Cryptocurrency theft: MetaMask warns of address poisoning

by v

MetaMask has reported an increase in address poisoning attacks. Let’s take a look at this fraud, which relies on inattention, and at ways to protect yourself from it.

What is address poisoning?
MetaMask wallet support has alerted the community to the growing phenomenon of “address poisoning”. The concept is simple: take advantage of an investor’s inattention in order to steal their cryptocurrencies.

To carry out their attack, a malicious person will seek out addresses that often exchange funds. This may be a sign that a single person owns both the A and B addresses, and regularly migrates cryptocurrencies between the two.

The attacker then creates an address similar to the A or B address using a vanity address generator. This type of software generates a private key whose public address contains certain specific characters.

For example, let’s choose an address in a perfectly arbitrary way on Etherscan: 0x8e7Ec153f5362f71083eF0Fd5784dc082c07404D. Let’s imagine that a hacker wants to target this address, which we’ll call “the A-address”. He could then try to create an address containing the same last four characters on a service like “Vanity-ETH”. Indeed, it is generally easier to remember the end or the beginning of an address than its full alphanumeric sequence:

Private key generated with a custom address using Vanity-ETH

With this new address, the hacker will then send a small amount of cryptocurrency to the targeted address, namely “address B”, so that the fraudulent address appears in the history of his future victim, reminding him of address A.

The next time the target trades from the B address, they will simply copy the fraudulent address from their transaction history, thinking they have copied the A address, and they will then send their funds to the attacker on their own.

How to protect yourself from such attacks

To date, it is not, a priori, possible to block incoming transactions on a public blockchain such as Ethereum (ETH). This means that anyone can have their addresses polluted by address poisoning. Faced with this situation, the best response is to be vigilant.

Most wallets, such as Frame or MetaMask, or Keplr to take an example with the Cosmos ecosystem (ATOM), allow you to copy an address directly from the application. This facility avoids the need to search for an address in one’s transaction history and the risk of being tricked.

If it is necessary to search through the transaction history to find an address, it will be necessary to be 100% sure that it is the right one.
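One way to automate that check, as an added example that is not from MetaMask or the original article: it compares an address copied from a transaction history against a personal address book and flags entries that share leading or trailing characters with a saved address without being identical. The four-character threshold, the function names and the two sample addresses other than address A are assumptions made here.

```python
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(address):
    """Return the 40 hex digits in lowercase; reject anything that is not an address."""
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return address[2:].lower()

def shared_edges(a, b):
    """Count matching leading and trailing hex digits of two normalized addresses."""
    prefix = 0
    while prefix < 40 and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < 40 - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix

def classify(candidate, address_book, min_edge=4):
    """Return ('trusted'|'lookalike'|'unknown', label of the entry matched or imitated)."""
    cand = normalize(candidate)
    book = {normalize(addr): label for label, addr in address_book.items()}
    if cand in book:
        return "trusted", book[cand]
    for known, label in book.items():
        prefix, suffix = shared_edges(cand, known)
        if prefix >= min_edge or suffix >= min_edge:
            return "lookalike", label
    return "unknown", None

def flag_history(counterparties, address_book, min_edge=4):
    """List the history entries that imitate an address-book entry without equalling it."""
    flagged = []
    for addr in counterparties:
        verdict, label = classify(addr, address_book, min_edge)
        if verdict == "lookalike":
            flagged.append((addr, label))
    return flagged

# Address A is the one quoted in the article; the other two are constructed samples.
ADDRESS_BOOK = {"A": "0x8e7Ec153f5362f71083eF0Fd5784dc082c07404D"}
LOOKALIKE = "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b404D"   # constructed: same last four characters
UNRELATED = "0x00112233445566778899aabbccddeeff00112233"   # constructed

if __name__ == "__main__":
    for entry in (ADDRESS_BOOK["A"], LOOKALIKE, UNRELATED):
        print(entry, classify(entry, ADDRESS_BOOK))
```

An "unknown" verdict only means the address resembles nothing in the address book; it still has to be verified against its original source before funds are sent.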

Personalised addresses were also used in the Convex (CVX) DNS attack in June 2022, where the hacker replaced the smart contracts on the website with his own vanity addresses.

A fraud attempt as seemingly simple as address poisoning reminds us that, very often, the main flaw in a system remains the human factor.
