trick users into transferring their assets to the scammer, usually by misleading the user into signing a transaction that appears legitimate but is, in fact, a contract invocation that transfers ETH to the scammer.

The Discovery of Sleepdropping

As a part of the continuous monitoring and threat detection process, the Forta team manually reviews alerts generated by Forta’s Scam Detector. In June, while reviewing these alerts, the team noticed an address that was repeatedly invoking an airdrop function from an unverified contract, suggesting potential ice phishing activity. However, no approvals or fund transfers were associated with this address.

Upon further examination, a recurring pattern was observed in all transactions linked to this address. A legitimate token contract was seemingly sending impersonated tokens to multiple addresses. For instance, the Chainlink contract appeared to be airdropping a token called ‘t.link’, and the Hex contract seemed to be airdropping a token called ‘Hex.pool2’. Interestingly, both these impersonated tokens contained a URL in their name leading to the second stage of the scam, the ice phishing attack.

Users who received the airdropped token and investigated the transaction on Etherscan would see the name of the token containing a website URL. The website advertised the possibility of swapping the thLink token for the LINK token. However, upon connecting their wallets, users were tricked into signing a transaction that transferred a small amount of ETH to the scammer.

The Mechanism of Sleepdropping

Sleepdropping works by the scammer airdropping ERC-20 tokens into users’ wallets, but making it appear as though these tokens are coming from a legitimate contract address. This is accomplished by allocating all the tokens to the legitimate contract and executing a function that emits a transfer event from the legitimate contract to the user’s wallet. In essence, this creates the illusion that the token was transferred from the legitimate contract, when in reality, it’s the scammer’s contract. This technique bears similarities to the “sleep minting” of NFTs.

While the technique itself does not pose a direct risk to users, it paves the way for subsequent scams. Typically, the airdropped tokens point the user to a URL where the real scam gets executed, usually as a native ice phishing attack.

The sleepdropping scam involves several steps:

1. Scammers create a fake token, impersonating an existing one.

2. The scammer sends all of these tokens to the legitimate token contract. For example, if the Dai token is impersonated, all the supply of the fake Dai is sent to the MakerDao contract.

3. The scammer invokes the airdrop function of the contract, transferring the funds from the official token contract to multiple addresses. To appear more credible, the scammer sends the same amount to all selected targets, as airdrops are usually tiered.

4. The scammer often includes a phishing URL in the fake token contract in hopes of phishing as many targets as possible.

5. Upon connecting their wallet to this phishing site and approving the contract, users’ native assets are drained.

Over 108 tokens were created to execute sleepdropping attacks, impersonating reputable teams like Chainlink, MakerDao, Circle, Uniswap, Lido, 1inch, dydx, and HEX. An initial analysis indicates that thousands of victims may have fallen victim to this scheme. Just one sleepdropper contract has made over 1,500 transactions and appears to have raked in $22k of stolen user funds. An appendix detailing the scammer EOAs used in verified sleepdropping attacks can be found here.

Forta’s Role in Detection and Prevention

Forta is developing a Sleepdrop bot, designed to identify sleepdrop tokens. This bot will flag token contracts where a large portion of tokens are automatically assigned to a legitimate contract (low severity alert). It will also flag airdrop function calls that emit events, where the token is transferred from the legitimate contract to a set of addresses (high severity).

Just like with previous scams, Forta’s monitoring was effective in detecting these malicious activities. Using machine learning, Forta can dissect every deployed smart contract’s opcode in search of malicious patterns. This level of real-time threat detection and alerting can be invaluable in detecting attacks before they can cause harm, as seen in the Euler Finance hack.

The discovery of the sleepdropping scam serves as a reminder that the world of cryptocurrencies and blockchain technology is still a high-risk landscape. To stay secure, users should remain vigilant of airdrops and URLs contained in tokens, even if they appear legitimate. Wallet providers that utilize Forta’s threat intelligence, such as Zengo, can offer an additional layer of security.

Stay tuned to Forta’s blog for more case studies, and insights into how Forta is making the blockchain space safer, one scam at a time.