Web3 security blog


Address Poisoning: The Growing Threat in the Web3 Ecosystem and Steps to Mitigate the Risk

Introduction

Address poisoning has emerged as a significant threat to users in the Web3 ecosystem, and in decentralized finance (DeFi) in particular. As Web3 technologies keep transforming decentralized applications (dApps) and finance, users encounter new challenges and vulnerabilities. One of them is address poisoning, a type of phishing attack that has already caused substantial financial losses for unsuspecting users. In this article, we explore how address poisoning works, the impact it has had on DeFi, and some of the measures being taken to protect users from this growing threat.

Understanding Address Poisoning

Address poisoning is a phishing attack that exploits an idiosyncrasy in common implementations of the ERC-20 token standard. The attacker sends worthless (typically zero-value) token transfers involving the victim's wallet so that an attacker-controlled address appears in the victim's transaction history; that address is chosen to look very similar to one the victim interacts with often. The attack relies on two habits: trusting the transaction history as a source of addresses, and validating an address by glancing only at its first and last few characters. By polluting the transaction history, the attacker can deceive users who copy and paste addresses from it when sending funds.

The Impact of Address Poisoning

Between late November 2022 and February 13, 2023, zero-value token transfers caused a loss of $19 million from victim wallets, according to Coinbase. This staggering figure underlines the growing risk of address poisoning in the Web3 ecosystem. As Web3 technologies continue to expand and gain mainstream adoption, the number of users susceptible to such attacks is expected to increase, making it crucial for the industry to develop and implement protection technologies that address this issue.

The Vulnerability and its Exploit

Address poisoning exploits the ERC-20 token standard's transferFrom function. This function lets a third party (the spender) move tokens between addresses on behalf of the token owner, within an allowance the owner has granted, and it underpins almost every DeFi interaction with ERC-20 tokens. Typical implementations only revert when the allowance is smaller than the amount being transferred, so a transfer of zero tokens passes that check even when no allowance was ever granted. Any account can therefore record a zero-value transfer between any two addresses, which is what makes address poisoning attacks so simple to carry out.

The Attack Process

A successful address poisoning attack normally proceeds according to the following three steps:
  1. Execute a zero-value transaction that injects the attacker's wallet address into the victim's transaction history. The attacker's address should be very similar to one that the victim regularly interacts with.
  2. The user carelessly copies the injected address from their transaction history and pastes it into their wallet's send field. Or, in certain cases, the user's wallet may automatically suggest the attacker's address because it was the last one they interacted with on-chain.
  3. The user signs a transaction that irreversibly sends funds to the attacker's wallet.
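The checks a wallet or monitoring bot could run against steps 1 and 2, as an added example in Python (not code from the article or from any wallet vendor): it flags the zero-value transfer that injects a look-alike address, refuses to suggest that address as a recent recipient, and warns or blocks when it is pasted into the send field. The transfer history, the addresses, the Transfer record type and the function names are constructed for this example; the look-alike rule (same first and last four hex digits) is one concrete choice and a real wallet would tune it.

```python
"""Off-chain address-poisoning checks a wallet or monitoring bot could run.

Added example, not code from the article or from any wallet or explorer. It
works on a constructed per-user transfer history in the shape a client gets
from an indexer (sender, recipient, value, block) and applies two rules:
(1) an address that only ever appears in zero-value transfers with the user is
suspicious, and (2) a suspicious address whose first and last hex digits match
a counterparty the user has exchanged real value with is a probable poison
address. It also shows why a "recent recipients" list must be built from
value-bearing transfers only. All addresses below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    value: int      # token amount in base units; 0 for poisoning transfers
    block: int


VICTIM = "0x1111222233334444555566667777888899990000"
EXCHANGE = "0xa1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"   # frequent counterparty
POISON = "0xa1b200001111222233334444555566667777a9b0"     # same first/last 4 hex digits
OTHER = "0xffffeeeeddddccccbbbbaaaa9999888877776666"      # unknown, no resemblance

# Constructed history, oldest first. Block 121 is the attacker's zero-value
# transferFrom(VICTIM, POISON, 0); block 122 is an unrelated zero-value transfer.
HISTORY = [
    Transfer(EXCHANGE, VICTIM, 5_000_000, 100),
    Transfer(VICTIM, EXCHANGE, 1_250_000, 120),
    Transfer(VICTIM, POISON, 0, 121),
    Transfer(OTHER, VICTIM, 0, 122),
]


def norm(addr):
    """Compare addresses case-insensitively (EIP-55 checksums vary the case)."""
    return addr.lower()


def looks_alike(a, b, prefix=4, suffix=4):
    """True when a and b differ but share the digits a user tends to eyeball."""
    a, b = norm(a)[2:], norm(b)[2:]
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def counterparty(t, user):
    """The other party of a transfer in the user's own history."""
    return t.recipient if norm(t.sender) == norm(user) else t.sender


def trusted_counterparties(history, user):
    """Addresses the user has sent real value to or received real value from."""
    return {norm(counterparty(t, user)) for t in history if t.value > 0}


def flag_poison_addresses(history, user):
    """Map suspicious address -> (reason, mimicked trusted address or None, block)."""
    trusted = trusted_counterparties(history, user)
    flagged = {}
    for t in history:
        if t.value != 0:
            continue
        other = norm(counterparty(t, user))
        if other in trusted:
            continue                      # zero-value with a known party is benign
        mimicked = next((c for c in trusted if looks_alike(other, c)), None)
        reason = "lookalike" if mimicked else "unknown_zero_value"
        flagged[other] = (reason, mimicked, t.block)
    return trusted, flagged


def check_outgoing(recipient, history, user):
    """Decision a wallet can make when the user pastes a recipient address."""
    trusted, flagged = flag_poison_addresses(history, user)
    r = norm(recipient)
    if r in flagged and flagged[r][0] == "lookalike":
        return "BLOCK", f"address mimics trusted counterparty {flagged[r][1]}"
    if r in trusted:
        return "OK", "known counterparty with real value history"
    if r in flagged:
        return "WARN", "address only ever appeared in a zero-value transfer"
    if any(looks_alike(r, c) for c in trusted):
        return "WARN", "resembles a trusted counterparty but was never used"
    return "WARN", "no prior value transfer with this address"


def naive_last_recipient(history, user):
    """What a wallet suggests if it trusts raw history: the poison address."""
    outgoing = [t for t in history if norm(t.sender) == norm(user)]
    return norm(max(outgoing, key=lambda t: t.block).recipient)


def safe_recent_recipients(history, user, limit=3):
    """Recent list built from value-bearing outgoing transfers only."""
    recent = []
    for t in sorted(history, key=lambda t: -t.block):
        r = norm(t.recipient)
        if norm(t.sender) == norm(user) and t.value > 0 and r not in recent:
            recent.append(r)
        if len(recent) == limit:
            break
    return recent
```

With the constructed history, naive_last_recipient returns the poison address (the most recent outgoing entry), safe_recent_recipients returns only the exchange, and check_outgoing blocks the poison address while merely warning on unfamiliar ones; the warning path is deliberately kept for first-time recipients so the check does not train users to click through.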

Mitigating the Risk: Etherscan's Response

In response to the growing threat of address poisoning, Etherscan, a leading blockchain explorer, has reconfigured its default blockchain viewing settings. The platform now hides zero-value token transfers on its website by default, in an effort to protect users from falling victim to these scams. Users who want to see zero-value token transfers can turn this filter off in Etherscan's settings page.

Potential Solutions

  1. On-Chain Solution: One proposed solution is to modify the _spendAllowance function so that even zero-value transfers require an approval on-chain. However, this change deviates from the ERC-20 standard, which treats zero-value transfers as ordinary transfers, and it risks breaking existing use cases.
  2. Off-Chain Solution: An alternative approach is to make changes to off-chain tools, such as block explorers, wallets, and exchanges. By not displaying or interacting with zero-value transfers by default, users can be better protected. Continuous education and secure UX patterns are also crucial for staying ahead of malicious actors.
  3. Blockchain Address Books: Blockchain address books, which identify each account by a unique and distinctive label, can help prevent accidental transfers to unintended addresses. Such an address book would serve as an additional layer of security and would display an easily recognizable identifier rather than a long hexadecimal address, making it harder for attackers to deceive users into sending funds to malicious addresses.
  4. Monitoring and Notification Systems: Clients can monitor for zero-value transfer events and treat them differently off-chain, for example by flagging or hiding them. Users can be better informed and protected by receiving notifications from bots or other automated sources when such an event touches their address.
  5. Collaboration and Best Practices: Collaboration between various stakeholders in the DeFi ecosystem, including developers, wallet providers, and end-users is essential for developing and implementing best practices to protect against address poisoning. Sharing knowledge and experiences can lead to innovative solutions and improvements in security standards.
  6. Machine Learning for Cybersecurity Protection: The integration of machine learning (ML) in cybersecurity protection within the blockchain ecosystem offers immense potential for identifying vulnerabilities and mitigating threats, including address poisoning and other phishing attacks. By utilizing ML algorithms, continuous monitoring systems can automatically detect suspicious patterns and anomalies in the blockchain data, allowing for swift response to malicious activities. In addition to detecting threats, ML can be employed to enhance user experience by creating personalized, secure user interfaces and address book management systems. At Polyzoa, we are actively leveraging ML-based cybersecurity solutions to protect users against address poisoning and other phishing attacks, showcasing the powerful role machine learning can play in bolstering the security and resilience of the DeFi ecosystem.
These strategies emphasize the importance of continuous education, secure UX patterns, collaboration among stakeholders, and innovative technological solutions such as machine learning to ensure the safety and success of users within the rapidly evolving world of Web3 and DeFi.
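A model of the allowance check behind the vulnerability described under "The Vulnerability and its Exploit" and of the on-chain change in item 1 above, as an added example in Python (not the article's code and not any real token contract). The Token class and its strict_zero flag are invented for this example; they mirror the control flow of a typical ERC-20 implementation (transferFrom calling an internal allowance check, as in OpenZeppelin's _spendAllowance) without claiming to be that code. The addresses are constructed.

```python
"""Model of the ERC-20 allowance path that address poisoning relies on.

Added example, not code from the article or from any real token contract. The
Token class mirrors the control flow of a typical ERC-20 implementation
(transferFrom -> _spendAllowance -> _transfer), where the allowance check only
reverts when the allowance is smaller than the amount. With an amount of 0 that
comparison can never fail, so a spender with no approval at all can move zero
tokens from any owner to any recipient, and a Transfer event is still recorded.
The strict_zero flag models the on-chain change discussed under Potential
Solutions: requiring an explicit approval even for zero-value transfers.
All addresses are constructed for the example.
"""
MAX_UINT256 = 2**256 - 1


class Revert(Exception):
    """Stand-in for an EVM revert: the call fails and state is unchanged."""


class Token:
    def __init__(self, strict_zero=False):
        self.balances = {}
        self.allowances = {}          # (owner, spender) -> remaining allowance
        self.events = []              # Transfer events a block explorer would show
        self.strict_zero = strict_zero

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def _spend_allowance(self, owner, spender, amount):
        key = (owner, spender)
        if self.strict_zero and amount == 0 and key not in self.allowances:
            # Hardened variant: a zero-value transferFrom needs a prior approve().
            raise Revert("zero-value transferFrom without approval")
        current = self.allowances.get(key, 0)
        if current < amount:              # standard check: 0 < 0 is False, so it passes
            raise Revert("ERC20: insufficient allowance")
        if current != MAX_UINT256:        # unlimited approvals are not decremented
            self.allowances[key] = current - amount

    def _transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise Revert("ERC20: transfer amount exceeds balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        self.events.append(("Transfer", sender, recipient, amount))

    def transfer_from(self, caller, owner, recipient, amount):
        """ERC-20 transferFrom as seen by the contract: caller is msg.sender."""
        self._spend_allowance(owner, caller, amount)
        self._transfer(owner, recipient, amount)


VICTIM = "0x1111222233334444555566667777888899990000"
EXCHANGE = "0xa1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"   # address the victim often pays
LOOKALIKE = "0xa1b200001111222233334444555566667777a9b0"  # same first/last 4 hex digits
ATTACKER = "0xffffeeeeddddccccbbbbaaaa9999888877776666"


def poison_on_standard_token():
    """ATTACKER holds no approval from VICTIM, yet the zero-value call succeeds
    and logs a Transfer(VICTIM -> LOOKALIKE, 0) that explorers and wallets show."""
    token = Token()
    token.mint(VICTIM, 1_000)
    token.transfer_from(ATTACKER, VICTIM, LOOKALIKE, 0)
    return token.events, token.balances[VICTIM]


def poison_on_strict_token():
    """Same call against the hardened variant: it reverts and no event is logged."""
    token = Token(strict_zero=True)
    token.mint(VICTIM, 1_000)
    try:
        token.transfer_from(ATTACKER, VICTIM, LOOKALIKE, 0)
    except Revert as err:
        return str(err), token.events
    return None, token.events


def legitimate_zero_transfer_on_strict_token():
    """The cost of the hardened variant: a contract that legitimately moves
    0 tokens via transferFrom (valid under ERC-20) now reverts unless the owner
    approved it first. Returns True if the call succeeded."""
    token = Token(strict_zero=True)
    token.mint(VICTIM, 1_000)
    try:
        token.transfer_from(EXCHANGE, VICTIM, EXCHANGE, 0)
    except Revert:
        return False
    return True
```

The point of the three functions is the trade-off the article describes: on the standard token the poisoning call costs nothing but gas and leaves an event indistinguishable from a genuine transfer (the victim's balance is untouched), while the strict variant stops it only by also rejecting zero-value calls that the standard permits, which is why the off-chain mitigations are the ones explorers and wallets have actually shipped.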

Future of Scam Protection

Address poisoning is a significant threat to DeFi users, but the integration of machine learning (ML) in cybersecurity protection offers a promising solution. ML algorithms can detect suspicious patterns and anomalies in transaction data, ensuring swift responses to malicious activities like address poisoning. As the DeFi ecosystem grows, ML-based solutions are critical for bolstering security and resilience. By adopting best practices and leveraging innovative technologies like ML, we can safeguard users and the ecosystem from phishing attacks and ensure the success of the DeFi space.