
Check Point Software Technologies, Inc. Check Point Research warns of attacks that exploit the smart contract of the crypto asset Ethereum (ETH)

Press release: March 29, 2024
*Cyber attackers found abusing the CREATE2 function of smart contracts; loss of Ethereum assets worth 500 million yen reported overseas*

Check Point Research (CPR), the threat intelligence division of Check Point Software Technologies (Check Point(R) Software Technologies Ltd., NASDAQ: CHKP), has published a blog that investigates important vulnerabilities in Ethereum (ETH), which is attracting attention as the second most important platform after Bitcoin in the blockchain field. The blog explains the security risks associated with Ethereum's CREATE2 function.

*Highlights*
– *New risks behind the convenience:* Ethereum's CREATE2 feature, hailed as a technological advancement, has already been found to be exploited by cybercriminals. The abuse compromises the security of digital wallets and facilitates unauthorized access to funds; in one confirmed case, a user lost 3.5 million US dollars (approximately 530 million yen).
– *New attack method:* A typical feature of Ethereum is the "smart contract" function, which automatically executes pre-programmed contracts. It has become clear that attackers can trick users into approving transactions for smart contracts that have not yet been deployed. This loophole allows attackers to deploy malicious contracts and steal cryptocurrencies.
– *Enhanced defense:* In light of the latest threat landscape, there is an urgent need to strengthen wallet security to guard against the evolving strategies of cybercriminals and protect digital assets.

*The "CREATE2" function that revolutionized smart contracts, and its security concerns*

The CREATE2 feature, introduced as part of the Constantinople upgrade, revolutionized the way smart contracts are deployed. CREATE2 makes it possible to create contracts at deterministic addresses even before the actual contract code is written, which greatly improved predictability and efficiency, especially within complex ecosystems of decentralized applications (DApps). It facilitates the planning of interactions between multiple contracts, which is important for the seamless functioning of DApps.

On the other hand, CREATE2 introduced a major security loophole to Ethereum. Because CREATE2 makes it possible to deploy a smart contract in the future to a pre-configured address, attackers can trick users into approving transactions for contracts that do not yet exist. Once a user approves such a transaction, the attacker can deploy a malicious contract to that address and steal crypto assets from the user's wallet.

*Attack mechanism*
1. Cybercriminals use airdrops and sophisticated phishing techniques to trick users into approving or increasing their transaction allowance.
2. Because the contract is fictitious at the time of approval, it can evade detection by security solutions that screen for threats based on existing contracts.
3. With the user's approval in hand, the attacker deploys a malicious contract to access and exploit the user's funds.

Many security measures are designed to evaluate and verify transactions based on existing contracts and known behavior. By exploiting CREATE2's ability to interact with contracts that will only exist in the future, attackers can bypass these traditional security measures.
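
A pre-signing check a wallet or monitoring tool could apply to the approvals described above, as an added example that is not from Check Point's blog or this release: it decodes `approve`/`increaseAllowance` calldata and flags a spender whose address holds no code. It assumes the approvals are ERC-20 token allowances; `get_code` stands in for the `eth_getCode` JSON-RPC call, and the addresses and bytecode are constructed sample values.

```python
# Added example: flag token approvals whose spender has no deployed code.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
MAX_UINT256 = 2**256 - 1


def decode_approval(calldata_hex):
    """Return (function, spender, amount) for an approval call, else None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    name = APPROVAL_SELECTORS.get(data[:8])
    if name is None or len(data) < 8 + 64 * 2:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    # An address is the low 20 bytes of its 32-byte ABI word.
    return name, "0x" + spender_word[24:], int(amount_word, 16)


def review_approval(calldata_hex, get_code):
    """get_code(address) -> hex string, shaped like an eth_getCode result."""
    decoded = decode_approval(calldata_hex)
    if decoded is None:
        return []
    name, spender, amount = decoded
    findings = []
    # Empty code means an externally owned account or a contract that has
    # not been deployed yet; a later CREATE2 deployment can fill the address.
    if get_code(spender).lower() in ("", "0x", "0x0"):
        findings.append(f"{name}: spender {spender} has no deployed code")
    if amount == MAX_UINT256:
        findings.append(f"{name}: unlimited allowance requested")
    return findings


# Constructed sample state (hypothetical addresses and bytecode).
DEPLOYED = "0x" + "11" * 20
UNDEPLOYED = "0x" + "22" * 20
CHAIN_CODE = {DEPLOYED: "0x6080604052"}


def sample_get_code(address):
    return CHAIN_CODE.get(address, "0x")


def build_approve(spender, amount):
    return "0x095ea7b3" + spender[2:].rjust(64, "0") + format(amount, "064x")
```

An empty-code result does not prove malice, since ordinary accounts also have no code, so the finding is a reason to hold the approval for review rather than a verdict.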

*Understand the latest blockchain threats and take security measures*

The abuse of the CREATE2 feature highlights the ongoing battle between innovation and security in the blockchain space. As Ethereum evolves, so do the sophisticated attacks and the security mechanisms that protect users. Raising awareness and educating users about this is an important first step in protecting digital assets from emerging threats. Blockchain developers and users must constantly update their security practices and remain vigilant to stay ahead of potential risks. Check Point's Threat Intel Blockchain system collects and shares intelligence on emerging threats to help investors safely leverage the crypto space. For more information, please contact blockchain@checkpoint.com.

For more information on this topic, please refer to Check Point Research's blog.

This press release was created based on a blog (English) published on March 18, 2024 (U.S. time).

*About Check Point Research*
Check Point Research provides the latest cyber threat intelligence for Check Point customers and the threat intelligence community. It collects and analyzes data on cyberattacks from around the world stored in ThreatCloud AI, Check Point's threat intelligence, and contributes to the effectiveness of the protection functions built into Check Point products while deterring hackers. More than 100 analysts and researchers belong to the team, which works on cybersecurity measures in cooperation with security vendors, law enforcement authorities, and CERT organizations.
Blog: https://research.checkpoint.com/
X: https://twitter.com/_cpresearch_

*About Check Point*
Check Point Software Technologies (https://www.checkpoint.com/) is a leading provider of AI-powered cloud cybersecurity platforms, providing protection to over 100,000 organizations worldwide. Check Point Software Technologies leverages the power of AI to improve cybersecurity efficiency and accuracy everywhere through the Infinity Platform, which enables proactive defense predictions and smarter, faster responses. The Infinity Platform comprises Check Point Harmony to protect the workspace, Check Point CloudGuard to protect the cloud, Check Point Quantum to protect the network, and Check Point Infinity Core Services to enable collaborative security operations and services. Check Point Software Technologies Co., Ltd. (https://www.checkpoint.com/jp/), a wholly owned Japanese subsidiary of Check Point Software Technologies, was founded on October 1, 1997 and is based in Minato-ku, Tokyo.

*Social media accounts*
・Check Point Blog: https://blog.checkpoint.com
・Check Point Research Blog: https://research.checkpoint.com/
・YouTube: https://youtube.com/user/CPGlobal
・LinkedIn: https://www.linkedin.com/company/check-point-software-technologies/
・X: https://twitter.com/checkpointjapan
・Facebook: https://www.facebook.com/checkpointjapan

*Inquiries from the press regarding this matter*
Check Point Public Relations Office (within NEXT PR LLC)
Tel: 03-4405-9537 Fax: 03-6739-3934
E-mail: checkpointPR@next-pr.co.jp

*Details about this release*
https://prtimes.jp/main/html/rd/p/000000283.000021207.html