An individual unfortunately fell victim to address poisoning, losing over $68 million in WBTC in the process. How did it happen?
$68 million in WBTC lost for a bad transaction
An individual unfortunately fell victim to address poisoning, which led him to lose more than $68 million in the form of WBTC, a token backed by the Bitcoin price in ERC-20 form.
Cyvers Alerts first reported the news, indicating that someone had lost 1,155 WBTC in a single transaction.
ALERTAre we mistaken, or has someone truly lost $68M worth of $WBTC? Our system has detected another address falling victim to address poisoning, losing 1155 $WBTC
Victim: https://t.co/5NKlOFnepJ
Address poisoner: https://t.co/R6fF0QipBH
Poison transaction:… pic.twitter.com/UpG34ZcZvY
– Cyvers Alerts (@CyversAlerts) May 3, 2024
Particularly targeting well-stocked cryptocurrency wallets, address poisoning involves sending small amounts of any token to the address you wish to trap. The subtlety lies in the fact that the address sending the funds has the same characters at its beginning and end as an address used by the future victim, in the hope that the latter will send funds to the wrong destination by digging into its history.
Indeed, on most wallets, only the first and last characters of addresses are generally displayed, for ergonomic reasons. So, by checking only the latter, an error can quickly occur, and that’s exactly what happened to the person we’re talking about today.
As you can see below, the beginnings and ends of addresses are exactly the same. However, after the first 6 characters, the address becomes different. But this is only visible on browsers, as portfolios can only display a certain number of characters.
So, thinking he was sending his 68 million dollars worth of WBTC to the usual address (the last in the list below), the victim transferred it to the false address. This address has since been identified as a phishing address by the Etherscan explorer
To create fake addresses like this one, malicious individuals resort to so-called “vanity addresses”. Instead of creating an address randomly (as is the case when creating a MetaMask wallet, for example), certain algorithms manage to create addresses with certain specific characters, but this is costly in terms of resources.
Today, some wallets such as Rabby Wallet warn users when they are about to send funds to an address with which they have never interacted before, helping to mitigate this kind of risk.