
The One with the Sweeper Bot

More bots, more problems. Protect yourself and fight back against sweeper bots.

Losing money sucks. Misplacing your wallet during a late-night escapade at your local dive bar, getting pickpocketed on Ave A near Tompkins Square Park, or having all of your ETH and NFTs drained from your wallet. This post is about the latter, but all these things suck.

WTF is a Sweeper Bot?

A sweeper bot is a malevolent script designed to keep a watchful eye on the blockchain, detect assets being sent to a compromised wallet, and promptly "sweep" those assets away to another location. This is made possible by the bot's ability to sign transactions using the victim's private key—which is derived from the secret recovery phrase (aka seed phrase).

You can only fall victim to a sweeping attack if you share your secret recovery phrase with someone. Never share your secret recovery phrase with anyone.

In order to understand how this attack works, we'll need to have a rudimentary understanding of blockchains. Picture a blockchain as a chain of sequential blocks, with each block being a package of transactions. Now, before a transaction is officially incorporated into a block—and ultimately the blockchain—it's broadcast to the blockchain network. Here, it temporarily resides in the transaction pool, or mempool, awaiting its turn to be added to an upcoming block. Once this happens, the transaction is deemed finalized, or mined.

sign transaction from wallet -> broadcast signed transaction to network -> transaction sits in mempool -> transaction finalized and added to next block

Enter the Sweeper Bot

These bots are astute. They monitor both the transactions being broadcast and the transaction pool. Upon detecting an incoming transaction to a compromised wallet, they spring into action, signing another transaction to divert those funds out of the wallet. The legitimate transaction and the bot's transaction often land in the same block, so any ETH (or other tokens) you send to your wallet is stolen by the sweeper bot practically the moment it arrives.

This is troublesome, principally because humans cannot act faster than a bot. If you send 1 ETH from Coinbase to your MetaMask wallet and it doesn't show up after a few minutes, you might mistakenly attribute it to a technical glitch or a manual error on your part. You may even send another ETH or two before you realize what's really happening. And if you're thinking of salvaging your NFTs—your beautiful Philosophical Fox or coveted ENS name—think again. Without ETH in your wallet to pay for gas fees, your digital assets remain trapped in the compromised wallet.
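If you suspect a wallet is being swept, the pattern above is easy to recognise in its transaction history: ETH arrives, and within the same block or the next couple of blocks almost all of it leaves again to one address you never chose. The following is an added example (not code from the original post) that flags that pattern in a constructed list of simplified transaction records; the addresses, hashes and amounts are made up for the demonstration, and `known_addresses` is an assumed list of addresses the owner recognises.

```python
"""Flag the sweeper-bot signature in a wallet's transaction history.

Added example with constructed data: inbound ETH followed, within a few blocks,
by an outbound transfer of (almost) the whole amount to an address the owner
does not recognise. Real addresses are 20-byte hex strings; the labels below
are placeholders so the sample is readable.
"""
from dataclasses import dataclass

WEI = 10**18          # 1 ETH in wei
GWEI = 10**9          # 1 gwei in wei

@dataclass(frozen=True)
class Tx:
    tx_hash: str
    block: int
    sender: str
    to: str
    value: int        # wei transferred
    gas_cost: int = 0 # wei actually paid for gas by the sender

def find_sweeps(history, wallet, known_addresses=(), max_block_gap=2, min_percent=90):
    """Return one record per suspected sweep.

    An inbound transfer counts as swept when, no more than `max_block_gap`
    blocks later, the wallet sends out at least `min_percent` of the received
    amount (value plus the gas it paid) to an address not in `known_addresses`.
    Integer arithmetic throughout: wei values never need floats.
    """
    wallet = wallet.lower()
    known = {a.lower() for a in known_addresses} | {wallet}
    inbound = [t for t in history if t.to.lower() == wallet and t.value > 0]
    outbound = [t for t in history
                if t.sender.lower() == wallet and t.to.lower() not in known]
    sweeps = []
    for inc in inbound:
        for out in outbound:
            gap = out.block - inc.block
            if gap < 0 or gap > max_block_gap:
                continue
            if 100 * (out.value + out.gas_cost) >= min_percent * inc.value:
                sweeps.append({"inbound": inc.tx_hash, "outbound": out.tx_hash,
                               "drain_to": out.to.lower(), "blocks_later": gap})
                break  # one outbound transfer explains this inbound one
    return sweeps

def drain_destinations(sweeps):
    """Count how often each destination address received swept funds."""
    counts = {}
    for s in sweeps:
        counts[s["drain_to"]] = counts.get(s["drain_to"], 0) + 1
    return counts

# --- constructed sample history (placeholder addresses, not real ones) ---
VICTIM, EXCHANGE, FRIEND, BOT = "0xvictim", "0xexchange", "0xfriend", "0xsweeper"
HISTORY = [
    Tx("0xaaa1", 50, EXCHANGE, VICTIM, 3 * WEI // 10),                    # 0.3 ETH in, before compromise
    Tx("0xaaa2", 51, VICTIM, FRIEND, WEI // 10, gas_cost=21_000 * 20 * GWEI),  # owner pays a friend
    Tx("0xbbb1", 100, EXCHANGE, VICTIM, WEI),                             # 1 ETH in
    Tx("0xbbb2", 100, VICTIM, BOT, 98 * WEI // 100, gas_cost=21_000 * 100 * GWEI),  # swept, same block
    Tx("0xccc1", 105, EXCHANGE, VICTIM, 5 * WEI // 10),                   # 0.5 ETH in ("maybe a glitch?")
    Tx("0xccc2", 106, VICTIM, BOT, 49 * WEI // 100, gas_cost=21_000 * 100 * GWEI),  # swept, next block
]

if __name__ == "__main__":
    found = find_sweeps(HISTORY, VICTIM, known_addresses=[FRIEND])
    for s in found:
        print(f"{s['inbound']} swept by {s['outbound']} to {s['drain_to']} "
              f"({s['blocks_later']} block(s) later)")
    print("drain destinations:", drain_destinations(found))
```

The transfer to a known address at block 51 is not flagged, and neither is the 0.3 ETH received at block 50, because nothing left the wallet within the block window. The two later deposits match the signature, and `drain_destinations` points at the single address the bot forwards everything to, which is the address you would report to the exchange or block explorer.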

Protecting Yourself and Fighting Back

First things first, sharing your seed phrase is akin to handing over the keys to your digital kingdom. No one needs to know it. You shouldn't even know it yourself. I couldn't tell you a single word from any of my seed phrases if you put a gun to my head—that's how it should be! I use a hot wallet (with an encrypted iCloud backup) for most of my on-chain activity, and I have a couple hardware wallets for assets that if stolen, I'd lose sleep over. If you're connecting to dApps using your mobile device, WalletConnect is a reputable open-source protocol that has garnered broad support. WalletConnect will never ask you for your secret recovery phrase.

But what if you're already ensnared in the bot's web? The mission now is to discreetly introduce ETH into our wallet to cover gas fees, thereby liberating our foxes and kitties and other assets, furry or not.

Enter the self-destructing smart contract

Sweeper bots will monitor public broadcasts and the transaction pool, but there are ways to transfer funds more discreetly, namely through internal transactions. These occur between smart contracts (as opposed to between human-controlled wallets) and are not broadcast or recorded as standalone transactions on the blockchain; they are side effects of a contract's execution. The transaction that deploys the contract is still public, but it is addressed to no one (a contract creation has an empty `to` field), and the ETH reaches the compromised wallet only through the contract's internal call. By leveraging a smart contract to transfer funds, we might just slip under the radar of a bot that watches for transactions addressed to the compromised wallet.

Here's an Ethereum smart contract written in Solidity that will send a specified amount of ETH to the compromised address and then self-destruct:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract SendEtherAndDestroy {
    // Compromised address to receive the ETH
    address payable public recipient;

    // Constructor that accepts the recipient address and sends ETH to it
    constructor(address payable _recipient) payable {
        recipient = _recipient;
        // Send the contract's balance to the recipient
        recipient.transfer(msg.value);
        // Destroy the contract and send any remaining ETH to the recipient
        selfdestruct(recipient);
    }

    // Fallback function to accept ETH
    receive() external payable {}
}

If we're lucky, this transfer will go undetected by the sweeper bot.

Subsequently, we'll broadcast pre-signed transactions—similarly to how Taylor did in Operation: CryptoKitty Rescue—using all the ETH in our wallet. This is to prevent the bot from capitalizing on any residual ETH, potentially jeopardizing our legitimate rescue transactions.

create self-destructing smart contract -> use smart contract to transfer ETH to compromised wallet -> send assets from compromised wallet to safe wallet using all available ETH -> foxes, kitties, and ENS names are safe
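The rescue only works if the ETH handed over by the contract is exactly what the rescue transactions need, and if those transactions are signed in advance with consecutive nonces so they can be broadcast the moment the gas lands. The following is an added example (not code from the original post) that does that planning offline: it budgets the funding amount from the rescue transactions' gas limits, walks the sequence in the worst case to confirm the last transaction consumes the final wei, and then shows how much is refunded after execution and whether that leftover is large enough for a bot to move. The gas limits, fees and nonce are constructed assumptions; `RescueTx` and the helper functions are hypothetical names for this example, and signing and broadcasting are left to your wallet tooling.

```python
"""Plan the gas budget for pre-signed rescue transactions.

Added example with constructed numbers. Under EIP-1559 a transaction must be
affordable at gas_limit * max_fee_per_gas when it is validated; after it
executes, the sender is only charged gas_used * (base_fee + priority_fee),
and the difference is refunded. That refund is the "residual ETH" the post
warns about.
"""
from dataclasses import dataclass

GWEI = 10**9
BASIC_TRANSFER_GAS = 21_000  # gas a plain ETH transfer costs; the least a bot must pay to move dust

@dataclass(frozen=True)
class RescueTx:
    description: str   # e.g. an ERC-721 transferFrom to the safe wallet
    gas_limit: int

def plan_rescue(rescues, start_nonce, max_fee_per_gas, max_priority_fee):
    """Return (funding_wei, plan). The funding amount is exactly the sum of each
    transaction's worst-case cost, so the sequence can be validated back to back."""
    if max_priority_fee > max_fee_per_gas:
        raise ValueError("priority fee cannot exceed max fee per gas")
    plan = []
    for i, r in enumerate(rescues):
        if r.gas_limit < BASIC_TRANSFER_GAS:
            raise ValueError(f"{r.description}: gas limit below the minimum")
        plan.append({
            "nonce": start_nonce + i,          # consecutive, so the batch can be broadcast at once
            "description": r.description,
            "gas_limit": r.gas_limit,
            "max_fee_per_gas": max_fee_per_gas,
            "max_priority_fee_per_gas": max_priority_fee,
            "value": 0,                        # asset transfers carry no ETH
            "max_cost_wei": r.gas_limit * max_fee_per_gas,
        })
    funding = sum(p["max_cost_wei"] for p in plan)
    return funding, plan

def worst_case_trace(funding, plan):
    """Balance after each transaction if every one burns its full gas limit at
    the max fee; raises if a later transaction would become unaffordable."""
    balance, trace = funding, []
    for p in plan:
        if balance < p["max_cost_wei"]:
            raise RuntimeError(f"nonce {p['nonce']} unaffordable: {balance} < {p['max_cost_wei']}")
        balance -= p["max_cost_wei"]
        trace.append(balance)
    return trace

def residual_after_execution(funding, plan, gas_used, base_fee):
    """Wei left in the wallet once the transactions actually execute.
    gas_used is an assumed list with one entry per transaction."""
    spent = 0
    for p, used in zip(plan, gas_used):
        tip = min(p["max_priority_fee_per_gas"], p["max_fee_per_gas"] - base_fee)
        spent += used * (base_fee + tip)
    return funding - spent

def residual_is_sweepable(residual, base_fee):
    """True if the leftover covers at least a basic transfer at the base fee,
    i.e. a bot could afford to move it."""
    return residual >= BASIC_TRANSFER_GAS * base_fee

# --- constructed rescue plan: assumed gas limits, fees and nonce ---
RESCUES = [
    RescueTx("ERC-721 transferFrom: Philosophical Fox -> safe wallet", 90_000),
    RescueTx("ERC-721 transferFrom: ENS name -> safe wallet", 90_000),
    RescueTx("ERC-20 transfer: remaining tokens -> safe wallet", 60_000),
]
FUNDING, PLAN = plan_rescue(RESCUES, start_nonce=7,
                            max_fee_per_gas=40 * GWEI, max_priority_fee=2 * GWEI)

if __name__ == "__main__":
    print(f"contract must hand over {FUNDING} wei ({FUNDING / 10**18:.4f} ETH)")
    for p, left in zip(PLAN, worst_case_trace(FUNDING, PLAN)):
        print(f"nonce {p['nonce']}: {p['description']} -> {left} wei left worst case")
    residual = residual_after_execution(FUNDING, PLAN, gas_used=[70_000, 65_000, 50_000],
                                        base_fee=30 * GWEI)
    print(f"refunded after execution: {residual} wei, sweepable: "
          f"{residual_is_sweepable(residual, 30 * GWEI)}")
```

With these assumed numbers the worst-case walk ends at exactly zero, which is the "all available ETH" property the post asks for. The second half of the output is the catch: unused gas and the gap between the max fee and the base fee come back as a refund, and in this example that refund is well above the 21,000-gas cost of a plain transfer, so a bot can still take it. Tight gas limits keep that leftover small; what the bot cannot do is take the NFTs and ENS name, because those have already moved.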

Yes, we'll have to overpay dearly in gas, but it's a small price to pay for the safety of our furry friends. Stay safe out there, y'all.
