Briefing

A sophisticated phishing attack resulted in the unauthorized transfer of assets from a 2-of-4 Safe multi-signature wallet. The attacker manipulated the transaction approval process by leveraging a fake Etherscan-verified contract, embedding a malicious approval within a seemingly routine multi-send operation. This incident highlights the persistent threat of social engineering combined with technical deception in the DeFi ecosystem. The total financial impact of this breach is $3.047 million in USDC.

Context

Prior to this incident, a prevailing risk factor involved user reliance on superficial visual inspection for complex transaction approvals. Attackers frequently leverage the perceived legitimacy of verified contracts and the inherent complexity of multi-send operations. This creates an attack surface where subtle discrepancies in transaction data can lead to significant asset loss.

Analysis

The incident’s technical mechanics involved compromising the user’s transaction approval process within the Request Finance app, specifically targeting a Safe multi-signature wallet. The attacker began by deploying a fake, Etherscan-verified contract designed to mimic a legitimate “Batch Payment” contract. This counterfeit contract then exploited the Safe Multi Send mechanism, embedding a malicious approval within what appeared to be a standard transaction.

The victim unknowingly authorized this malicious contract, granting the attacker access to drain $3.047 million in USDC from their 2-of-4 Safe multi-signature wallet. The stolen funds were subsequently swapped for Ethereum and routed through Tornado Cash, a privacy protocol, for obfuscation, demonstrating a clear intent to conceal the illicit trail.
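
As an added example (not code from the original report, Safe, or Request Finance), the Python below shows how a signer-side check could unpack a Safe MultiSend payload and surface an embedded approval before anyone signs. It assumes the malicious approval is an ERC-20 `approve(address,uint256)` call; the addresses, the allowlist, and the `pack` helper are constructed placeholders.

```python
# Added example: decode the packed `transactions` argument of Safe's
# multiSend(bytes) and flag ERC-20 approve() calls to unknown spenders.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # approve(address,uint256)
HEADER = 1 + 20 + 32 + 32  # operation | to | value | dataLength

def decode_multisend(packed: bytes):
    """Split the packed bytes into inner calls, validating declared lengths."""
    calls, i = [], 0
    while i < len(packed):
        if len(packed) - i < HEADER:
            raise ValueError("truncated inner transaction header")
        op = packed[i]                      # 0 = CALL, 1 = DELEGATECALL
        to = "0x" + packed[i + 1:i + 21].hex()
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        dlen = int.from_bytes(packed[i + 53:i + 85], "big")
        data = packed[i + 85:i + 85 + dlen]
        if len(data) != dlen:
            raise ValueError("inner data shorter than declared length")
        calls.append({"operation": op, "to": to, "value": value, "data": data})
        i += HEADER + dlen
    return calls

def review(packed: bytes, trusted_spenders: set):
    """Return findings a signer should resolve before approving the batch."""
    findings = []
    for n, c in enumerate(decode_multisend(packed)):
        d = c["data"]
        if d[:4] == APPROVE_SELECTOR and len(d) >= 68:
            spender = "0x" + d[16:36].hex()          # last 20 bytes of word 1
            amount = int.from_bytes(d[36:68], "big")
            if spender not in trusted_spenders:
                findings.append(f"call {n}: approve({spender}, {amount}) "
                                f"on token {c['to']}: spender not allowlisted")
    return findings

def pack(op, to_hex, value, data):
    """Hypothetical helper: build one inner call for the constructed sample."""
    return (bytes([op]) + bytes.fromhex(to_hex) + value.to_bytes(32, "big")
            + len(data).to_bytes(32, "big") + data)

# Constructed sample input: placeholder addresses, not values from the incident.
TOKEN, KNOWN, UNKNOWN = "11" * 20, "22" * 20, "33" * 20
transfer = bytes.fromhex("a9059cbb") + bytes(12) + bytes.fromhex(KNOWN) + (500).to_bytes(32, "big")
approve = APPROVE_SELECTOR + bytes(12) + bytes.fromhex(UNKNOWN) + (2**256 - 1).to_bytes(32, "big")
SAMPLE = pack(0, TOKEN, 0, transfer) + pack(0, TOKEN, 0, approve)

if __name__ == "__main__":
    for finding in review(SAMPLE, {"0x" + KNOWN}):
        print(finding)
```

The routine-looking transfer passes silently, while the unlimited approval to the non-allowlisted spender is reported by index so each signer can check it against what the interface displayed.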

Parameters

  • Protocol Targeted: Unidentified Multi-signature Wallet Owner
  • Attack Vector: Sophisticated Phishing (Safe Multi Send Exploitation)
  • Financial Impact: $3.047 Million USDC
  • Blockchain Affected: Ethereum
  • Vulnerability Class: Transaction Authorization Manipulation
  • Forensic Identifier: ZachXBT Flagged Incident
  • Attacker Tactic: Fake Etherscan-Verified Contract
  • Mitigation Post-Incident: Request Finance Patched Vulnerability

Outlook

Immediate mitigation steps for users include enhanced scrutiny of all transaction details, particularly for multi-send approvals, and the consistent use of hardware wallets with clear signing displays. The potential for second-order effects on similar protocols is high, as these sophisticated phishing tactics are readily adaptable to other DeFi platforms and multi-sig setups. This incident will likely establish new security best practices, emphasizing the critical need for more robust transaction simulation tools and clearer, more intuitive approval interfaces for complex contract interactions to prevent future exploitation.

Verdict

This incident underscores the critical evolution of social engineering tactics, demanding heightened vigilance and advanced verification mechanisms for all on-chain interactions.

Signal Acquired from: CryptoSlate