A gas token scam has resurfaced, targeting users of Binance Smart Chain (BSC), according to security researchers. Gas tokens are designed to help users save on gas fees, but they have become the focus of malicious actors seeking to exploit vulnerabilities. The recent Multichain exploit prompted various security tools to advise users to revoke any unsolicited transactions, creating an opportunity for hackers to take advantage of the situation.
The gas token scam emerged as developers urged users to revoke all contract approvals related to the compromised Multichain bridge. Prompted by these warnings, at least one scammer deployed a fake ERC-20 token on BSC to steal funds when users revoked the contract. The scam involved minting CHI, a gas token developed by the team behind the 1inch DeFi protocol, and transferring it to another address. CHI was originally created to allow Ethereum users to lock in low gas prices, but it became redundant on the Ethereum mainnet in 2021 due to an update that voided the refund feature it relied on.
While Ethereum eliminated the refund mechanism for gas tokens, some blockchains, including BSC, still support these tokens. This vulnerability has been exploited before on BSC, as identified by BlockSec in January. Until the refund mechanism is disabled, malicious actors are likely to continue exploiting gas tokens. However, developers of security tools such as Revoke Cash and Rabby have been proactive in responding to the threat. They have implemented features to protect users, such as disabling revoking approvals when gas fees exceed a certain threshold.
It is important for BSC users to exercise caution and remain vigilant against potential scams. Staying informed about the latest security measures and updates from trusted sources can help mitigate the risk of falling victim to such fraudulent activities.