Security is a top priority in the fast-paced world of crypto and Web3.
Recently, a dangerous trend has emerged: Address Poisoning Attacks.
Although the technique is (relatively) not new, this attack vector has led to large financial losses, including one case where an individual lost $68 million by copying and sending funds to a fraudulent address, $59,889 lost in a similar incident, and $4.4 million lost by another victim.
This attack is equivalent to the phishing and social engineering attacks we know so well from Web 2.0, with email and fake banking websites.
Let's explore what address poisoning is, how it happens, and how to protect yourself.
What is Address Poisoning?
Address poisoning is an attack in which hackers/scammers generate addresses that closely resemble legitimate ones, namely the addresses of their targets. They then send dust transactions (which can be small, but also more substantial in a very targeted attack) to contaminate the transaction history in the victim's wallet. These transactions make the poisoned addresses appear frequently in the user's transaction history, increasing the chance that one of them is copied and used as a destination, so that funds are sent to the wrong address.
The bottom line is that users who copy addresses from their transaction history might unknowingly copy these poisoned addresses, resulting in lost funds.
The Problem with Non-Human Readable Addresses
Cryptocurrency addresses are often long, complex strings of characters, prone to errors and confusion. This contrasts sharply with the human-readable identifiers in traditional Web 2.0 domains, systems, and UI/UX. For crypto and Web3, solutions like Ethereum Name Service (ENS) offer human-readable names to make transactions safer and more user-friendly (among other up-and-coming solutions).
Protecting Yourself
Here are some effective strategies to protect against address poisoning:
Do not copy addresses blindly from your transaction history, as they might be contaminated.
Always triple-check the full address before making a transaction. Confirm the entire address, not just selected characters.
Instead of copying addresses, use an address book feature in wallets like MetaMask (Settings > Contacts). This prevents copying contaminated addresses and ensures the addresses are verified before use.
Sending a small test amount first to confirm the recipient's address can prevent large losses (at times, it’s worth the transaction fees).
Organizations, teams, and even individuals can employ multi-sig and MPC (multiparty computation) processes that include whitelist/allowlist review and approval steps, thus reducing errors.
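As an added illustration of the full-address and allowlist checks above (example code written for this page, not from the original article or from any wallet), the Python below classifies a destination against an address book and flags history entries that imitate a contact. The addresses are constructed, the function names are hypothetical, and matching on the first and last four hex characters is an assumption about which characters a user tends to check.

```python
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample addresses (not real accounts): the look-alike shares the
# first and last four hex characters with the allowlisted one.
TREASURY = "0x1234" + "a1b2c3d4" * 4 + "abcd"
LOOKALIKE = "0x1234" + "0f0e0d0c" * 4 + "abcd"
ADDRESS_BOOK = {"treasury": TREASURY}
SAMPLE_HISTORY = [
    {"counterparty": TREASURY, "value": 2.5},
    {"counterparty": LOOKALIKE, "value": 0.0},        # dust transfer
    {"counterparty": "0x" + "9" * 40, "value": 0.3},
]


def normalize(address):
    """Lower-case a 0x + 40 hex address; reject anything else (EIP-55 case is ignored)."""
    if not ADDRESS_RE.match(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return address.lower()


def classify_recipient(candidate, address_book, edge=4):
    """Return ('trusted'|'lookalike'|'unknown', matching label or None)."""
    body = normalize(candidate)[2:]
    verdict = ("unknown", None)
    for label, known in address_book.items():
        known_body = normalize(known)[2:]
        if body == known_body:            # full-address match only
            return ("trusted", label)
        if body[:edge] == known_body[:edge] and body[-edge:] == known_body[-edge:]:
            verdict = ("lookalike", label)  # same edges, different middle
    return verdict


def flag_poisoned_history(history, address_book, edge=4):
    """List history entries whose counterparty imitates an allowlisted address."""
    flagged = []
    for entry in history:
        kind, label = classify_recipient(entry["counterparty"], address_book, edge)
        if kind == "lookalike":
            flagged.append({**entry, "imitates": label})
    return flagged


if __name__ == "__main__":
    for hit in flag_poisoned_history(SAMPLE_HISTORY, ADDRESS_BOOK):
        print("do not copy:", hit["counterparty"], "imitates", hit["imitates"])
```

A destination that comes back as `lookalike` or `unknown` should go through the address book review rather than being pasted from history.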
Conclusion
Address poisoning is a trending threat in the crypto world, capable of causing significant financial losses. To protect yourself, use reputable wallets, triple-check all addresses, and review all transaction payloads, since errors and malicious actions can also be hidden there, expanding the attack surface.
More about deep risk assessment and inspection of transaction payloads in our next articles.