Sending WETH To WETH Contract Mistake

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 12:52, 17 July 2023 by Azoundria (talk | contribs) (Another 30 minutes complete.)
Jump to navigation Jump to search

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Wrapped Ethereum Graphics

A user made the mistake of sending wrapped ethereum to the wrapped ethereum smart contract, thinking it would work to unwrap it. Instead, their funds were permanently lost.

About basubadelmevt

About Wrapped Ethereum

"Edit: Full story. Sent ETH to WETH contract and got WETH back (after some googling I found this is how the contract works). Assumed it works the same way backwards and sent WETH back to the contract. No ETH back. Apparently you have to use a frontend to get the ETH back. ETH lost forever."


The Reality

TBD

What Happened

A user sent wrapped ethereum to the wrapped ethereum smart contract, expecting that it would be converted to ethereum. However, this was not the case.

Key Event Timeline - Sending WETH To WETH Contract Mistake
Date Event Description
January 29th, 2022 7:37:50 PM MST Blockchain Transaction The actual initial blockchain transaction is performed, which sends wrapped ethereum to the wrapped ethereum smart contract[1]. The end result of this transaction is that the wrapped ethereum is sitting in the smart contract's address[2].
January 29th, 2022 8:01:46 PM MST Original Reddit Post The incident is first posted to Reddit[3][4] by basubadelmevt[5]. There is just a link to the transaction[6].
January 30th, 2022 9:04:30 PM MST Incident Crossposted The incident is crossposted to the /r/SorryForYourLoss subreddit[7].
January 31st, 2022 1:38:02 AM MST Reddit Post Deleted The Reddit post was deleted sometime prior to the start of January 31st[8][9][10][11].
January 31st, 2022 12:11:58 PM MST CryptoPotato Article Published The story is shared to the CryptoPotato[10][12].
February 2nd, 2022 Repost To IFunny The Reddit post is shared to IFunny, with specific commentary on the concern over the perception of cryptocurrencies[5].

Total Amount Lost

Web3isGoingGreat estimated the loss at $510,000 USD[13].

The total amount lost has been estimated at $510,000 USD.

Immediate Reactions

"I am sharing my wallet address in case the community wants to help me remediate some of this loss. I would also be in favor of an EIP returning money to addresses who lost money because of these early mistakes. However, I can see that this can be a contentious one, so the community and the success of Ethereum should always be first."

Thanks From Original Poster

"Edit 2: Thanks strangers. I am really happy to see lots of kind hearted people in the comments and chat. This is a significant amount of money for anyone to lose and it was the case for me as well. I was under the stress of some other things in my life and made a bigger mistake by making assumptions in this wild early technology. But, I will be OK."

Ultimate Outcome

As of April 6th, 2023, the wrapped ethereum smart contract presently holds 654.29451014 wrapped ethereum, all of which is permanently lost[14].

Concern Over Negative Cryptocurrency Perception

"Edit 3: I am also sorry that this was a negative event for the perception of cryptocurrencies. The last thing I would want in this world :( A life-changing lesson for me, but definitely something to work on as a community as well."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

TBD

Individual Prevention Policies

The primary issue was that the transaction which was sent did not perform the desired function. The situation could have been avoided through further research, and losses could have been massively reduced by testing with a smaller amount of funds prior to transferring the full amount. When transferring money in a way you haven't done before, extra caution is warranted.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Further education about the risks of transactions and the need to perform test transactions may have prevented the situation.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

The wrapped ethereum smart contract did not include any method for retrieving tokens stuck in the contract. This could potentially have been uncovered and flagged as part of a review during early development..

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

An industry insurance fund could assist in the event of loss.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

Greater education should make clear that test transactions need to be done before transacting with high value. The blockchain provides a number of tools such as testnets to test without any funds as stake. Most transactions can also be first tested with only a small amount of money at risk.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

An industry insurance fund could assist in some events. They may be able to provide more immediate relief than any other strategy.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Ethereum Transaction Sending WETH to WETH Contract - Etherscan (Apr 5, 2023)
  2. Screenshot Of Original Reddit Post - Reddit (Sep 17, 2022)
  3. Original Thread Now [deleted by user] - Reddit (Apr 6, 2023)
  4. Original Thread Now [deleted by user] - Reddit (Apr 5, 2023)
  5. 5.0 5.1 Tyler Glaiel - "someone lost half a million dollars because they made a small mistake while trying to do a crypto transaction." - Br.Ifunny.Co (Apr 5, 2023)
  6. Did I just lose half a million dollars by sending WETH to WETH's contract address? : ethereum (Apr 5, 2023)
  7. [$500k] Did I just lose half a million dollars by sending WETH to WETH's contract address? - Reddit (Apr 5, 2023)
  8. [deleted by user] : ethereum - Reddit (Apr 5, 2023)
  9. Did I just lose half a million dollars by sending WETH to WETH's contract address? : ethereum (Apr 5, 2023)
  10. 10.0 10.1 Ethereum Investor Loses $500,000 After Sending WETH to the WETH Contract - CryptoPotato (Apr 5, 2023)
  11. Did I just lose half a million dollars by sending WETH to WETH's contract address? - Reddit (Apr 6, 2023)
  12. Ethereum Investor Loses $500,000 After Sending WETH to WETH Address - CryptoPotato Archive (Apr 6, 2023)
  13. Trader loses $510,000 trying to convert funds between two currencies - Web3isGoingGreat (Apr 5, 2023)
  14. Wrapped Ethereum Smart Contract - Etherscan (Apr 6, 2023)

Cite error: <ref> tag with name "newsdotbitcoin-10665" defined in <references> is not used in prior text.

Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Sending_WETH_To_WETH_Contract_Mistake&oldid=4826"