SlowMist Unveiling how fake recharge attacks break through the layered defenses of exchanges

SlowMist reveals how fake recharge attacks penetrate exchange's layered defenses


A fake deposit attack refers to attackers exploiting vulnerabilities or system errors in the process of depositing on an exchange, sending forged transaction information to the exchange’s wallet address. The exchange mistakenly recognizes these forged transaction information as genuine deposit requests and adds the corresponding digital assets or currencies to the attacker’s account. By utilizing this method, attackers can obtain unpaid digital assets, resulting in asset loss for the exchange.

This article aims to delve into how fake deposit attacks bypass the defense mechanisms of exchanges. We will analyze the principles behind fake deposit attacks, uncover the vulnerabilities and strategies utilized by attackers. Additionally, we will use examples to analyze fake deposit attacks in order to better understand the attack methods and their impacts. Furthermore, we will discuss emergency measures and preventive measures that exchanges can take to counter fake deposit attacks, providing recommendations for protecting assets and dealing with similar attacks.

Analysis of Deposit Principles

Before understanding fake deposits, we need to first understand the deposit principles of exchanges.

A typical process is as follows:

1. Wallet Address Generation

Exchanges allocate a unique wallet address to each user for receiving deposits. These addresses are usually generated by the exchange’s system. When users make deposits, they need to send the digital assets to a specific wallet address in the exchange account.

2. Blockchain Ledger Scanning

The exchange’s nodes synchronize with other nodes in the blockchain network to obtain the latest blockchain status and transaction information. When the exchange node receives a new block, it extracts the deposit transaction ID and corresponding amount from the transaction content contained in the block or from the transaction execution events triggered by the block, and adds them to the pending deposit list.

3. Confirmation of Deposit

Exchanges usually require a certain number of confirmations in the blockchain network for a transaction to be considered valid. Confirmation means that the transaction is referenced by a certain number of blocks and is verified and confirmed by other miners. The number of confirmations set by the exchange may vary depending on different digital assets and networks.

As shown in the diagram:

(Fake deposit attacks occur in steps 5 and 6)

Fake Deposit Attack Patterns

Exchanges are prime targets for hacker attacks, so exchanges usually place their servers behind multiple layers of defense systems, and even offline custodianship for core fund management services. However, due to the blockchain system’s requirement for data integrity, malicious transactions are not intercepted by peripheral security systems.

It should be noted that fake deposit attacks are not vulnerabilities of the blockchain itself, but rather attacks that exploit certain characteristics of the blockchain to construct special transactions. These malicious transactions make the exchange mistakenly recognize them as genuine deposit requests or process the same deposit request multiple times. After extensive practical experience, the SlowMist Security Team has summarized several common methods used in fake deposit attacks.

Since 2018, the SlowMist Security Team has disclosed multiple fake recharge attacks, including:

  • USDT Fake Transfer Security Risk Analysis

  • EOS Fake Recharge (hard_fail status attack) Red Alert Details Disclosure and Repair Plan

  • Ethereum Token “Fake Recharge” Vulnerability Details Disclosure and Repair Plan

  • Bitcoin RBF Fake Recharge Risk Analysis

In addition to these publicly disclosed fake recharge attacks, there are also several classic attack methods that we have not publicly disclosed, as well as some universal attack methods. For example:

  • Bitcoin Multi-Signature Fake Recharge

  • Ripple Partial Payment Fake Recharge

  • Filecoin Double Spending Fake Recharge

  • TON Bounce Fake Recharge

If you want to learn more details, please feel free to contact us for in-depth discussions.

Case Study: TON Bounce Fake Recharge

Almost all blockchains have fake recharge issues, but some attacks are easy to avoid while others require in-depth understanding of the characteristics of the blockchain to prevent harm.

Taking TON’s fake recharge as an example, we will show you how cunning attackers exploit TON’s characteristics to attack exchanges.

TON (The Open Network) is a blockchain project initiated by the well-known communication software Telegram, which supports deploying smart contracts on users’ accounts.

When an exchange integrates TON recharge, as described earlier, it first generates a recharge address for the user, and then the user transfers their assets to the recharge address, and finally confirms the deposit.

How does the exchange confirm that a transaction belongs to its user? Let’s look at a normal transfer through the RPC interface:

Usually, exchanges judge whether the destination in_msg is the user’s recharge address. If it is, they credit the amount (converted according to the precision) to the user’s account. But is this secure?

TON transactions have a feature that almost all internal messages sent between smart contracts should be bouncy, meaning they should set their bounce flag. This way, if the target smart contract does not exist or throws an unhandled exception when processing the message, the message will “bounce” back and carry the balance of the original value (minus all message transfers and gas fees).

In other words, if a malicious attacker transfers funds to an account that has not deployed a contract by setting the bounce flag, the recharge amount will be bounced back to the original account after deducting the fees. The exchange detects the user’s recharge record, but did not expect the recharged coins to be “bounced” back to the attacker’s account.

