ERC-20 tokens are routinely stolen in crypto scams, with phishing attacks accounting for a large share of the losses. The token standard's approval mechanism, designed to simplify transactions, has unwittingly facilitated theft, as malicious actors abuse functions such as "permit" and "increaseAllowance". Despite attempts to address these weaknesses, the immutability of smart contracts makes correcting ERC-20's flaws difficult. Phishing scams are also rampant across the Ethereum ecosystem, and even experienced cryptocurrency users fall victim to social engineering tactics. Security experts stress the need for caution and awareness to reduce the risk of phishing.
ERC-20 Tokens: A Breeding Ground for Crypto Theft
Within the ever-evolving realm of cryptocurrencies, ERC-20 tokens have emerged as a ubiquitous standard, accounting for a staggering 89.5% of the $71.5 million worth of crypto assets pilfered through phishing scams in March alone, according to the security firm Scam Sniffer. This alarming statistic highlights a fundamental flaw in the design of ERC-20 tokens, leaving them vulnerable to exploitation.
At the heart of the problem lie features such as "permit" and "increaseAllowance," intended to make the token standard more convenient to use. However, these very mechanisms have inadvertently introduced new vulnerabilities, creating a breeding ground for sophisticated theft schemes.
Origins of the Flaw: An Inherent Design Flaw
First introduced in 2015, ERC-20 tokens possess inherent security loopholes that have allowed malicious actors to exploit unsuspecting victims, often through phishing attacks. Mikko Ohtamaa, co-founder of the algorithmic trading protocol Trading Strategy, attributes these vulnerabilities to poor design choices embedded within Ethereum and, to a lesser extent, Solana.
"The immutability of smart contracts complicates efforts to rectify ERC-20's flaws," explains Ohtamaa. This characteristic, while crucial for maintaining the integrity of blockchain technology, presents a significant obstacle to patching vulnerabilities in existing contracts.
Phishing Attacks: Leveraging Uniswap's Permit2
Phishing scams have become a primary mode of attack for crypto thieves, with Ethereum serving as a prime target. Uniswap, a prominent decentralized exchange, sought to address the inconvenience of separate approvals for each transaction by introducing Permit2, a smart contract released in 2022.
Permit2 aimed to streamline the process by allowing users to grant batch token approvals to decentralized applications (DApps), thereby eliminating the need for multiple on-chain approvals and reducing gas fees. However, this seemingly innocuous solution opened up a new avenue for illicit actors to obtain "permit" signatures through phishing schemes, ultimately siphoning tokens from unsuspecting victims.
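As an added illustration (not the article's content, and not Uniswap's code), the following Python models the pre-signature review a wallet could apply to a Permit2 PermitBatch typed-data request, flagging the traits a phishing page relies on: an unknown spender, unlimited amounts, never-expiring allowances, a distant signing deadline and many tokens covered by one signature. The struct field names follow Permit2's PermitBatch/PermitDetails layout; the policy thresholds, the allow-list and all addresses are assumptions constructed for this example.

```python
import time

MAX_UINT160 = 2**160 - 1   # width of Permit2's amount field; this value means "unlimited"
MAX_UINT48 = 2**48 - 1     # width of the expiration field; this value never lapses
# Assumed wallet policy thresholds for this example (not Permit2 or Uniswap values):
MAX_EXPIRY_SECONDS = 30 * 24 * 3600   # flag allowances that outlive 30 days
MAX_SIG_DEADLINE_SECONDS = 30 * 60    # a signing deadline should be minutes, not months

NOW = 1_700_000_000                   # constructed fixed timestamp so results are deterministic
KNOWN_SPENDER = "0x" + "11" * 20      # constructed placeholder for a router the user has used
KNOWN_SPENDERS = {KNOWN_SPENDER}      # assumed allow-list kept by the wallet

def review_permit_batch(message, known_spenders=KNOWN_SPENDERS, now=None):
    """Return findings (strings) for a PermitBatch EIP-712 message; [] means nothing flagged."""
    now = int(time.time()) if now is None else now
    findings = []
    if message["spender"].lower() not in {s.lower() for s in known_spenders}:
        findings.append(f"spender {message['spender']} has never been used from this wallet")
    if int(message["sigDeadline"]) - now > MAX_SIG_DEADLINE_SECONDS:
        findings.append("sigDeadline is far in the future: the signed permit stays submittable")
    details = message["details"]
    if len(details) > 1:
        findings.append(f"batch permit covers {len(details)} tokens in one signature")
    for d in details:
        token, amount, exp = d["token"], int(d["amount"]), int(d["expiration"])
        if amount == MAX_UINT160:
            findings.append(f"{token}: unlimited allowance requested")
        # expiration 0 is the safest case: Permit2 lets such an allowance last only the current block
        if exp == MAX_UINT48 or exp - now > MAX_EXPIRY_SECONDS:
            findings.append(f"{token}: allowance would remain valid for more than 30 days")
    return findings

# Constructed request of the kind a phishing page presents as a harmless "connect" step
PHISHING_REQUEST = {
    "details": [
        {"token": "0x" + "aa" * 20, "amount": MAX_UINT160, "expiration": MAX_UINT48, "nonce": 0},
        {"token": "0x" + "bb" * 20, "amount": MAX_UINT160, "expiration": MAX_UINT48, "nonce": 0},
    ],
    "spender": "0x" + "ee" * 20,
    "sigDeadline": NOW + 365 * 24 * 3600,
}
# Constructed request a legitimate swap front end would produce: one token, bounded amount,
# one-hour allowance, ten-minute signing window, spender already on the allow-list.
BENIGN_REQUEST = {
    "details": [{"token": "0x" + "aa" * 20, "amount": 1_000 * 10**6, "expiration": NOW + 3600, "nonce": 1}],
    "spender": KNOWN_SPENDER,
    "sigDeadline": NOW + 600,
}

if __name__ == "__main__":
    for name, req in (("phishing", PHISHING_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, review_permit_batch(req, now=NOW) or ["no findings"])
```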
Limitations of the "Approve" Mechanism
The core functionalities of the ERC-20 standard, including the "approve" mechanism, have been instrumental in catalyzing the rise of decentralized finance (DeFi). However, this mechanism has also become a target for malicious entities to deceive users into signing fraudulent messages, exploiting the discrepancy between Ethereum's native currency, Ether, and ERC-20 tokens in their interaction with smart contracts.
While sending Ether to a smart contract is straightforward, ERC-20 tokens require explicit approvals when interacting with different smart contracts. This approval process becomes a prime target for malicious actors seeking to trick victims into granting unintended access to their funds.
The Immutable Curse: A Dilemma for Developers
The immutable nature of smart contracts poses a significant challenge for developers seeking to address the vulnerabilities in ERC-20 tokens. Changes to existing tokens in circulation are virtually impossible, leaving them perpetually susceptible to exploitation.
However, some projects have attempted to circumvent this limitation by employing upgradable proxies or middleman contracts. These solutions provide a degree of flexibility, allowing developers to modify or remove non-core functionalities such as "increaseAllowance" and "permit." Uniswap's Permit2, for example, extended "permit"-style signature approvals to ERC-20 tokens that lack the function natively.
The Social Engineering Factor
Despite the technical flaws in ERC-20 token design, social engineering techniques play a significant role in the success of phishing scams. These tactics manipulate human behavior, exploiting psychological vulnerabilities to trick victims into compromising their security.
Mikhail Vladimirov, an Ethereum developer and smart contract auditor, emphasizes the importance of user education and simplified wallet interfaces to mitigate the risks associated with phishing attacks. He argues that overly technical jargon and complex codes often confuse users, making them more susceptible to scams.
Are Phishing Scams a Priority?
The security community has been criticized for not prioritizing phishing scams, primarily attributed to their impact on less experienced users or flaws in front-end interfaces. Some researchers dismiss them as a "silly user problem" or a responsibility of wallet and front-end developers.
However, the prevalence of phishing attacks has expanded beyond novice users, and even experienced crypto enthusiasts have fallen victim to sophisticated social engineering schemes. Necksus, a crypto miner and collaborator with the forensics platform Intelligence On Chain, lost approximately $20,000 to a phishing scam after being deceived by a compromised NFT artist's account.
Emerging Trends in Phishing Attacks
Phishing scams are constantly evolving, with attackers employing increasingly creative techniques. Lev Menshikov of Oxorio, an auditing agency, highlights the rising popularity of attacks targeting ENS (Ethereum Name Service) domain owners. In this scheme, attackers send fraudulent email alerts to ENS domain owners, luring them to a bogus renewal website where their funds are extorted.
Mitigating Risks and Protecting Assets
While the immutability of smart contracts and the vast array of tokens make it challenging to prevent attacks on a purely on-chain level, a combination of security tools and user vigilance can significantly reduce the risk of falling victim to phishing scams.
WalletGuard and Pocket Universe are examples of security tools that allow users to scan URLs for potential risks and identify potential wallet drainers. By exercising caution and maintaining a heightened awareness of phishing attempts, crypto users can protect their digital assets from malicious actors.
A Cynical View: Profiting from Unresolved Issues
Some experts, like Ohtamaa, believe that there is a lack of incentive to resolve the phishing problem in the cryptocurrency industry. "It's always more profitable to sell aspirin than to cure the patient," he says, implying that the financial rewards of exploiting vulnerabilities outweigh the efforts required to fix them.
As the cryptocurrency ecosystem continues to evolve, it remains essential for developers, security researchers, and users to work together to address the ongoing threat of phishing scams. By understanding the vulnerabilities inherent in ERC-20 tokens and adopting proactive measures, crypto users can safeguard their digital assets and contribute to a more secure future for the crypto community.
Disclaimer: info@kdj.com
The information provided is not trading advice. kdj.com does not assume any responsibility for any investments made based on the information provided in this article. Cryptocurrencies are highly volatile and it is highly recommended that you invest with caution after thorough research!
If you believe that the content used on this website infringes your copyright, please contact us immediately (info@kdj.com) and we will delete it promptly.