Pls Help! USDT and WETH tokens disappeared after swap attempt followed by MATIC token transfer

Hello,

I have been using the Metamask iPhone app as well as the browser extension for about 3-4 months.

In my iPhone wallet, about 8 days ago, I created an account and transferred 0.15 WETH and 430 USDT tokens from my browser account, on Polygon network. I then imported the browser account into my iPhone wallet.

Today, I first attempted to swap 200 USDT to WETH on my phone account. This didn’t work because I didn’t have any MATIC tokens to pay Gas fee in my phone account.

And so, I transferred some MATIC tokens from the imported browser account to my phone account, through the Metamask iPhone wallet app. Then, I attempted to use the app’s Swap option to swap some USDTs to WETH.

But this time, the app reported that I had no USDTs left in my phone account. I checked the browser account and confirmed that the USDTs were there either.

Looking at the transactions in Polygon, it looks like the transferring of MATIC tokens from my imported browser account into the phone account triggered two unauthorized transactions - transferring all of my USDTs and WETHs from the phone account to some third party account on Eth mainnet address: 0x7c9554d3ccb8c42072290304096c696b5e8e7b18

Here is the address of my iPhone wallet account:

0xb4d6545BB8ad7A3BF8B8a4315Fa9A0b3f152F692

Unauthorized transaction 1: 0xdc662f8291baac7726c884d4e1a2b0add138437266aebb7668c0b7d96d63de0e

Unauthorized transaction 2:
0xe937f3082acb7965f344258886813b23f1be5bb3ee88374e73d7d2ae992fc492

I never authorized either of these transactions.

Some $860 worth of USDT and WETHs seem to have disappeared from my Wallet!

Please help!!

I am extremely concerned with the safety of using MetaMask wallet right now. I never shared the secret phrases or private keys of my phone or browser accounts with anyone nor stored it on 3rd party Cloud storage.

Best,
Prax

Upon further investigation on polygonscan, I can clearly see that about 30-50 seconds after I transferred 0.3 MATIC tokens from my browser account to the phone account, two new transactions were automatically initiated from my phone account to some unknown account: 7c9554d3ccb8c42072290304096c696b5e8e7b18.

Polygonscan is showing that my WETH and USDT tokens are still lying in this account address, with no new IN / OUT activity.

Just fyi, all these transactions / swaps were performed on Polygon network, and not the Eth mainnet. And in my first post, I mistakenly said that the unauthorized transactions went to Eth mainnet. Instead, it went to the above address in Polygon network only.

Please advise what further action I could take.

Best,
Prax

More update - yesterday, I was chatting with folks on Polygon discord and they pointed out the following:

There is no history of my account approving any malicious contracts on Polygon network. I verified this by using Debank’s Profile > Approval > Polygon view for my account address: 0xb4d6545BB8ad7A3BF8B8a4315Fa9A0b3f152F692

However, a few days ago, my account did receive an airdrop of 750k tokens from what looks like a scam project (Zepe).

And this airdrop was done on a ton of other account addresses too, including the account (0x7c9554d3ccb8c42072290304096c696b5e8e7b18) to which my USDT and WETH got transferred!

A member of Polygon discord community said that the Zepe token airdrop might be responsible for the loss of funds. However, there is no evidence unless we examine the Zepe contract (0x119e2ad8f0c85c6f61afdf0df69693028cdc10be) which did the batch airdrop to my account as well as the other (recipient’s) account.

But fundamentally, I still can’t understand how funds can be withdrawn from my account without any contract approvals or leaking of the private key or the wallet’s secret phrase.

I haven’t received any help from Metamask support yet, but I am guessing that they are very heavily backlogged.

Any help or advice would be much appreciated!

Best,
Prax
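The approval check described in the post above can also be done directly on event logs. The following is an added example, not part of the thread and not MetaMask or Debank code: it sorts an account's ERC-20 outflows into those sent by the account itself, those that an earlier `Approval` could cover, and those with neither. The record layout (`tx`, `block`, `tx_from`) and every address are constructed for illustration; only the two event signature hashes are the standard ERC-20 ones.

```python
# keccak256 of Approval(address,address,uint256) and Transfer(address,address,uint256)
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def addr(topic):
    """An indexed address topic is 32 bytes; the address is the last 20."""
    return "0x" + topic[-40:].lower()

def pad(a):
    """Left-pad a 20-byte address to a 32-byte topic (used to build samples)."""
    return "0x" + "0" * 24 + a[2:].lower()

def classify_outflows(owner, logs):
    """Return [(tx, cause)] for every token Transfer leaving `owner`."""
    owner, allowances, out = owner.lower(), {}, []
    for log in sorted(logs, key=lambda l: l["block"]):
        sig, a, b = log["topics"][0], addr(log["topics"][1]), addr(log["topics"][2])
        token, value = log["address"].lower(), int(log["data"], 16)
        if a != owner:
            continue                      # not an event about this account
        if sig == APPROVAL:               # owner granted spender b an allowance
            allowances.setdefault(token, {})[b] = value
        elif sig == TRANSFER:
            # Allowances are not decremented here, so this over-attributes
            # to approvals rather than under-attributing.
            ok = [s for s, amt in allowances.get(token, {}).items() if amt >= value]
            if log["tx_from"].lower() == owner:
                cause = "owner-signed"    # transaction signed with the account's key
            elif ok:
                cause = "allowance:" + ok[0]
            else:
                cause = "unexplained"
            out.append((log["tx"], cause))
    return out

# Constructed sample data (hypothetical addresses and transaction ids).
OWNER, SPENDER, RELAYER, DEST = ("0x" + c * 20 for c in ("11", "22", "33", "44"))
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20

def mk(tx, block, token, sig, a, b, value, tx_from):
    return {"tx": tx, "block": block, "address": token,
            "topics": [sig, pad(a), pad(b)], "data": hex(value), "tx_from": tx_from}

SAMPLE_LOGS = [
    mk("tx1", 10, TOKEN_A, APPROVAL, OWNER, SPENDER, 1000, OWNER),
    mk("tx2", 11, TOKEN_A, TRANSFER, OWNER, DEST, 500, RELAYER),
    mk("tx3", 12, TOKEN_B, TRANSFER, OWNER, DEST, 200, OWNER),
    mk("tx4", 13, TOKEN_B, TRANSFER, OWNER, DEST, 50, RELAYER),
]
```

Event logs do not carry the transaction sender, so `tx_from` has to be joined in from the transaction record that emitted each log.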

Zepe token airdrop is scam. Did you try to sell it?

Check Connected Sites:

Hey @Bobby , thanks for getting back.

No, I didn’t attempt to sell that token. In fact I realized about the airdrop only after checking my wallet address in polygonscan after the loss of funds.

Since I created the account in my iPhone metamask app, I just went into “Browser” area to see if it’s connected to any sites. I don’t think my account is connected to any Dapps right now:

I see there is an option to extract debug logs from Metamask iPhone wallet. I guess that may help trace the exact set of events triggered by my wallet?

Hey,

I am sorry to read your issue and I am starting to become a little worried about using Metamask.

Is your issue meanwhile solved?
Did the Metamask Support help you?

I read a lot of “lost coins” posts that are never solved nor did support answer.

Weird.

Cheers and good luck!

Hey @degard,

Thanks for checking!

So, Metamask support did get back to me but their instructions weren’t of much use. They just told me to check if the account address had any malicious contract approvals which could steal all tokens from the address. I had already verified that no such approvals existed on my account, using debank and a couple of other DeFi tools.

I then shared the metamask state logs with them to see if that contained any trail. But they haven’t gotten back to me with any details or insights.

And so, I then checked the state logs myself, to see if they contained any history of withdrawals from my account address to the malicious address 0x7c9554d3ccb8c42072290304096c696b5e8e7b18 or the associated contract addresses.

I did not find any such evidence in the logs. So I now suspect that Metamask wallet may have archived or deleted the logs which could have contained these transactions. I asked them if there is any way to pull old or archived logs from the iPhone wallet app. To this, I haven’t received any response either.

Looks like Metamask support is either severely backlogged and/or virtually non-existent. They are not even on Discord or Telegram.

So at this point, I have stopped using Metamask completely. It’s too risky since I had followed all best practices to protect my secrets and still this thing happened.

-Prax

Oh wow, that sounds very serious!

I wanted to use MM to transfer a good bag of ETH from the ETH Mainnet into WETH on the Polygon Mainnet using the Polygon Bridge and then further to aave (save fees on the polygon mainnet).

Is there a good better alternative?

Hi @degard - I know that Coinbase Wallet supports Polygon network but not sure if it supports WETH.

@Dread - what kind of bugs, could you please elaborate, if possible? The account did receive some airdrops (which is really beyond our control) but I never approved any malicious contracts.

Don’t take Dread seriously.
He posted in another thread of mine (“best-practise-to-avoid-losing-tokens”) a weird message.