Closed fanshen0407 closed 2 years ago
Hi Teams
We found that the domain was blocked because:
Fake DEX phishing for secrets with POST //p4.bytetrade.com/bittrade/v1/me?cmd=getUserInviter&userid=my_mnemonic or Fake DEX phishing for secrets with POST //p4.bytetrade.com/bittrade/v1/me?cmd=getUserInviter&userid=my_private_key
This API is used to get the user's referrer information and does not include the user's Private Key or Mnemonics.
Please let me explain how it works with this example; all this information is recorded on the blockchain:
Take the user "rhonne21" as an example: https://explorer.bytetrade.com/address.html?userId=rhonne21&type=transaction
This is a new user who registered yesterday. He is from this app: ByteHub (https://play.google.com/store/apps/details?id=com.bytetrade.bytehub), the decentralized crypto wallet which integrates the ByteTrade decentralized exchange.
https://explorer.bytetrade.com/transaction-info.html?id=246c2661aad4b203425f84c6fb861eed36c8fb11&blockType=3 The above transaction recorded the registration operation. As you can see, the referrer is bytehub_account.
The user deposited 0.005 BTC: https://explorer.bytetrade.com/transaction-info.html?id=d391b021c9eef30ca637a8118d0781344bdb17e9&blockType=1
Then he places 2 orders: sells BTC for USDT, and buys ETH with USDT: https://explorer.bytetrade.com/transaction-info.html?id=afd4c13a455edf9ad9d52b8a2e2c9e8bca07f803&blockType=2 https://explorer.bytetrade.com/transaction-info.html?id=36353babdfcda9c7fcac1f6eeb6b05b678998a9d&blockType=1
And he submits a withdrawal: https://explorer.bytetrade.com/transaction-info.html?id=00d64050cf1e3e0b5ec0e0f0c31d93be23ad6373&blockType=1
The Ethereum transaction of this withdrawal is: https://etherscan.io/tx/0xe74bc8928df04692032a0e50fbc851601a15a197f3afe1a188e30378e283812f
In the above process, the website will request the referrer information through /p4.bytetrade.com/bittrade/v1/me?cmd=getUserInviter&userid, and pack this information into the transaction, so the ByteTrade blockchain is able to give some commission to the referrer.
We found #3619 (https://github.com/MetaMask/eth-phishing-detect/pull/3619)
It also mentioned https://urlscan.io/result/4369c122-ce6c-4a33-90d7-a0b2047b183b
The relevant descriptions are: "This website contacted 3 IPs in 2 countries across 2 domains to perform 37 HTTP transactions. The main IP is 52.3.137.91, located in Ashburn, United States and belongs to AMAZON-AES, US. The main domain is www.bytetrade.io. TLS certificate: Issued by Sectigo RSA Domain Validation Secure ... on January 10th 2020. Valid for: a year. The main domain was scanned 3 times on urlscan.io. 3 structurally similar pages on different IPs, domains and ASNs found."
1) ByteTrade is a decentralized value exchange network. We released an API in cooperation with CCXT (https://github.com/ccxt/ccxt) earlier this year, and you can see that we are a CCXT Certified Cryptocurrency Exchange.
2) We noticed that our customer Infinivi has also been added to the blacklist. In order to improve the liquidity of decentralized exchanges, we also provide white-label decentralized exchange services (https://www.bytebulls.com/). This will cause the structure of most customers' web pages to be similar.
3) Witness nodes are distributed in 11 AWS server rooms around the world. Generally, users will deploy websites in different regions according to demand and let the websites access the nearest witness node. But at the same time, some services are only available on a single server, which is why the website requests 3 IPs in multiple countries.
4) Our colleague reviewed the front-end code and confirmed that the interface p4.bytetrade.io/bittrade/v1/me?channel=infinivi&timestamp=1580244325033&cmd=getUserInviter&userid= does not get the user's private key and mnemonic. The userid feature is the same as on the EOS chain and BitShares chain: the information is public on the blockchain and will not cause additional information leakage.
