Transaction simulation spoofing attack targets cryptocurrency wallets

A new attack method dubbed transaction simulation spoofing has emerged as a significant threat to cryptocurrency users, letting malicious actors exploit a key security feature in modern Web3 wallets, reports BleepingComputer.

Transaction simulation is designed to preview the predicted outcomes of blockchain transactions to enhance user trust and security. However, attackers have learned to exploit a critical flaw by luring victims to phony websites that mimic legitimate platforms. These sites initiate a fake claim function, and the simulation shows users an expected small ETH gain. During a brief time lag between the simulation and the execution of the transaction, attackers manipulate the on-chain contract state, enabling unauthorized transfers of the victim's entire wallet contents once the transaction is signed. The tactic recently enabled the theft of 143.45 Ethereum, valued at approximately $460,000, as reported by ScamSniffer.

ScamSniffer recommended that Web3 wallets configure simulation refresh intervals to match blockchain block times, implement forced refresh mechanisms, and introduce expiration warnings to mitigate these risks. Users are being advised to remain cautious of free claim offers on unverified websites and to rely only on trusted decentralized applications.
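The three wallet-side mitigations above (block-time refresh interval, forced refresh, expiration warning) can be combined into one gate in front of the signing prompt. The sketch below is an added example, not code from ScamSniffer or any wallet; the function names, the preview object shape, the `resimulate` callback and the 12-second block time are assumptions, and the sample values are constructed.

```javascript
// Added example; all names and values are hypothetical or constructed.
const BLOCK_TIME_MS = 12_000; // assumption: roughly 12 s per Ethereum block

// A preview is stale once a newer block exists or one block time has passed.
function isStale(preview, headBlock, nowMs) {
  return headBlock > preview.blockNumber ||
    nowMs - preview.createdAtMs >= BLOCK_TIME_MS;
}

// Gate the signing prompt. `resimulate` is a hypothetical callback that re-runs
// the simulation against the current chain head and returns a fresh preview.
function reviewBeforeSigning(preview, headBlock, nowMs, resimulate) {
  if (!isStale(preview, headBlock, nowMs)) {
    return { allowSign: true, preview, warning: null };
  }
  const fresh = resimulate(headBlock, nowMs); // forced refresh
  if (fresh.balanceDeltaWei !== preview.balanceDeltaWei) {
    // Expiration warning: what the user approved is no longer what will happen.
    return {
      allowSign: false,
      preview: fresh,
      warning: "Simulation expired and the outcome changed: was " +
        `${preview.balanceDeltaWei} wei, now ${fresh.balanceDeltaWei} wei`,
    };
  }
  return { allowSign: true, preview: fresh, warning: "Simulation refreshed" };
}

// Constructed scenario: the preview at block 100 shows a small gain.
const shown = { blockNumber: 100, createdAtMs: 0, balanceDeltaWei: 10n ** 12n };
// Contract state changed after the preview: the same call now drains 5 ETH.
const drained = (block, now) =>
  ({ blockNumber: block, createdAtMs: now, balanceDeltaWei: -(5n * 10n ** 18n) });
// Contract state untouched: the fresh preview matches the one shown.
const unchanged = (block, now) =>
  ({ ...shown, blockNumber: block, createdAtMs: now });

console.log(reviewBeforeSigning(shown, 100, 3_000, drained));    // still fresh
console.log(reviewBeforeSigning(shown, 101, 15_000, drained));   // blocked
console.log(reviewBeforeSigning(shown, 101, 15_000, unchanged)); // refreshed
```

A gate like this narrows the window between preview and signature but does not close it, because contract state can still change between the last refresh and the block that includes the transaction.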
