
‘Ice Phishing’ Threats on Blockchain and DeFi Networks


What is Ice Phishing?

The ‘ice phishing’ technique does not involve stealing one’s private keys. Rather, it is about tricking a user into signing a transaction, which delegates the approval of the user’s tokens to the attacker.

Microsoft stated, “This is a common type of transaction that enables interactions with DeFi smart contracts, as those are used to interact with the user’s tokens.” Microsoft describes ‘ice phishing’ as an emerging threat on blockchain and DeFi networks.

In an ‘ice phishing’ attack, the attacker typically changes the spender’s address to the attacker’s address.

So, once the approval transaction has been signed, submitted, and mined, the spender/hacker will be able to access the funds.

In an ‘ice phishing’ attack, the attacker accumulates approvals over a period of time. Eventually, the attacker drains the victims’ wallets quickly, making use of the fake requests. This is exactly what happened in the Badger DAO attack.

Badger DAO Attack

The Badger DAO attack was a phishing attack that happened in November-December 2021. During that time, the attacker was able to steal nearly 121 million US dollars from users.

This is a serious threat to the DeFi and cryptocurrency space.  If an attacker is capable of single-handedly grabbing a major chunk of crypto funds in complete anonymity, this changes the overall dynamics of the DeFi process.

From the Badger DAO attack, the important lessons learnt are:

1. It is important to build security into web3 while it is in its early stages of evolution and adoption.
2. End users should explicitly verify information using additional resources, such as reviewing projects, their documentation, and their external reputation on informational websites.

Blockchain ERC-20 Tokens and Avoiding Phishing

Blockchain – The blockchain is a distributed ledger, which is secured by cryptographic algorithms. The transactions submitted to a blockchain will modify the ledger, by transferring cryptocurrency coins from one account to another.  These changes are documented in the ledger.

ERC-20 Tokens – In order to transfer tokens from one account to another, the sender of the transaction must be approved to perform the transfer. The owner of the tokens is automatically approved for those transactions. The owner can also delegate approval of transfers to additional entities, as the smart contract protocol allows. Smart contracts move funds on behalf of a user, and they power decentralized finance (DeFi) and decentralized exchanges (DEXes). So, when these protocols are used to exchange tokens of different types (e.g., LINK for USDC on the Uniswap V3 DEX), it becomes important to avoid phishing attacks of any kind.
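A defensive pre-signing check for the approval transactions described above, as an added example that is not from the original article or from Microsoft: it decodes ERC-20 `approve` / `increaseAllowance` calldata and warns when the spender is not on a trusted list or the allowance is unlimited. The allowlist, the addresses and all function names are assumptions constructed for illustration.

```python
# Added example: review ERC-20 approval calldata before the user signs it.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
MAX_UINT256 = 2**256 - 1
# Constructed placeholder addresses (lower-case hex), not real contracts.
TRUSTED_SPENDER = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "ab" * 20
TRUSTED_SPENDERS = {TRUSTED_SPENDER}


def decode_approval(calldata):
    """Return (function, spender, amount), or None if this is not an approval call."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    name = APPROVAL_SELECTORS.get(data[:8])
    if name is None:
        return None
    args = data[8:]
    if len(args) != 128:  # two 32-byte ABI words, hex encoded
        raise ValueError("malformed approval calldata")
    if int(args[:24], 16) != 0:  # an address occupies the low 20 bytes only
        raise ValueError("address argument has non-zero padding")
    return name, "0x" + args[24:64], int(args[64:], 16)


def review_transaction(calldata, trusted=TRUSTED_SPENDERS):
    """Return the warnings a wallet should show the user before signing."""
    decoded = decode_approval(calldata)
    if decoded is None:
        return []
    name, spender, amount = decoded
    warnings = []
    if spender not in trusted:
        warnings.append(f"{name}: spender {spender} is not on the trusted list")
    if amount == MAX_UINT256:
        warnings.append(f"{name}: unlimited allowance requested")
    return warnings


def build_calldata(selector, spender, amount):
    """Construct sample calldata: selector followed by two 32-byte ABI words."""
    return "0x" + selector + spender[2:].rjust(64, "0") + format(amount, "064x")
```
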


James

James T, a passionate crypto journalist from South Africa, explores Litecoin, Dash, & Bitcoin intricacies. Loves sharing insights.
