Briefing

A sophisticated phishing attack successfully compromised an unidentified investor’s 2-of-4 Safe multi-signature wallet, resulting in the unauthorized transfer of assets. The primary consequence involved the draining of over $3 million in USDC, which the attacker rapidly converted to Ethereum and routed through Tornado Cash. This incident highlights a critical vulnerability in user transaction verification processes and the evolving tactics of threat actors. The total financial impact of the exploit stands at $3.047 million in USDC.

Context

Before this incident, the digital asset landscape had faced persistent phishing threats targeting user approvals and wallet permissions. The prevailing attack surface includes interfaces where users authorize transactions, which makes them susceptible to social engineering and malicious contract interactions. A known class of vulnerability involves attackers deploying seemingly legitimate, Etherscan-verified contracts to masquerade as trusted entities, a tactic this exploit effectively leveraged.

Analysis

The attack began with the attacker deploying a fake, Etherscan-verified contract weeks in advance, programmed with deceptive “batch payment” functions. The compromised system was the victim’s multi-signature wallet, and the attack was carried out through the Request Finance app interface. The attacker crafted the fraudulent contract’s address to mirror the legitimate recipient’s address, using identical first and last characters.

This enabled the malicious approval to be disguised within the Safe Multi Send mechanism, appearing as a routine authorization. The chain of cause and effect shows the attacker’s strategic preparation, exploiting the victim’s trust and the complexity of transaction details to gain unauthorized control over funds.

Parameters

  • Protocol/Wallet Targeted → Unidentified investor’s 2-of-4 Safe multi-signature wallet
  • Vulnerability Type → Sophisticated Phishing, Malicious Contract Approval
  • Financial Impact → $3.047 Million USDC
  • Blockchain Affected → Ethereum
  • Attack Vector Detail → Fake Etherscan-verified contract mimicking legitimate address, exploiting Safe Multi Send mechanism
  • On-Chain Forensics → Funds swapped to Ethereum and routed to Tornado Cash
  • Initial Flagging → ZachXBT on September 11, 2025
  • App Interface Exploited → Request Finance app

Outlook

Immediate mitigation steps for users involve heightened scrutiny of all transaction approval requests, particularly when interacting with multi-send mechanisms. Users must verify the full contract address and not solely rely on partial matching. This incident will likely establish new security best practices emphasizing enhanced client-side validation and improved user interface transparency for complex transaction types. The contagion risk extends to any protocol or user relying on similar multi-send or batch transaction functionalities without robust, explicit authorization checks.
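One way to apply the full-address check before signing, shown as an added example that is not code from the original report, Safe, or Request Finance: it decodes a Safe MultiSend batch (packed as operation, target, value, data length, data) and flags any ERC-20 `approve` whose spender is not an exact allowlist match, marking spenders that merely share a trusted address's first and last characters. The function names and all addresses are constructed for illustration.

```python
APPROVE = bytes.fromhex("095ea7b3")  # selector of ERC-20 approve(address,uint256)

def decode_multisend(blob):
    """Split MultiSend's packed bytes: op(1) | to(20) | value(32) | len(32) | data."""
    i, txs = 0, []
    while i < len(blob):
        n = int.from_bytes(blob[i + 53:i + 85], "big")
        if len(blob) < i + 85 + n:
            raise ValueError("truncated MultiSend payload")
        txs.append((blob[i], "0x" + blob[i + 1:i + 21].hex(),
                    int.from_bytes(blob[i + 21:i + 53], "big"), blob[i + 85:i + 85 + n]))
        i += 85 + n
    return txs

def lookalike(addr, trusted, k=4):
    """Return the trusted address that addr imitates (same first/last k hex chars)."""
    return next((t for t in trusted
                 if addr != t and addr[2:2 + k] == t[2:2 + k] and addr[-k:] == t[-k:]), None)

def review_batch(blob, trusted):
    """Flag delegatecalls and approve() spenders that are not an exact allowlist match."""
    trusted = {t.lower() for t in trusted}
    findings = []
    for idx, (op, to, _value, data) in enumerate(decode_multisend(blob)):
        if op == 1:  # operation 1 = delegatecall, runs foreign code in the Safe's context
            findings.append((idx, "delegatecall", to))
        if data[:4] == APPROVE and len(data) >= 68:
            spender = "0x" + data[16:36].hex()  # low 20 bytes of the first ABI word
            if spender not in trusted:
                kind = "lookalike-spender" if lookalike(spender, trusted) else "unknown-spender"
                findings.append((idx, kind, spender))
    return findings

# Constructed sample data below (not taken from the incident).
def pack(op, to, value, data):
    return (bytes([op]) + bytes.fromhex(to[2:]) + value.to_bytes(32, "big")
            + len(data).to_bytes(32, "big") + data)

def approve_call(spender, amount):
    return APPROVE + bytes.fromhex(spender[2:]).rjust(32, b"\0") + amount.to_bytes(32, "big")

TOKEN = "0x" + "11" * 20               # placeholder token contract
PAYEE = "0xd1c2" + "00" * 16 + "a7b9"  # trusted recipient
FAKE = "0xd1c2" + "ff" * 16 + "a7b9"   # same first/last 4 hex chars, different middle
BATCH = pack(0, TOKEN, 0, approve_call(PAYEE, 1000)) + pack(0, TOKEN, 0, approve_call(FAKE, 2**256 - 1))

if __name__ == "__main__":
    print(review_batch(BATCH, [PAYEE]))
```
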

Verdict

This incident underscores the critical necessity for advanced user education and robust protocol-level safeguards against increasingly sophisticated social engineering and contract impersonation tactics.

Signal Acquired from → cryptoslate.com

multi-signature wallet

Definition ∞ A multi-signature wallet is a type of digital wallet that requires multiple private keys to authorize a transaction.

malicious contract

Definition ∞ A malicious contract is a piece of code, often a smart contract on a blockchain, designed with the intent to deceive, defraud, or harm users.

multi-signature

Definition ∞ Multi-signature, often abbreviated as multisig, is a type of digital signature that requires more than one cryptographic key to authorize a transaction.

transaction

Definition ∞ A transaction is a record of the movement of digital assets or the execution of a smart contract on a blockchain.

wallet

Definition ∞ A digital wallet is a software or hardware application that stores public and private keys, enabling users to send, receive, and manage their digital assets on a blockchain.

vulnerability

Definition ∞ A vulnerability refers to a flaw or weakness in a system, protocol, or smart contract that could be exploited by malicious actors to compromise its integrity, security, or functionality.

financial impact

Definition ∞ Financial impact describes the consequences of an event, decision, or technology on monetary values, asset prices, or economic activity.

ethereum

Definition ∞ Ethereum is a decentralized, open-source blockchain system that facilitates the creation and execution of smart contracts and decentralized applications (dApps).

contract

Definition ∞ A 'Contract' is a set of rules and code that automatically executes when predefined conditions are met.

tornado cash

Definition ∞ Tornado Cash is a decentralized cryptocurrency mixing service designed to enhance user privacy by obscuring the transaction history of digital assets.

interface

Definition ∞ An interface is a point where two systems, subjects, organizations, etc.

users

Definition ∞ Users are individuals or entities that interact with digital assets, blockchain networks, or decentralized applications.

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.