$3.047M USDC Drained in Fake Request Finance Contract Attack on Safe

By Shweta Chakrawarty

A $3.047 million USDC phishing attack on a Safe multi-signature wallet was executed using a fake, verified Request Finance contract.

Quick Take

Summary is AI generated, newsroom reviewed.

  • A user's Safe multi-signature wallet was drained of $3.047 million in USDC through a sophisticated phishing attack.

  • The attack used a malicious contract that was nearly identical to a legitimate Request Finance contract and was verified on Etherscan to appear authentic.

  • The fraudulent approval was hidden within a batch payment transaction, which made it difficult for the victim to spot the malicious code.

  • The stolen funds were quickly swapped for ETH and funneled into Tornado Cash, making them difficult to trace.

A recent phishing attack has led to the loss of $3.047 million USDC. The exploit targeted a Safe multi-signature wallet using a fake Request Finance contract. Investigators say the attackers planned the scheme carefully and executed it in a way that looked almost authorized. The victim was using a 2-of-4 Safe multi-signature wallet. According to Scam Sniffer, the transaction appeared to be processed through the Request Finance app interface, but hidden inside the batch request was an approval of a malicious contract.

The fake contract address was nearly identical to the legitimate one, with only subtle differences in the middle characters. Both started and ended with the same characters, which makes the difference hard to notice at a glance. To increase credibility, the attackers even verified the malicious contract on Etherscan. This extra step made it look authentic to anyone reviewing it casually. Once the approval was granted, the attackers immediately drained $3.047 million USDC. The stolen funds were then swapped for ETH and quickly moved into Tornado Cash, making them difficult to trace.

A Carefully Planned Timeline

The timeline of the attack shows clear preparation. Thirteen days before the theft, the attackers deployed the fake Request Finance contract. They then carried out multiple “batchPayments” transactions to make the contract look active and trustworthy. By the time the victim interacted with it, the contract appeared to have a normal history of usage. When the victim used the Request Finance app, the attackers slipped the hidden approval into the batch transaction. Once the transaction was signed, the exploit was complete.

Response from Request Finance

Request Finance acknowledged the incident and issued a statement warning users. The company confirmed that a malicious actor had deployed a lookalike of its Batch Payment contract. According to the statement, only one customer was affected. The vulnerability has since been fixed, but the exact method used to inject the malicious approval remains unclear. Analysts believe possible attack vectors could include a vulnerability in the app itself, malware or browser extensions modifying transactions, or even a compromised frontend or DNS hijack. Other forms of code injection cannot be ruled out.

Security Concerns Highlighted

The case shows the growing trend of scams in the crypto industry. Attackers are no longer relying on basic phishing links or obvious tricks. Instead, they are deploying verified contracts, mimicking real services, and hiding malicious actions inside complex transactions. Batch transactions, which are designed to simplify payments, can also create opportunities for attackers. Because they group multiple actions, it becomes harder for users to review every approval or transfer. This obscurity allows attackers to slip in fraudulent operations that go unnoticed until it is too late.

Lessons for the Community

Experts stress the need for extreme caution when using multi-send or batch payment features. Every contract approval should be reviewed character by character to avoid confusion with similar-looking addresses. Even a single overlooked detail can result in major losses, as seen in this case. Security firms also recommend that users minimize the use of browser extensions and check for unverified apps connected to their wallets.

Keeping software updated, using hardware wallets for approvals, and cross-checking contract addresses through trusted sources can reduce the risk of such exploits. The incident is also a reminder for platforms to strengthen user protections. Enhanced warnings, automatic flagging of lookalike contracts, and improved transaction visibility could help prevent similar attacks.
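As an added illustration (not code from Request Finance, Safe, or Scam Sniffer), the sketch below shows what automatic flagging of a hidden approval could look like before signing: it unpacks a batch, finds token approvals, and reports any spender that is not on the signer's allowlist, marking those that imitate an allowlisted address. It assumes the batch uses Safe's MultiSend packed layout and that the approval is a standard ERC-20 `approve` call; all addresses and the sample batch are constructed.

```python
# Added example; every address and the batch below are constructed, not incident data.
APPROVE = bytes.fromhex("095ea7b3")        # selector of ERC-20 approve(address,uint256)
TRUSTED = "0x1111" + "a" * 32 + "2222"     # constructed: the genuine batch-payment contract
FAKE = "0x1111" + "b" * 32 + "2222"        # constructed: same first/last characters, different middle
TOKEN = "0x" + "c" * 40                    # constructed: token contract

def pack(op, to, value, data):
    """Encode one inner call in the assumed MultiSend layout (1+20+32+32 byte header, then data)."""
    return (bytes([op]) + bytes.fromhex(to[2:]) + value.to_bytes(32, "big")
            + len(data).to_bytes(32, "big") + data)

def approve_call(spender, amount):
    """ABI-encode approve(spender, amount)."""
    return APPROVE + bytes(12) + bytes.fromhex(spender[2:]) + amount.to_bytes(32, "big")

def decode_multisend(blob):
    """Split packed batch bytes into (operation, to, value, data) tuples."""
    calls, i = [], 0
    while i < len(blob):
        if len(blob) - i < 85:
            raise ValueError("truncated call header")
        to = "0x" + blob[i + 1:i + 21].hex()
        value = int.from_bytes(blob[i + 21:i + 53], "big")
        n = int.from_bytes(blob[i + 53:i + 85], "big")
        data = blob[i + 85:i + 85 + n]
        if len(data) != n:
            raise ValueError("truncated call data")
        calls.append((blob[i], to, value, data))
        i += 85 + n
    return calls

def imitates(addr, trusted, edge=4):
    """True if addr shares its first and last `edge` hex characters with a different trusted address."""
    return any(addr != t and addr[2:2 + edge] == t[2:2 + edge] and addr[-edge:] == t[-edge:]
               for t in trusted)

def review_batch(blob, trusted_spenders):
    """Return (index, verdict, token, spender) for each approval whose spender is not allowlisted."""
    trusted = {t.lower() for t in trusted_spenders}
    findings = []
    for idx, (_op, to, _value, data) in enumerate(decode_multisend(blob)):
        if data[:4] == APPROVE and len(data) >= 68:
            spender = "0x" + data[16:36].hex()
            if spender not in trusted:
                verdict = "lookalike" if imitates(spender, trusted) else "unknown"
                findings.append((idx, verdict, to, spender))
    return findings

# Constructed batch: a placeholder payment call, then an unlimited approval to the lookalike.
BATCH = pack(0, TRUSTED, 0, b"\x12\x34\x56\x78") + pack(0, TOKEN, 0, approve_call(FAKE, 2**256 - 1))
```

Running `review_batch(BATCH, [TRUSTED])` reports the second inner call as a lookalike approval, which is the kind of per-call visibility a signer needs when the wallet UI shows only a single batch transaction.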

A Costly Reminder

The $3.047 million loss is another reminder of the high stakes in decentralized finance. While Safe and Request Finance remain popular tools, attackers are increasingly exploiting their complexity. For users, caution is the only real defense. In this case, the attackers relied on subtlety, preparation, and a convincing fake. Unfortunately, that was enough to trick even a multi-signature setup into giving access. The incident shows that in crypto, every click and every approval matters.
