ERC-20 tokens are frequently stolen in crypto scams, with phishing attacks accounting for a large share of the losses. The token standard's approval mechanism, designed to simplify transactions, has unwittingly facilitated theft, as malicious actors abuse functions such as "allow" and "increaseAllowance". Despite attempts to address these vulnerabilities, the immutability of smart contracts makes correcting ERC-20's flaws challenging. Phishing scams are rampant in the Ethereum ecosystem, and even experienced cryptocurrency users fall victim to social engineering tactics. Security experts stress the need for caution and awareness to reduce phishing risk.
ERC-20 Tokens: A Breeding Ground for Crypto Theft
Within the ever-evolving realm of cryptocurrencies, ERC-20 tokens have emerged as a ubiquitous standard, accounting for a staggering 89.5% of the $71.5 million worth of crypto assets pilfered through phishing scams in March alone, according to the reputable firm Rip-off Sniffer. This alarming statistic highlights a fundamental flaw within the design of ERC-20 tokens, leaving them vulnerable to exploitation.
At the heart of the problem lie features such as "allow" and "increaseAllowance," intended to enhance the efficiency of the token standard. However, these very mechanisms have inadvertently introduced new vulnerabilities, creating a breeding ground for sophisticated theft schemes.
Origins of the Flaw: An Inherent Design Flaw
First introduced in 2015, ERC-20 tokens possess inherent security loopholes that have allowed malicious actors to exploit unsuspecting victims, often through phishing attacks. Mikko Ohtamaa, co-founder of the algorithmic trading protocol Trading Strategy, attributes these vulnerabilities to poor design choices embedded within Ethereum and, to a lesser extent, Solana.
"The immutability of smart contracts complicates efforts to rectify ERC-20's flaws," explains Ohtamaa. This characteristic, while crucial for maintaining the integrity of blockchain technology, presents a significant obstacle to patching vulnerabilities in existing contracts.
Phishing Attacks: Leveraging Uniswap's Permit2
Phishing scams have become a primary mode of attack for crypto thieves, with Ethereum serving as a prime target. Uniswap, a prominent decentralized exchange, sought to address the inconvenience of separate approvals for each transaction by introducing Permit2, a smart contract released in 2022.
Permit2 aimed to streamline the process by allowing users to grant batch token approvals to decentralized applications (DApps), thereby eliminating the need for multiple on-chain approvals and reducing gas fees. However, this seemingly innocuous solution opened up a new avenue for illicit actors to obtain "allow" signatures through phishing schemes, ultimately siphoning tokens from unsuspecting victims.
Limitations of the "Approve" Mechanism
The core functionalities of the ERC-20 standard, including the "approve" mechanism, have been instrumental in catalyzing the rise of decentralized finance (DeFi). However, this mechanism has also become a target for malicious entities to deceive users into signing fraudulent messages, exploiting the discrepancy between Ethereum's native currency, Ether, and ERC-20 tokens in their interaction with smart contracts.
While sending Ether to a smart contract is straightforward, ERC-20 tokens require explicit approvals when interacting with different smart contracts. This approval process becomes a prime target for malicious actors seeking to trick victims into granting unintended access to their funds.
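The "approve" mechanism and the signature-based approvals the article calls "allow" are both decisions a wallet can inspect before the user signs. The following Python is an added illustrative example, not code from the article, from Uniswap or from any wallet vendor: it decodes raw `approve(address,uint256)` / `increaseAllowance(address,uint256)` calldata and inspects an EIP-712 Permit2 `PermitSingle` request, flagging unlimited or long-lived allowances to spenders the user has not recognised. The spender addresses are constructed placeholders; treating the article's "allow" as a signature-based permit (as in EIP-2612 and Permit2) is an assumption about its wording.

```python
"""Wallet-side pre-signing guard for ERC-20 approvals and Permit2 permits.

Added illustrative example (not from the article, Uniswap or any wallet).
Models the checks a wallet or browser extension can run before a user
signs, so that an unlimited allowance to an unknown contract is surfaced
as a warning instead of a one-click "Confirm".
"""
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1
MAX_UINT160 = 2**160 - 1          # Permit2 amounts are uint160

# 4-byte function selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",   # OpenZeppelin extension
}

# Constructed placeholder allow-list of spenders the user recognises.
KNOWN_SPENDERS = {"0x" + "11" * 20}


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low" | "info"
    message: str


def decode_approval_calldata(calldata: str):
    """Decode approve/increaseAllowance calldata into (function, spender, amount).
    Returns None for any call that is not one of the two approval functions."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector = data[:8]
    if selector not in SELECTORS or len(data) != 8 + 2 * 64:
        return None
    spender = "0x" + data[8 + 24:8 + 64]        # address = low 20 bytes of word 0
    amount = int(data[8 + 64:8 + 128], 16)      # uint256 in word 1
    return SELECTORS[selector], spender, amount


def check_approval(calldata: str, known_spenders=KNOWN_SPENDERS) -> list:
    """Findings for an on-chain approval transaction about to be signed."""
    decoded = decode_approval_calldata(calldata)
    if decoded is None:
        return []
    fn, spender, amount = decoded
    findings = []
    if spender not in known_spenders:
        findings.append(Finding("high", f"{fn}: spender {spender} is not a known contract"))
    if amount == MAX_UINT256:
        findings.append(Finding("high", f"{fn}: unlimited allowance requested"))
    elif amount > 0:
        findings.append(Finding("info", f"{fn}: allowance of {amount} token units"))
    return findings


def check_permit2(typed_data: dict, now: int, known_spenders=KNOWN_SPENDERS) -> list:
    """Findings for an EIP-712 Permit2 PermitSingle signature request.
    Field names follow Uniswap's Permit2 struct layout (PermitDetails + spender
    + sigDeadline); `now` is the current Unix time supplied by the caller."""
    if typed_data.get("primaryType") != "PermitSingle":
        return []
    msg = typed_data["message"]
    details = msg["details"]
    findings = []
    spender = msg["spender"].lower()
    if spender not in known_spenders:
        findings.append(Finding("high", f"Permit2: spender {spender} is not a known contract"))
    if int(details["amount"]) == MAX_UINT160:
        findings.append(Finding("high", "Permit2: unlimited (uint160 max) amount"))
    lifetime = int(details["expiration"]) - now
    if lifetime > 30 * 24 * 3600:
        findings.append(Finding("medium", f"Permit2: allowance stays valid for {lifetime // 86400} days"))
    if int(msg["sigDeadline"]) - now > 3600:
        findings.append(Finding("low", "Permit2: signature remains usable for more than an hour"))
    return findings


if __name__ == "__main__":
    # Constructed sample: approve(unknown spender, MAX_UINT256)
    sample = "0x095ea7b3" + "00" * 12 + "22" * 20 + "f" * 64
    for f in check_approval(sample):
        print(f"[{f.severity}] {f.message}")
```

The two checks are deliberately independent: a wallet sees an `approve` as a transaction to simulate, but a Permit2 permit only as a message to sign, which is why the article notes that such signatures can be harvested off-chain; both paths end in the same allow-list and amount checks.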
The Immutable Curse: A Dilemma for Developers
The immutable nature of smart contracts poses a significant challenge for developers seeking to address the vulnerabilities in ERC-20 tokens. Changes to existing tokens in circulation are virtually impossible, leaving them perpetually susceptible to exploitation.
However, some projects have attempted to circumvent this limitation by employing upgradable proxies or middleman contracts. These solutions provide a degree of flexibility, allowing developers to modify or eliminate non-core functionalities, such as "increaseAllowance" and "allow." Uniswap's Permit2, for example, extended the "allow" functionality to ERC-20 tokens that lacked it natively.
The Social Engineering Factor
Despite the technical flaws in ERC-20 token design, social engineering techniques play a significant role in the success of phishing scams. These tactics manipulate human behavior, exploiting psychological vulnerabilities to trick victims into compromising their security.
Mikhail Vladimirov, an Ethereum developer and smart contract auditor, emphasizes the importance of user education and simplified wallet interfaces to mitigate the risks associated with phishing attacks. He argues that overly technical jargon and complex codes often confuse users, making them more susceptible to scams.
Are Phishing Scams a Priority?
The security community has been criticized for not prioritizing phishing scams, a neglect often justified by the view that such scams affect only less experienced users or stem from flaws in front-end interfaces. Some researchers dismiss them as a "silly user problem" or as the responsibility of wallet and front-end developers.
However, the prevalence of phishing attacks has expanded beyond novice users, and even experienced crypto enthusiasts have fallen victim to sophisticated social engineering schemes. Necksus, a crypto miner and collaborator with the forensics platform Intelligence On Chain, lost approximately $20,000 to a phishing scam after being deceived by a compromised NFT artist's account.
Emerging Trends in Phishing Attacks
Phishing scams are constantly evolving, with attackers employing increasingly creative techniques. Lev Menshikov of Oxorio, an auditing agency, highlights the rising popularity of attacks targeting ENS (Ethereum Name Service) domain owners. In this scheme, attackers send fraudulent email alerts to ENS domain owners, luring them to a bogus renewal website where their funds are extorted.
Mitigating Risks and Protecting Assets
While the immutability of smart contracts and the vast array of tokens make it challenging to prevent attacks on a purely on-chain level, a combination of security tools and user vigilance can significantly reduce the risk of falling victim to phishing scams.
WalletGuard and Pocket Universe are examples of security tools that allow users to scan URLs for potential risks and identify potential wallet drainers. By exercising caution and maintaining a heightened awareness of phishing attempts, crypto users can protect their digital assets from malicious actors.
A Cynical View: Profiting from Unresolved Issues
Some experts, like Ohtamaa, believe that there is a lack of incentive to resolve the phishing problem in the cryptocurrency industry. "It's always more profitable to sell aspirin than to cure the patient," he says, implying that the financial rewards of exploiting vulnerabilities outweigh the efforts required to fix them.
As the cryptocurrency ecosystem continues to evolve, it remains essential for developers, security researchers, and users to work together to address the ongoing threat of phishing scams. By understanding the vulnerabilities inherent in ERC-20 tokens and adopting proactive measures, crypto users can safeguard their digital assets and contribute to a more secure future for the crypto community.