Address Poisoning Scam: What You Need to Know and How to Protect Yourself

Debbie Chia
avatar-ani
Samuel Akpan

Samuel Akpan, Anirudh Chohan & Debbie Chia

InsightsDec 20, 20236 min read
Security
cover-address-poisoning-scam
What is address poisioning scam and find out how Safe{Wallet} keeps you Safe.

This scam is not specific to Safe or Safe{Wallet} but is generally possible in all types of wallets. Also, there is no need to be worried about assets at risk in this type of situation as long as no other transaction is initiated to the fraudulent address.

At Safe, we work continuously to keep abreast of the latest security issues our users face and release features and resources to help users out whenever possible. Today we will be tackling address poisoning and what users can do to keep Safe!

Imagine walking down a familiar street and spotting your friend waving from afar. You stride towards them, only to realize it’s a stranger wearing similar clothes. This moment of mistaken identity is akin to address poisoning in the crypto world. Scammers craft wallet addresses that mirror legitimate ones, much like a doppelgänger in a crowd. Just as you might inadvertently approach the wrong person, users unknowingly send assets to these deceptive addresses, falling prey to a sophisticated digital masquerade. This is the address poisoning scam, a subtle yet devastating form of fraud. This post aims to dissect the anatomy of these scams, illustrating how they manifest and offering strategies to fortify against them.

What is Address Poisoning?

Address poisoning is a type of scam trying to trick users into sending assets to a fraudulent address. The attacker specifically designs the fraudulent address to look very similar to the correct one. This is done by generating a “vanity address” with a number of characters matching. In case victims carelessly copy the address without further verification, they may accidentally send their assets to the fraudulent address instead.

How could such fraudulent addresses even show up inside wallet interfaces in the first place?

In order to display a full transaction history such as token transfers into and outside an account, wallets typically rely on backend services. These services listen to ERC20 events emitted on chain in order to learn about these transfers. Any contract can trigger these events with any content, no matter if legit or fraudulent. Besides, wallets typically display only the first and last four characters of an address on the transaction history, thereby increasing chances of an attacker since they would have to only create a “vanity address” which shares common first and last 4 characters with the legit address.

In the above screenshot, only the lower transaction has been done with a legitimate token and authorised by the owner of the Safe. The upper one is a fake transfer as part of the scam attempt.

What should users do to protect themselves?

There are a number of preventative actions users should take whenever transferring assets and generally executing transactions.

Verify, Verify, Verify

Any address should always be thoroughly checked in its entire length. Never copy addresses blindly from transaction history in order to transfer assets but rather from a trusted source. Safe{Wallet} displays checksummed addresses throughout the application. Always double check the correct use of uppercase and lowercase letters as well.

Use human-readable labels wherever possible

Account addresses are cryptic. It is hard and time consuming for a human to reliably verify all characters of an address. Besides the checksums mentioned above, users should use human readable ENS names as well as the Safe{Wallet} address book feature as much as possible.

Small tests save big losses

Before transferring high value assets, always do a test transfer with a small amount. Once the recipient confirms the successful transfer, authorise the transactions transferring the full amount.

Take security warnings seriously

Safe{Wallet} partnered with Redefine to scan each transaction for potential risks before execution. All affected Safes have received a risk warning of category “medium” before execution, referring to suspicious recipient addresses as the cause. Yet users still decided to proceed. The DeFirewall feature enhances transaction security by scanning every onchain transaction prior to signing. Its automated engine identifies risks associated with the transaction and provides a risk profile for each identified issue, clearly showing if a transaction would likely result in the user losing funds.

How is Safe{Wallet} improving security?

Ultimately, it is the user’s responsibility to carefully examine each transaction before execution. For enhanced security, Safe has also implemented the following several measures.

Labeling of Risky Addresses and Tokens

We have systematically marked addresses and tokens involved in the recent scams. This ongoing process is a part of our commitment to actively identify and label potential threats. While we strive for comprehensiveness, there may be instances of delay in identifying and labeling new threats. Users should be aware that not all potential risks may be immediately flagged and continue to exercise caution

Modifying Transaction Visibility

To help mitigate risks we released a hotfix hiding suspicious token transfers completely. As a proper fix, outgoing transfers unrelated to a direct transaction involving an unknown token will be marked better in the user interface. This measure is designed to help prevent scams while ensuring that genuine transactions, like those involving decentralized exchanges remain operational, albeit less visible in the transaction history. While we strive for comprehensiveness, there may be instances of delay in identifying and labeling new threats. Users should be aware that not all potential risks may be immediately flagged and continue to exercise caution.

The scam transfer is marked as such in the transaction history.The scam transfer is marked as such in the transaction history.

The Safe{Wallet} asset overview already leverages Safe’s default tokenlist. The transaction history now implements the same approach.

On assets overview, users can choose between seeing only default/trusted tokens or all tokens. The latter would contain any spam and scam token.On assets overview, users can choose between seeing only default/trusted tokens or all tokens. The latter would contain any spam and scam token.

Enhanced Detection by Redefine

Redefine has upgraded its detection algorithms, significantly enhancing the accuracy in pinpointing address poisoning attacks targeting Safe users. Users will now receive 'High' severity alerts, accompanied by detailed insights and explanations, explicitly mentioning 'address poisoning' to ensure clarity and immediate awareness of the specific risk involved.

Conclusion

Crypto, just like in everyday life, is filled with both familiar and deceptive faces. By understanding the mechanics of address poisoning scams and adopting proactive measures, users everywhere can better navigate this landscape, ensuring a safer transaction environment for all.

Finally, knowledge is your best defense. For a deep dive into security best practices on avoiding address poisoning scams, check out our comprehensive guide.

Stay alert, stay safe.

Disclaimer:

Please note that the measures and implementations described in this article are provided for informational purposes only and do not imply any changes to the license terms and/or any applicable terms of use of Safe Wallet. Users should always refer to the official terms of service for the most accurate and up-to-date information regarding the use of our services.

Token lists are compiled using data from external third-party sources. We do not vouch for the accuracy of this data, and do not make any claims regarding its relevance or timeliness. Often, data may not be available for certain tokens, especially those that are new or less known.

The token lists are not to be taken as investment advice. They are not exhaustive in highlighting all possible risks. We advise conducting your own research on tokens before engaging in any buying or selling activities. The information provided is solely for informational purposes.


Read more

cover-a-call-to-build-smarter-self-custody
InsightsNov 14, 20228 min read
A call to Build Smarter Self-Custody
cover-redefine-security-with-new-safewallet-transaction-risk-scanner
AnnouncementsJun 25, 20234 min read
Redefine security with new Safe{Wallet} transaction risk scanner
Cover image - Social Login
EcosystemFeb 5, 20246 min read
Fileverse - Non-Custodial Gsuite Competitor, Powered by Safe

Get the Alpha

Sign up to hear the latest from Safe in your inbox