Updated: Jul 28
Disclaimer: The opinions expressed in this article are those of the author and do not reflect the opinions or views of GASO and its affiliates.
Recently, I crafted an article for GASO which described a new kind of Shazhupan / Pig-Butchering Scam / Crypto-Romance Scam on our radar utilizing dApps, or decentralized apps. In essence, the scammer, who attempts to position himself or herself as the victim’s love interest, introduces the concept of “crypto mining” through a fraudulent platform they will allegedly be investing in with incredible success. The platform initializes what are called “smart contracts,” which, when exploited, can act as an infinitely long subscription that ends only when the user’s wallet is empty or the user notices and cancels the contract elsewhere. Through our own intel, we were made aware that scam groups usher victims to download the app “Coinbase Wallet” in order to execute this scam.
While speaking with one of these “crypto mining” scammers, I downloaded Coinbase Wallet and visited the scam site, which as a decentralized app must be opened in a wallet app in order to initialize transactions. With no money in my wallet, I pressed a button from within the Coinbase Wallet browser to join the mining pool, and just like that the scam website attempted to initialize the smart contract. Since I had no money in my wallet, I was informed that I didn’t have enough money to join the pool. However, if I did have the required funds, a smart contract would have been authorized by Coinbase Wallet without my informed consent, leading me into one of these never-ending subscriptions that could drain my wallet within a year, a month, or even a day. This clearly is a just cause for alarm.
Terrified, I immediately penned a scathing rebuke which denounced the app’s lack of forewarning as a “security vulnerability.” A vulnerability is any flaw in an automated system that a bad actor can exploit at risk to others. Coinbase must hand over an authentication key to the scam dApp in order to initiate the contract, yet makes no mention of this to the user, nor asks the user to affirm their consent to hand over this authentication key. Trust Wallet and MetaMask, two other crypto wallet apps, warn users when entering flagged sites and ask users to confirm if they want to initiate a transaction. This is accompanied by a warning that bad actors can initiate bad trades such as infinitely long smart contracts which drain user wallets (as this scam does). Coinbase Wallet implements none of these, putting users at risk of engaging in transactions or smart contracts unknowingly. This is a security risk for all unseasoned crypto wallet owners and by their negligence, Coinbase becomes an implicit accomplice in the crime.
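What the warn-and-confirm step described above could look like before a wallet signs anything, as an added example that is not from the original article or from any wallet it names. It assumes the dApp's request is an ERC-20 `approve(spender, amount)` call, which the article does not specify; `reviewTransaction`, the flagged-site list, the "unlimited" threshold and the sample request are all hypothetical.

```javascript
// Added example, not code from any wallet named on this page.
// Assumption: the dApp's request is an ERC-20 approve(spender, amount) call.
const APPROVE_SELECTOR = "095ea7b3"; // 4-byte selector of approve(address,uint256)
const UNLIMITED_FLOOR = 1n << 255n;  // hypothetical policy: at or above this is "unlimited"

// tx: { origin, to, data } as a wallet browser would receive it from a dApp.
function reviewTransaction(tx, flaggedOrigins = new Set()) {
  const warnings = [];
  if (flaggedOrigins.has(tx.origin)) {
    warnings.push(`${tx.origin} is on the flagged-site list.`);
  }
  const data = (tx.data || "").toLowerCase().replace(/^0x/, "");
  if (!data.startsWith(APPROVE_SELECTOR)) {
    // Not an approval; still never sign without asking the user.
    return { kind: "other", requiresConfirmation: true, warnings };
  }
  // approve calldata: selector (8 hex chars) + spender word + amount word (64 each).
  if (data.length !== 8 + 128 || !/^[0-9a-f]+$/.test(data)) {
    warnings.push("Malformed approval request; do not sign.");
    return { kind: "malformed", requiresConfirmation: true, warnings };
  }
  const spender = "0x" + data.slice(32, 72); // last 20 bytes of the first word
  const amount = BigInt("0x" + data.slice(72));
  const unlimited = amount >= UNLIMITED_FLOOR;
  warnings.push(`Signing lets ${spender} move your balance of the token at ${tx.to}.`);
  if (unlimited) {
    warnings.push("The allowance is unlimited and lasts until you revoke it.");
  }
  return { kind: "approve", spender, amount, unlimited, requiresConfirmation: true, warnings };
}

// Constructed sample request (placeholder origin and addresses).
const sampleRequest = {
  origin: "https://mining-pool.example",
  to: "0x" + "11".repeat(20),
  data: "0x095ea7b3" + "0".repeat(24) + "22".repeat(20) + "f".repeat(64),
};
const sampleReview = reviewTransaction(sampleRequest, new Set(["https://mining-pool.example"]));
console.log(sampleReview.warnings.join("\n"));
```

Every path returns `requiresConfirmation: true`, so the user is always asked; the decoded fields only determine how strongly the prompt is worded.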
It is an unfathomably huge oversight not to ask a user to authenticate a purchase, especially on a third-party app. With a little research, I discovered this kind of smart contract scam has been reported by MetaMask as far back as 2018, so these scams may be older than Coinbase Wallet itself. I don’t know if Coinbase Wallet is working under an incredibly small development team, or if they have a lack of UX designers or unit testing engineers to ensure the app is safe and real-world ready. Coinbase Wallet is not ready for deployment and should not be downloaded or even present on the App Store until such safety measures have been considered and implemented. Not only does this vulnerability put users in danger, it also risks Coinbase’s reputation and trust among their user base. These measures are so easy to implement but are simply not there.
After some consideration, the original language I used labeling Coinbase Wallet’s flaw as a “security vulnerability” was rescinded by the GASO team over concerns that I would be causing unnecessary alarm. However, I believe that alarm is essential in this case, because until the flaw is fixed, Coinbase leaves customers vulnerable, especially those new to crypto investing.
If no security measures are in place to protect users, what is the incentive for using the app’s dApp feature? Any dApp accessed from the browser bar within the app could be a scam. And Coinbase leaves users a click of a button away from exploitation in the minefield of fraudulent dApps.