“Ice phishing” and blockchain security

Feb. 28 — The global evolution of blockchain has occurred at a breakneck pace. In the business setting, blockchain is seeing increased adoption due to its utility in digital identity verification and in the secure transfer of both information and funds through smart contracts.

Smart contracts have business applications within the food services, financial, healthcare, government and manufacturing sectors, among others. While smart contracts are immutable, open source and audited, they are also susceptible to phishing attacks.

Ice phishing

The term “ice phishing” is relatively new. For those who may be unfamiliar, it refers to duplicitous activities designed to coerce users into signing transactions that permit token use by cyber attackers. Delegating approval of token use is a common type of transaction related to smart contracts, especially those used in DeFi.

In an “ice phishing” attack, threat actors simply need to modify the contract spender’s address, switching it over to the attacker’s address. This technique remains effective because current user interfaces do not reveal all pertinent information that may point towards contract tampering.

After the ice phishing contract/approval has been signed, the attackers can access any corresponding financial resources. Current ice phishers habitually accumulate approvals over a span of time and then drain all financial resources at once.

Preventing ice phishing

If your organization uses smart contracts, here’s what to watch for.

  1. Ensure that the address on your smart contract is correct. In addition to checking the contract’s front-end appearance, be sure to check the contract address as it appears elsewhere on the transaction.
  2. Consider auditing your smart contracts. Several reputable websites are available to help organizations audit contracts.
  3. Explore whether or not your smart contracts have incident response buttons or mechanisms, such as pause/unpause. Know which conditions can trigger pause/unpause, and understand how to trigger those options yourself.
  4. Be sure to document your audit and security incident response processes in a dedicated section of the website on which your smart contract “lives”.
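
One way to apply step 1 to token approvals, as an added example that is not from the original article: it decodes ERC-20 approve(address,uint256) calldata before signing and flags a spender that is not on a trusted list, or an unlimited allowance. The addresses, the trusted list and the function names are constructed for illustration.

```python
# Added example: vet an ERC-20 approval before signing (not from the original article).
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1

def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None for any other call."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if not data.startswith(APPROVE_SELECTOR):
        return None
    args = data[8:]
    if len(args) != 128:
        raise ValueError("approve() must carry exactly two 32-byte words")
    bytes.fromhex(args)                       # raises ValueError on non-hex input
    spender_word, amount_word = args[:64], args[64:]
    if spender_word[:24] != "0" * 24:         # an address is left-padded with 12 zero bytes
        raise ValueError("address word has non-zero padding")
    return "0x" + spender_word[24:], int(amount_word, 16)

def review_approval(calldata_hex, trusted_spenders):
    """Return warnings for an approval; an empty list means nothing was flagged."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return []
    spender, amount = decoded
    warnings = []
    if spender not in {a.lower() for a in trusted_spenders}:
        warnings.append("spender %s is not on the trusted list" % spender)
    if amount == MAX_UINT256:
        warnings.append("unlimited allowance requested")
    return warnings

# Constructed sample data: these addresses are placeholders, not real contracts.
TRUSTED = "0x" + "11" * 20
UNKNOWN = "0x" + "ab" * 20

def build_approve(spender, amount):
    """Build approve() calldata for the samples below."""
    return "0x" + APPROVE_SELECTOR + spender[2:].rjust(64, "0") + format(amount, "064x")

if __name__ == "__main__":
    for tx in (build_approve(TRUSTED, 1000), build_approve(UNKNOWN, MAX_UINT256)):
        print(review_approval(tx, [TRUSTED]) or "no warnings")
```

The same decoded spender value is what step 1 asks you to compare against the address shown in the front end.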

In conclusion

As smart contracts and the use of blockchain continue to evolve, knowing, understanding and sharing blockchain-based security best practices will become increasingly important.

For further insights into blockchain security, see CyberTalk.org’s latest whitepaper.