Money transfer, virtual currency, or money service -- Other transaction problem -- Complaint #6223944

Complaint Overview

Complaint ID: 6223944

Company: Circle Internet Financial

Product: Money transfer, virtual currency, or money service

Sub-Product: Virtual currency

Issue: Other transaction problem

State: California

ZIP Code: 92883

Date Received: 2022-11-19T12:00:00-05:00

Date Sent to Company: 2022-12-12T12:00:00-05:00

Company Response: Closed with explanation

Timely Response: No

Consumer Disputed: N/A

Submitted Via: Web

Consumer Narrative

Company Involved : Circle Payments, LLC Amount Involved {$150000.00} Date : XX/XX/2022 Actions Taken By Me : Reached out to Circle support via XXXX XXXX on XX/XX/XXXX and submitted email to Circle support on XX/XX/XXXX Response : No acknowledgment of complaint was received and no action has been taken Description of Event : I landed on a phishing website and was presented with a signature request for my XXXX wallet. XXXX presented this signature request with no warnings, disclosures or descriptions of what signing this request could do. Usually XXXX sites use a signature request for authentication purposes and signing a request presents no risk for users to have their funds transferred from their XXXX wallet. If there are any risks or possibility for fund transfer to occur, XXXX will display a warning or notification. When landing on the phishing website, XXXX presented me with a signature request with no warnings or disclosures that any money transactions could occur. It was presented as a mundane signature request with no dangers associated with it. However, when signing the signature request, a malicious smart contract was able to change the permissions of my digital wallet and transfer out all my XXXX out of my wallet without notification or confirmation. XXXX is a digital currency that is " regulated as a form of stored value or prepaid access under the laws governing money transmission ( or the statutory equivalent ) in the various U.S. states and territories '' under XXXX 's Terms of Service ( https : //www.circle.com/en/legal/usdc-terms ). In California, Circle Payments, LLC is licensed as a money transmitter ( NMLS ID : XXXX ; License Number XXXX ). The underlying XXXX XXXX contract that was created by Circle Payments, LLC had loopholes to allow the transfer of XXXX from a user 's wallet without any disclosures or confirmation from a user. I do not know whether this was intended or done by bad software design. I do believe that these backdoor loopholes were created to facilitate the trading of XXXX coins for other digital currencies on XXXX websites. However, this loophole created a security flaw that was easily exploited by malicious attackers and nothing has XXXX done to warn users or update the smart contract to make XXXX transactions more secure, follow money transmission laws, or comply with the Electronic Fund Transfer Act. I had {$150000.00} XXXX in my XXXX wallet that was transferred out without any type of disclosure of confirmation. Under the Electronic Fund Transfer Act, required disclosures must be clear and readily understandable, in writing, and in a form the consumer may keep. No disclosures were made to the consumer at any point in time, including at the time of transfer. No permission was given by the user for the transfer of XXXX and yet the transfer was made anyway. The functions within the XXXX smart contract ( https : XXXX # writeProxyContract ) that allowed this malicious behavior are the permit and transerFrom functions. These 2 functions allow XXXX sites to show a signature request that is disguised as a mundane authentication signature with no warnings, descriptions, or disclosures of what could potentially happen if it is signed. When signed, the attacker can then use a malicious smart contract to change the permissions of a victim 's wallet and " Approve Infinite USDC ''. Then the smart contract can use the transferFrom function to transfer all XXXX from the victim 's wallet to the attacker 's without notification, disclosure or confirmation of the fund transfer. 3 months before my incident, another incident occurred where a XXXX user lost almost {$500000.00} XXXX from the same exploit. And a well known hacker has been using this exploit to steal over {$3.00} XXXX worth of digital assets from victims. XXXX Payments, XXXX has been complicit in allowing these thefts to happen by ignoring complaints, failing to warn users, and refusing to update their smart contract. They are failing to protect its users. I have included a screenshot of a signature request that when signed, will allow a malicious user/smart contract to change the permissions of a users wallet and transfer XXXX out of their wallet without disclosure or confirmation from the user. I have also included a screenshot of a traditional ethereum transfer transaction that shows the amount being transferred along with a " confirm '' and " reject '' buttons. This illustrates the stark difference between these two types of notifications and confirmations. The first has no disclosures, descriptions of fund transfers, or " confirm '' button, yet it will allow the transfer of all of a user 's XXXX away from their wallet. Below are the blockchain transactions that XXXX facilitated that allowed the transfer of {$150000.00} USDC without disclosure or confirmation : Txn that gives permission to malicious user to change permissions on user 's wallet : https : XXXX Txn that transfers funds to a smart contract without the user 's confirmation : https : XXXX

Frequently Asked Questions

Disclaimer

This analysis is AI-generated based on publicly available CFPB complaint data. It does not constitute financial or legal advice.

Related Pages

• Circle Internet Financial Company Profile
• Money transfer, virtual currency, or money service Complaints
• Other transaction problem Complaints
• California Complaints
• Company Rankings
• Company Directory
• Search Complaints