Staying Alert On Address Poisoning Attacks

Beware to be taken off guard with severe poisoning attacks as you transfer tokens. Right on the spot, let’s deconstruct the threat and learn to detect it early on.

So, what’s keeping the Web3 Antivirus team awake at night lately? Mostly, it is the intensified address poisoning threats that lately take new forms while stealing millions in USD. Cutting the scheme short, it’s aimed at tricking users into unintentionally copying the address modified by the hacker and further pasting it as they handle transfers.

Up to the end of 2022, over 340K addresses have been attacked across the ETH chain, totaling more than $1.64M USD snatched. Right now as we dwell on the topic and in the days coming, fraudsters deploy new variations of malicious contracts.

The moment such contracts come into play, some have the potential to trigger thousands of intercepted or poisoned transactions, with each being able to attack up to hundreds of users. So what is it that gets crypto users trapped for no apparent reason?

What’s the trick behind poisoning attacks?

In a nutshell, hackers’ endgame is to take users off guard as they check their transfer addresses. Meaning, each one who’s about to send their tokens is a potential target.

No wonder so many crypto users are falling prey to the trick. Let’s face it: next to no one is patient enough to examine the entire line. Most are likely to just double-check up to 7 initial and last symbols, especially when it comes to copied addresses. And that’s exactly what hackers expect.

Nearly in real-time, they capture transfer data and forge the potential victim’s target address. And just like that, the user has all the chances to carelessly copy the false row from the historical data and send their assets to the scammer’s account.

How do poisoning attacks happen?

The flow depends on what kind of token underlies your deal, ETH or ERC20.

Say, User A sends USDC tokens equalling $1.600 to User B. The transaction result will be logged either into the history of user A’s crypto wallet or into the block explorers like EtherScan.

To user A, everything may look just ok. Yet, the fact that the hacker has managed to track the transaction while generating a similar one gets unnoticed. Specifically, the forged transaction will imitate the original one, making user A transfer $0 USDC to hacker’s account C, instead of sending $1.600 in USDC tokens to User B.

Thus, the trick goes off without a hitch because the victim only examines up to 4 first and last symbols and thinks the address is safely verified.

Take a closer look at the underlined addresses. In a haste, one can’t tell them apart.

Meaning, in case user A wants to transfer USDC to user B again, chances are that they copy the target address from the history of transactions, thus risking to mistake the one forged by hacker C for the original, as the timestamps will be the same. So, nice and easy, the scammer celebrates the win, taking all the transferred funds to themselves.

Note. Though in fact, it wasn’t user A who initiated the malicious $0 USDC transaction, the history will attest quite the opposite. The trouble spot lies in the ERC20’s vulnerability, as the standard methods aren’t supposed to check $0 USD transfers.

How to avoid poisoning attacks

Basically, there are two major precautions to follow:

1. Make it a rule to double-check transfer addresses, especially historical transaction ones. Better keep a dedicated address book.
2. In case you’ve noticed a $0 USD transfer among your historical transactions, there’s still no reason for panic. Many crypto users are unfamiliar with poisoning address schemes. As they see $0 USD transfers, they fear that their private keys have been leaked and assets compromised, so someone’s stealing their funds right now. Actually, the $0 USD transactions are more of an alert sign. Nothing’s happened yet, both the key and the assets are safe, it’s just that you are to pay extra attention while confirming addresses as you copy them from the history.

Stay protected on web3!