Recently, many users have reported that their wallets automatically transfer funds, but every time the transfer amount is 0 USDT, they are very alarmed and ask us if their wallets have been stolen.
In fact, this is a very common scam where attackers take advantage of the inherent vulnerability of the EVM token contract to make malicious transfers. There is no need to panic, your wallet is still safe, just ignore it.
For example, after victim A sends 500 USDC to B in a normal transaction, he will receive 0 USDC from C (the hacker) after a while, and at the same time, user A himself will uncontrollably transfer 0 USDC to C in the same transaction hash, realizing a 0 USDC transfer.
The reason for this is that the TransferFrom function of the token contract does not force the authorized transfer amount to be greater than 0, so it is possible to initiate a transfer of 0 USDC from any user account to an unauthorized account without failure. Malicious attackers take advantage of this condition to continuously initiate TransferFrom operations against active users on the chain in order to trigger transfer events.
Such attack events are present in both EVM and TRON chains. Please double check and copy the correct transfer address to avoid asset loss.
Meanwhile OneKey is working on some anti-fraud designs to avoid harmful spam and protect you from fraud.