Angel Drainer targets restaking platforms with new attack vector, Blokcaid warns


Angel Drainer targets restaking platforms with new attack vector, Blokcaid warns

Phishing group Angel Drainer has started using a new attack vector, targeting restaking platforms, analysts at Blockaid alarm.

Blockaid’s analysts have discovered a new attack vector performed by the Angel Drainer group, using a protocol to carry out an approval farming attack via the “queueWithdrawal” function. In an X thread on Feb. 1, Blockaid shared affected wallet addresses, adding it is implementing a fix to safeguard users.

⚠️ Emerging web3 attack vector: Restake Farming ⚠️

Angel Drainer group has introduced a new attack vector utilizing a protocol to execute a novel form of approval farming attack through the ‘queueWithdrawal’ mechanism.


— Blockaid (@blockaid_) February 1, 2024

Restaking rewards, introduced by EigenLayer, provide Ethereum (ETH) stakers with new tokens. These tokens can be restaked in other decentralized applications, preserving the option to participate in protocols’ governance.

You might also like: Near Foundation and Eigen Labs partner to enhance Ethereum rollups

In the latest innovative attack, Angel Drainer has apparently made a new approval farming method through the “queueWithdrawal” function of the EigenLayer platform, approving a malicious “withdrawer” to withdraw staking rewards to the attacker’s address, the firm says.

“Unlike the regular ERC20 ‘approve’ method, this is a special kind of approval that is needed due to the nature of Ethereum staking.”


Blockaid emphasizes that this new attack vector involves a distinctive approval method, leading to most security providers or internal security tools not parsing and validating this approval type. To further elude detection, the attacker employs the so-called “CREATE2” mechanism to approve withdrawals to an empty address, as revealed by Blockaid.

The firm has notified the EigenLayer team about the “ongoing attack.” In a separate X post, EigenLayer confirmed the attack, urging users to stay vigilant amidst the increasing phishing attacks targeting its users.


Leave A Reply

Your email address will not be published.