Briefing

A sophisticated phishing attack successfully drained $3.047 million in USDC from a 2-of-4 Safe multi-signature wallet on September 11, 2025. This incident highlights the critical risk of disguised malicious contract approvals within seemingly routine transactions. The attacker leveraged a fake, Etherscan-verified contract, mirroring the legitimate recipient’s address, to bypass user scrutiny and execute the illicit transfer. The immediate consequence for the affected user was a significant capital loss, with stolen funds rapidly converted to Ethereum and laundered via Tornado Cash.

Context

Prior to this incident, the digital asset landscape had already faced advanced social engineering and contract manipulation tactics. Attack surfaces commonly include front-end interfaces, compromised administrative keys, and weaknesses in user authorization flows. The prevailing risk factor was the growing sophistication of phishing schemes that use legitimate-looking infrastructure to trick users into granting malicious approvals. This exploit relied on a known class of weakness: the deceptive embedding of malicious logic within standard transaction mechanisms.

Analysis

The attack began with the deployment of a fake, Etherscan-verified contract approximately two weeks before the exploit. This contract was crafted to mimic a legitimate batch payment function, lending it an undeserved air of authenticity. The attacker then used the Safe MultiSend mechanism to disguise a malicious approval inside what appeared to be a standard batched transaction. The victim, interacting through the Request Finance app interface, unknowingly authorized transfers to this fraudulent contract.

This chain of events allowed the attacker to siphon $3.047 million in USDC, subsequently swapping the assets for Ethereum and funneling them through Tornado Cash to obscure the financial trail. The success of this attack underscores the attacker’s advanced preparation and the deceptive power of mimicking trusted on-chain entities.

Parameters

  • Targeted Entity: 2-of-4 Safe multi-signature wallet
  • Attack Vector: Sophisticated phishing via malicious contract approval
  • Financial Impact: $3.047 million USDC
  • Blockchain: Ethereum
  • Exploited Mechanism: Safe MultiSend
  • Deception Method: Fake, Etherscan-verified contract mimicking a legitimate address
  • Facilitating Application: Request Finance app interface
  • Attribution/Discovery: ZachXBT, SlowMist founder Yu Xian, Scam Sniffer

Outlook

Immediate mitigation requires users to exercise extreme vigilance when approving transactions, manually verifying all contract addresses and approval details before signing. Protocols must enhance their front-end security to detect and warn against suspicious contract interactions, even when originating from verified contracts. This incident establishes a new benchmark for phishing sophistication, demanding that security audits extend beyond code logic to include comprehensive assessments of user interaction flows and the potential for social engineering at the application layer. The contagion risk extends to any multi-signature wallet or DeFi protocol relying on user approvals via third-party interfaces.
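The Analysis section describes a malicious approval hidden inside a Safe MultiSend batch, and the Outlook above asks users and front-ends to verify every contract address and approval before signing. The following is an added example, not code from the page, from Safe, or from Request Finance: it unpacks the `transactions` argument of Safe's `multiSend(bytes)` (each entry is packed as operation 1 byte | to 20 bytes | value 32 bytes | data length 32 bytes | data) and flags ERC-20 `approve`/`transfer` calls whose counterparty is off an allowlist, resembles a trusted address at both ends, or grants an unlimited allowance. The token and recipient addresses, the allowlist and the sample batch are constructed placeholders, not the incident's real addresses.

```python
from dataclasses import dataclass

# Function selectors: first 4 bytes of keccak256 of the signature.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")   # approve(address,uint256)
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
UINT256_MAX = 2**256 - 1


@dataclass
class Call:
    operation: int  # 0 = CALL, 1 = DELEGATECALL
    to: str         # 0x-prefixed lowercase address
    value: int      # wei
    data: bytes     # ABI-encoded calldata


def encode_multisend(calls: list[Call]) -> bytes:
    """Pack calls in MultiSend's format; used here only to build the sample batch."""
    out = b""
    for c in calls:
        out += bytes([c.operation])
        out += bytes.fromhex(c.to[2:])
        out += c.value.to_bytes(32, "big")
        out += len(c.data).to_bytes(32, "big")
        out += c.data
    return out


def decode_multisend(packed: bytes) -> list[Call]:
    """Unpack the `transactions` argument of multiSend(bytes) into individual calls."""
    calls, i = [], 0
    while i < len(packed):
        if len(packed) - i < 85:  # fixed header is 1 + 20 + 32 + 32 bytes
            raise ValueError(f"truncated MultiSend entry at offset {i}")
        operation = packed[i]
        to = "0x" + packed[i + 1:i + 21].hex()
        value = int.from_bytes(packed[i + 21:i + 53], "big")
        length = int.from_bytes(packed[i + 53:i + 85], "big")
        data = packed[i + 85:i + 85 + length]
        if len(data) != length:
            raise ValueError(f"data length {length} overruns batch at offset {i}")
        calls.append(Call(operation, to, value, data))
        i += 85 + length
    return calls


def erc20_args(data: bytes) -> tuple[str, int]:
    """Return (address, uint256) from ABI-encoded (address,uint256) calldata."""
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")


def looks_alike(candidate: str, trusted: str, n: int = 4) -> bool:
    """True when two different addresses share their first and last n hex chars,
    the pattern a reviewer who only checks the ends of an address would miss."""
    a, b = candidate.lower()[2:], trusted.lower()[2:]
    return a != b and a[:n] == b[:n] and a[-n:] == b[-n:]


def audit_batch(packed: bytes, trusted: set[str]) -> list[tuple[int, str]]:
    """Return (call index, finding) pairs for every embedded call worth a second look."""
    trusted = {t.lower() for t in trusted}
    findings = []
    for idx, c in enumerate(decode_multisend(packed)):
        if c.operation == 1:
            findings.append((idx, f"DELEGATECALL to {c.to}"))
        selector = c.data[:4]
        if selector not in (APPROVE_SELECTOR, TRANSFER_SELECTOR) or len(c.data) < 68:
            continue
        counterparty, amount = erc20_args(c.data)
        role = "spender" if selector == APPROVE_SELECTOR else "recipient"
        if counterparty not in trusted:
            findings.append((idx, f"{role} {counterparty} is not on the allowlist"))
        for t in trusted:
            if looks_alike(counterparty, t):
                findings.append((idx, f"{role} {counterparty} mimics trusted {t}"))
        if selector == APPROVE_SELECTOR and amount == UINT256_MAX:
            findings.append((idx, "unlimited approval"))
    return findings


# Constructed sample: a token contract, a trusted payee, and a look-alike address
# that matches the payee's first and last four hex characters.
TOKEN = "0x" + "22" * 20
TRUSTED_RECIPIENT = "0xabcd" + "0" * 32 + "abcd"
LOOKALIKE = "0xabcd" + "f" * 32 + "abcd"


def erc20_call(selector: bytes, addr: str, amount: int) -> bytes:
    return selector + bytes(12) + bytes.fromhex(addr[2:]) + amount.to_bytes(32, "big")


SAMPLE_BATCH = encode_multisend([
    Call(0, TOKEN, 0, erc20_call(TRANSFER_SELECTOR, TRUSTED_RECIPIENT, 1_000 * 10**6)),
    Call(0, TOKEN, 0, erc20_call(APPROVE_SELECTOR, LOOKALIKE, UINT256_MAX)),
])

if __name__ == "__main__":
    for idx, msg in audit_batch(SAMPLE_BATCH, {TRUSTED_RECIPIENT}):
        print(f"call #{idx}: {msg}")
```

Run against the sample, the first call (a plain transfer to the trusted payee) produces no findings, while the second surfaces all three warnings: the spender is off the allowlist, it mimics the trusted address at both ends, and the allowance is unlimited. A signing front-end or a signer's own pre-signature check can run the same decoding on the real `transactions` bytes so that nothing inside a batch is approved unseen.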

Verdict

This incident definitively signals a critical escalation in phishing attack sophistication, necessitating an immediate and fundamental shift towards rigorous manual transaction verification and enhanced application-layer security across the digital asset ecosystem.

Signal Acquired from: CryptoSlate