5) The user's key is encrypted and stored locally in the user's browser, and can only be loaded back into memory to sign the transaction after the user enters the password.
6) If we have not noticed the problem, please give us a more detailed description, and we can rectify it accordingly.
The userID is the user's secret when importing their account via mnemonic phrase or private key. Please see https://www.youtube.com/watch?v=hcIdnu86GSA&feature=youtu.be
This warrants the blacklist as per "What reasons do we blacklist a website for?"
Hi, @409H Thank you very much for your work. This is a huge mistake in our work, which causes security risks.
Please let me explain the purpose of this API:
We are different from Bitcoin or Ethereum: a ByteTrade account is composed of a mnemonic and a userid. This we borrowed from BitShares. The user can create an account on the bytetrade.com website and export it; then the user will get: a) the 13 words, which consist of 12 mnemonics and 1 userid; b) the private key.
The 12 mnemonics can generate the unique private key and address. The address can control the account where the userid is located. Address and account have a many-to-one relationship.
When the user wants to import an account, he needs to: a) input 12 mnemonics and 1 userid, or b) input the private key and 1 userid.
Both the mnemonic and the private key are converted into addresses on the front end. Then the website will get the user's address via this API: https://p4.bytetrade.com/bittrade/BlockServlet?cmd=users&userid=Tushan.
If the userid returned by this API is the same as the userid entered by the user, and the address is the same as the address generated by the user's mnemonic/private key, then the website will agree to import.
In the video, the placeholder is "Input the mnemonics and account name separated by space", and because you entered a private key and no userid, you saw the prompt "mnemonics length error".
As shown in the picture, our front-end engineer made a mistake: no return was performed after rejection, resulting in the subsequent code still being executed.
In addition, this code has a big problem in the value verification. We have launched a simple fix version on https://www.infinivi.io/ and are working on the further refactoring. In order for you to reproduce the problem, we have not updated bytetrade.com. We recorded a video to reproduce the problem: https://youtu.be/5FP_SvAfk-Q
We sincerely hope you can understand this as a program bug, not fraud. Thank you.
We provide a set of mnemonics and a userid for you to test. You can also choose to create an account and export them to test. The test account is:
a) Mnemonics and userid:
rubber dune add require spend tornado weird sausage elite sponsor relax nephew testaccount1234
b) Private key and userid:
9a19d03632f2d8d81e553a9c77d2bf24d12525c1322d1a8147bad1e8f249fc13 testaccount1234
After you verify, we will update the website of bytetrade.com.
Many thanks.
@409H I hope this message finds you well. If there is any information you need from us, please let me know, I will reply as soon as possible.
We submitted a PR: https://github.com/MetaMask/eth-phishing-detect/pull/3632 If you could merge it, that would be great.
@409H We noticed that #3623 conflicted with the existing code, so we submitted a new PR, hoping to add bytetrade.com and bytetrade.io to the whitelist.
If you have any questions or need more information, please let me know.
Many thanks
Hi @409H
Hope you are doing well.
May I know if there is any progress on the whitelist-request issue? It has been more than 23 days; we provided all the information we had and still haven't got any response. May I know what you are concerned about and what I can do to solve this situation?
And please merge this request, thank you. https://github.com/MetaMask/eth-phishing-detect/pull/3693
@409H
Hope this message finds you well.
Any progress on our issue? We are still waiting for your reply. Do you need any information from us?
Thank you.
@409H
Hi, we have fixed the issue on bytetrade.com and infinivi.io, please review again.
Many thanks.
Continued in #7351.
Dear Teams, thank you for your review. We are the developer team of https://www.bytetrade.com. There is an "Ethereum Phishing Detection" sign on our website, and we certainly do not have any phishing or scam issue.
Our business is to offer white-label decentralized exchange development solutions to our clients. bytetrade.com is an official demo site. In our decentralized exchange solution, users' assets are protected by smart contracts; we do not hold users' assets.
Now the phishing detection sign makes our clients very nervous, and I couldn't find more information about this situation, so please help us to fix this. If you need any assistance, please let me know. My email is fanshen@bytetrade.io.
Many thanks.