Mainstream cryptocurrency and NFT custodial wallets, Metamask has issued a warning to the public alerting them of a newly perpetrated scam called ‘Address Poisoning.’
The Twitter thread tweeted by Metamask revealed that this scam occurs after users conduct a normal transaction and the scammer goes ahead to send a $0 token txn, ‘poisoning’ the txn history.
What is address poisoning in detail?
Address poisoning is a type of scam targeted at crypto users where the scammer will first “poison” the user’s account by sending them a very small (sometimes near-zero) amount of crypto in a bid to alter their wallet’s copy and paste mechanism. The main purpose of this scam is to make users copy a wrong wallet that had been manipulated into their transaction history and send money to the copied wallet which is for the scammer.
It is a scam that leverages the carelessness and hastiness of users. The inability of users to give their transaction a second check before authorizing it.
This scam technique can be said to be relatively harmless in comparison to other scams that make use of different devious techniques such as unlimited token approvals, phishing for users’ Secret Recovery Phrase, etc
However, address poisoning can easily result in the loss of funds.
How does it work?
Crypto wallets consist of one or more accounts, with each of the accounts having its cryptographically-generated address attached to them. These cryptographically-generated addresses are long hexadecimal numbers which makes them unintelligible to those outside the blockchain space.
These hexadecimal numbers can be very difficult to memorize and remember. This is why most users have resorted to copying and pasting the cryptocurrency address which is way easier than memorizing them and typing them out. This copying and pasting method has proved to be time-conserving and has minimized the possible chances of making mistakes.
However, this copy-and-paste option is what has been leveraged by these scammers to defraud unsuspecting victims.
- These scammers use software to keep track of transfers of specific tokens (usually stablecoins). To generate an address that closely resembles the users’ addresses or the wallet the user intends to send to, they use a “vanity” address generator.
- These fraudsters then carry out a small-value transaction from another account to the fake account they made, which closely resembles the users’. These are often transfers of 0 tokens. They have contaminated users’ wallets in this way.
- Since the phony address created by these scammers resembles the original wallet address, likely, users will unintentionally copy the scammers’ address from their transaction history and paste it somewhere else the next time the user needs to copy their wallet address. And as expected by these scammers, once the user accidentally pastes the scammers’ address, the sent funds will go to them rather than to the user’s intended account. Additionally, the lost money will be unrecoverable because on-chain transactions like these are immutable (they cannot be changed once verified).
What makes users fall for this scam is the fact that they might be in haste while carrying out this transaction which might make them not vet the transaction details before approving it.
How to guard against Address poisoning
There’s no method for users to prevent anybody, even scammers, from sending transactions to their address because we connect with public blockchains where anyone, anywhere, is free to do what they like.
Metamask however recommends some measures users should take so as not to fall for these tricks. These are:
- The usage of hardware wallets is advised. Hardware wallets typically prevent users from completing a transaction unless they have checked and verified the address they are sending to. This promotes thorough and appropriate inspection.
- Users should update their address book with commonly used addresses. They may find this function in MetaMask’s Settings > Contacts. Once an address has been kept there, they may be sure it is the correct one and won’t need to rely on copying and pasting every time they need it.
- The use of test transactions is advised for users. For large transactions, this is strongly advised. To verify an address is legitimate before moving through with a larger transaction, this entails sending a small sum of money to the address. The gas may not be desirable as gas fees must be paid for two transactions. But when you consider the amount of money at stake, the risk is worthwhile.
- Users should double-check addresses and make sure the information imputed for transactions is accurate.
- Users should refrain from copying addresses from their transaction history and, if they must, double-check them.
What do you think about this article? Share your comments below.
Read also;
How to make money with NFTs in 2023
Differences between BUSD & USDC