Mirror Bots operating on the WAX blockchain.

Scams are a fact of life; if someone owns something of any value, then at some point someone will covet that asset and try to take it from them. The WAX blockchain is no different; however, a recent change by AtomicHub has made a particular class of scams easier.

Users of the WAX blockchain refer to this as a "mirror bot" or "copy bot" attack; however, the MITRE ATT&CK Framework would likely consider this a Phishing Technique (T1566):

All forms of phishing are electronically delivered social engineering.

What do all of these words mean?

I use some technical terminology that may make this article harder to read, so I have written a companion article with just steps to protect yourself as a reference.

  • WAX - the Worldwide Asset Exchange blockchain where I have observed this bot operating.
  • Mirror Bot / AtomicAssets Trade Phishing - these terms are effectively interchangeable; "Mirror Bot" is the colloquial description of AtomicAssets Trade Phishing.
  • Bad actor - a user of the blockchain who, with malicious intent, attempts to scam NFTs from a target.
  • AtomicMarket - the WAX/EOS Smart Contract responsible for announcing market listings, including buy and sell orders on the market.
  • AtomicAssets - the WAX/EOS Smart Contract responsible for on-chain NFTs and peer-to-peer trade offers.
  • AtomicHub - the dapp hosted on AtomicHub.io as an interface to the AtomicMarket, AtomicAssets and Atomic APIs.
  • Back Token Trade - a trade where an NFT has WAX tokens attached to it that the owner can redeem by burning the NFT.

How does an AtomicAssets Trade Phishing attack work?

At a very high level, the technique has three stages:

  1. The bad actor watches the blockchain for trade offers with a relatively high value, either backed by tokens or offered for some otherwise worthless NFT - example of a legitimate trade.
  2. The bad actor issues a new trade offer for the same assets, offering another worthless token (i.e. one worth 0.01 WAX or less) in return - example of a mirror trade: #1, #2.
  3. The bad actor expects the target not to notice the mirror trade and to accept the bad actor's offer instead of the one from the intended trading partner.

Attack Sequence for AtomicAssets Phishing - in this diagram the standard naming convention is followed: Alice and Bob are the legitimate trading partners and Mallory is the malicious actor.

It would be possible for the attacker to complete each of these steps manually. However, some autonomous agent (i.e. a bot) is likely programmatically filtering messages and creating offers.

The bots appear to use the following text in many of their trades.

Click on the ACCEPT button to start your trade.

In some cases, the bot adds additional text, such as:

You've been offered 0 WAX ($0)

This common programming error further led me to believe this bot was doing some calculations and rounding down to 0.

AI Generated artwork of a man standing next to a robot, the man is wearing a T-Shirt with the words "I'm With Stupid" - generated with MidJourney AI and edited with Photoshop

Why is this now easier on AtomicHub?

AtomicHub changed its User Experience to remove the reference to WAX backed against an NFT. Unfortunately, this change makes it impossible to differentiate, from the trade offer page alone, between a Back Token Trade and a scam trade for a worthless NFT.

This change is entirely intentional, of course. Back token trades are a common way of undertaking high-value trades on the WAX blockchain as they circumvent the fees applied by the Tokenomics, Collection and Market.

It's not in the interest of AtomicHub to make it safe and easy to complete back-token trades, as doing so would remove some revenue earned through maker/taker market sales. Therefore, this functionality is intentional and not considered an exploit in AtomicHub.

How can I protect myself from these scams?

First and foremost, it's essential to recognise that if you accept an offer, neither AtomicHub nor "WAX" can reverse the transaction; thus, checking trades carefully before you accept them is critical.

Due to AtomicHub's UX change, you need to dig a little instead of accepting from this page:

[Screenshot: wax.atomichub.io trading trade-offers page]

First, click on the token you are receiving, scroll down to the History section, click on the "Logs" tab and look for a logbackasset action (this is the on-chain record that WAX was attached to the asset):

[Screenshot: wax.atomichub.io asset page, History section, "Logs" tab showing logbackasset]

It's also possible to check the asset on NeftyBlocks by taking the AssetID out of the URI:

https://wax.atomichub.io/explorer/asset/1099589082405

(The trailing number, 1099589082405, is the Asset ID.)

And paste it at the end of the following Nefty Blocks URI:

https://neftyblocks.com/assets/{{ASSET ID}}

You can then see "Backed Tokens" as one of the properties on the NFT.
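The checks above can be scripted by a wallet tool or a cautious user. The following is an added example and is not code from the original article, AtomicHub or NeftyBlocks. It does two things that the text describes: it takes the Asset ID out of an AtomicHub explorer URI and builds the NeftyBlocks URI, and it flags "mirror" offers by grouping pending trade offers that request the same assets and comparing the WAX backing on what each sender is giving. The record layout (assets carrying a `backed_tokens` list with `token_symbol`, `token_precision` and `amount`; offers carrying `sender_assets`, `recipient_assets`, `offer_id` and `sender_name`) is an assumption modelled on the public AtomicAssets API, and every record below is constructed sample data, not real chain data.

```python
"""
Added example, not part of the original article.

Assumptions (also noted inline):
  - Asset and offer records follow the shape of the public AtomicAssets API:
    assets carry `backed_tokens` (token_symbol, token_precision, amount as a
    string integer in the token's smallest unit); offers carry `offer_id`,
    `sender_name`, `sender_assets` and `recipient_assets`.
  - All records below are constructed sample data.
"""
import re
from collections import defaultdict
from decimal import Decimal

# AtomicHub explorer URI, as shown in the article; the trailing digits are the Asset ID.
ATOMICHUB_ASSET_RE = re.compile(r"^https?://wax\.atomichub\.io/explorer/asset/(\d+)/?$")


def asset_id_from_url(url: str) -> str:
    """Extract the Asset ID from an AtomicHub explorer asset URI."""
    m = ATOMICHUB_ASSET_RE.match(url.strip())
    if not m:
        raise ValueError(f"not an AtomicHub asset URL: {url}")
    return m.group(1)


def nefty_url(asset_id: str) -> str:
    """Build the NeftyBlocks asset page URI where 'Backed Tokens' is shown."""
    return f"https://neftyblocks.com/assets/{asset_id}"


def backed_wax(asset: dict) -> Decimal:
    """Sum the WAX backing on one asset.
    Assumption: `amount` is an integer in the smallest unit, scaled by token_precision."""
    total = Decimal(0)
    for token in asset.get("backed_tokens", []):
        if token["token_symbol"] != "WAX":
            continue
        total += Decimal(token["amount"]) / (Decimal(10) ** int(token["token_precision"]))
    return total


def offer_backing(offer: dict) -> Decimal:
    """Total WAX backing on everything the sender is giving the recipient.
    An offer with no sender assets (nothing given in return) scores 0."""
    return sum((backed_wax(a) for a in offer.get("sender_assets", [])), Decimal(0))


def find_mirror_offers(offers: list[dict]) -> list[tuple[str, str, str]]:
    """Group offers by the exact set of asset IDs they request from the recipient.
    Within a group, the offer with the most WAX backing is treated as the
    reference; every other offer with strictly less backing is reported as
    (suspect_offer_id, reference_offer_id, suspect_sender)."""
    by_request: dict[tuple, list[dict]] = defaultdict(list)
    for offer in offers:
        key = tuple(sorted(a["asset_id"] for a in offer["recipient_assets"]))
        by_request[key].append(offer)

    flagged = []
    for group in by_request.values():
        if len(group) < 2:
            continue
        reference = max(group, key=offer_backing)
        for offer in group:
            if offer is not reference and offer_backing(offer) < offer_backing(reference):
                flagged.append((offer["offer_id"], reference["offer_id"], offer["sender_name"]))
    return flagged


# Constructed sample: Alice's legitimate back-token trade (500 WAX attached),
# Mallory's mirror of it offering an unbacked NFT, and one unrelated offer.
SAMPLE_OFFERS = [
    {"offer_id": "1001", "sender_name": "alice",
     "sender_assets": [{"asset_id": "1099500000001",
                        "backed_tokens": [{"token_symbol": "WAX", "token_precision": 8,
                                           "amount": "50000000000"}]}],
     "recipient_assets": [{"asset_id": "1099500000777"}]},
    {"offer_id": "1002", "sender_name": "mallory",
     "sender_assets": [{"asset_id": "1099500000009", "backed_tokens": []}],
     "recipient_assets": [{"asset_id": "1099500000777"}]},
    {"offer_id": "1003", "sender_name": "bob",
     "sender_assets": [{"asset_id": "1099500000010", "backed_tokens": []}],
     "recipient_assets": [{"asset_id": "1099500000888"}]},
]

if __name__ == "__main__":
    aid = asset_id_from_url("https://wax.atomichub.io/explorer/asset/1099589082405")
    print("check backing at:", nefty_url(aid))
    for suspect, reference, sender in find_mirror_offers(SAMPLE_OFFERS):
        print(f"offer {suspect} from {sender} mirrors offer {reference}; verify before accepting")
```

The grouping key is the full set of requested asset IDs, so an offer that asks for the same NFTs but attaches no backed WAX is surfaced next to the legitimate one rather than judged in isolation; a lone low-value offer with no richer counterpart is not flagged, which matches the text's point that the scam depends on a real trade existing to mirror.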

Conclusion

AtomicHub's change has made it harder to validate a back token trade; however, with some knowledge, we can continue participating in the WAX ecosystem using back token trades.