Let’s take a look at this transaction. Comparing it with a normal transaction, we can see that there is an additional out_msg, which is the operation of bouncing the funds back to the original account.

If an exchange only checks the in_msg, it will mistakenly credit the attacker’s account, causing a loss of platform assets.

Best Practices to Prevent Fake Deposit Attacks

Some basic strategies to prevent fake deposit attacks include:

1. Multiple Confirmation Mechanism: Set multiple confirmation requirements for deposits to ensure that transactions are considered valid only after receiving sufficient confirmations on the blockchain. The number of confirmations should be set based on the security of different digital assets and the confirmation speed of the blockchain;

2. Rigorous Transaction Matching: When filtering user transactions from the blockchain, only transactions that fully match the normal transfer pattern can be automatically set as deposits, and the balance change should also be checked;

3. Risk Control System: Establish a comprehensive risk control system to monitor and detect abnormal transaction activities. This system can identify potential risks and abnormal behaviors by analyzing deposit patterns, transaction frequencies, transaction sizes, and other factors;

4. Manual Review: For large amounts or high-risk transactions, additional reviews should be conducted through manual review mechanisms. Manual review can increase the credibility of transactions, identify abnormal transactions, and prevent malicious deposits;

5. API Security: Authenticate and authorize external API interfaces to avoid unauthorized access and potential vulnerabilities. Regularly review the security of API interfaces and perform timely security updates and fixes;

6. Withdrawal Restrictions: After a deposit occurs, temporarily restrict users from withdrawing the deposited assets. This allows the exchange enough time to confirm the validity of the deposit and prevent potential fake deposit attacks;

7. Security Updates: Timely update exchange software and systems to fix potential security vulnerabilities. Continuously monitor the security status of the exchange and collaborate with cybersecurity experts to conduct regular security audits and penetration testing.

For specific blockchain-based fake deposit prevention, it is necessary to read the official documentation and understand the characteristics present in transactions.

Badwhale Fake Deposit Detection System

In their long-term practice of attack and defense, the SlowMist Security Team has developed the Badwhale fake deposit testing system specifically for digital asset management platforms. This system aims to help them detect and evaluate their ability to prevent fake deposit attacks, optimize their defense mechanisms, and ensure the security of user assets and the reliability of digital asset management platforms.

Badwhale is an exclusive commercial system developed by the SlowMist Security Team that has accumulated years of experience. It has been serving dozens of platforms for many years, effectively avoiding the risk of fake deposits amounting to billions of dollars.

Key Features:

1. Simulated Fake Deposit Attack: Badwhale is capable of simulating various types of fake deposit attacks and automatically sending false deposit requests to the tested digital asset management platform. This helps evaluate the weaknesses of the digital asset management platform, identify potential vulnerabilities, and security risks;

2. Diverse Testing Scenarios: The system provides diverse testing scenarios and attack modes to comprehensively test the fake deposit defense of the digital asset management platform based on actual situations;

3. High Scalability: Badwhale is designed as a highly scalable testing system, supporting testing for different digital asset management platforms and blockchain platforms, and can flexibly adapt to the requirements of different system architectures and technical environments.

Badwhale currently supports fake deposit testing for hundreds of public chains and tens of thousands of tokens, including:

  • Bitcoin Families (BTC/LTC/DOGE/QTUM…)

  • BitcoinCash

  • Ethereum Families 


  • ERC20 Tokens (USDT…)

  • Ethereum L2 (ARB/OP/METIS…)

  • Polygon

  • Polygon Tokens

  • Cosmos Families (ATOM/LUNA/KAVA/IRIS/OSMO…)

  • EOS Families and EOS Tokens (EOS/WAX/XPR/FIO/TLOS…)

  • Ripple

  • Flow

  • Aptos

  • Solana

  • Solana SPL-Tokens

  • Conflux

  • Polkadot Families (DOT/ASTR/PARA/MOVR/GLMR…)

  • Tron

  • Filecoin

  • Ton

  • Mina

  • Sui

  • Ordinals (ORDI…)

With the powerful features of Badwhale, digital asset management platforms can conduct comprehensive tests on fake deposit defense, understand their performance when facing fake deposit attacks, optimize their defense mechanisms, and enhance the security of user assets. The introduction of Badwhale will help digital asset management platforms strengthen security protection, improve their ability to resist fake deposit attacks, and ensure the reliability and user trustworthiness of digital asset transactions.


By thoroughly studying the breakthrough methods of fake deposit attacks, we can better understand the importance of digital asset management platforms in protecting user assets and maintaining security. Only by enhancing security defense measures, continuously monitoring vulnerabilities, and taking appropriate countermeasures can digital asset management platforms effectively respond to fake deposit attacks and other security threats, ensuring the credibility and reliability of digital asset transactions.