Threat actors have exploited Create2 to establish new contract addresses meant to evade wallet security alerts and store stolen cryptocurrency assets, with one of the victims losing $927,000 worth of GMX after signing a contract that facilitated asset transfers to a pre-calculated address, according to a report from Scam Sniffer. Meanwhile, other intrusions involved the exploitation of Create2 to enable address poisoning, or the creation of malicious addresses resembling those that are owned by the recipient.
Address poisoning involving Create2 has resulted in the theft of almost $3 million from 11 victims since August, noted researchers.
The findings come after the accidental delivery of $20 million by a Binance operator to scammers using address poisoning tactics in August, which was eventually averted.