In Brief
- MetaMask has warned its users against falling prey to ‘address poisoning,’ a crypto scam growing in popularity.
- After monitoring a transaction, scammers create an address mimicking the receiving user’s, using the same first and last four digits.
- By sending a $0 transaction from the faux address to the original sender’s, the scammer hopes their cached address will replace the original receiver’s.
MetaMask is warning its users against a growing new crypto scam called “address poisoning,” though the news has come a bit late for some.
Cryptocurrency wallets can include one or more accounts, each with its own cryptographically generated address, MetaMask explains in a release. However, these long hexadecimal numbers are intentionally difficult to remember, which forces frequent use of copy and paste. This is precisely what address poisoning attempts to take advantage of.
How Addresses Become “Poisoned”
Rather than a sophisticated hack that compromises a protocol’s infrastructure, address poisoning relies on human psychology and the mechanics of crypto transactions. The following scenario is a case in point.
In this scenario, User A makes regular transactions to User B, which Attacker C discovers using software that monitors transfers of certain tokens, typically stablecoins. The attacker then uses a “vanity” address generator to create a hacker address C that closely matches user address B.
Attacker C then sends a $0 transaction between user address A and hacker address C. This “poisons” User A’s address history, as hacker address C is now cached in place of user address B. Since hacker address C shares the same first and last four digits as user address B, Attacker C hopes that User A inadvertently copies the hacker’s address when trying to transact with User B.
The scam can easily be avoided by thoroughly checking addresses before committing to transactions, however tedious.
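A defender-side check for the scenario above, added here as an example (it is not code from MetaMask or from the article): it flags a destination that matches a saved contact on the first and last four hex characters but is not that contact, and it flags zero-value inbound transfers from such lookalikes in a transaction history. The addresses and history are constructed sample data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")


@dataclass(frozen=True)
class Transfer:
    counterparty: str  # address the tokens came from or went to
    value: int         # amount in smallest units; 0 for a poisoning transfer
    direction: str     # "in" or "out"


def looks_alike(addr: str, known: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True if addr matches known on the compared prefix/suffix but is a different address.
    The prefix is compared after '0x' so the shared '0x' never counts as a match."""
    a, k = addr.lower(), known.lower()
    if not (HEX_ADDR.match(a) and HEX_ADDR.match(k)) or a == k:
        return False
    return a[2:2 + prefix] == k[2:2 + prefix] and a[-suffix:] == k[-suffix:]


def check_destination(dest: str, trusted: dict) -> str | None:
    """Return a warning if dest is an unsaved lookalike of an address-book entry, else None."""
    if dest.lower() in {t.lower() for t in trusted}:
        return None
    for known, label in trusted.items():
        if looks_alike(dest, known):
            return f"{dest} resembles saved contact '{label}' ({known}) but is NOT that address"
    return None


def suspicious_transfers(history: list, trusted: dict) -> list:
    """Flag zero-value inbound transfers from addresses that mimic a trusted contact."""
    return [t for t in history
            if t.direction == "in" and t.value == 0
            and any(looks_alike(t.counterparty, k) for k in trusted)]


# Constructed sample data (not real addresses): same first/last four hex chars, different middle.
USER_B = "0x1234aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabcd"
HACKER_C = "0x1234bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbabcd"
ADDRESS_BOOK = {USER_B: "User B"}
HISTORY = [
    Transfer(USER_B, 100_000_000, "out"),  # legitimate payment to User B
    Transfer(HACKER_C, 0, "in"),           # the $0 poisoning transfer from hacker address C
]
```

Wallet or explorer UIs can run the same comparison before showing a copied address, so the lookalike is flagged at the moment the user is about to paste it.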
MetaMask Mistakes
Some users are disappointed by the delay in announcing the news. “MetaMask finally documents the address poisoning attack after 2+ months,” tweeted Han Tuzun. His post linked to an article, dated from the beginning of December, that explains the scam in thorough detail.
Tuzun further warned users about vanity address generators that can produce near-identical addresses in seconds. He also called on infrastructure builders to warn users sufficiently in the UI against such attacks.
This latest setback for MetaMask comes after it faced strong public backlash following an update to its data retention policies. The firm updated its privacy policy late last year, leading to reports that it would result in the collection of users’ wallet and IP addresses.
This quickly led to a heated response from the crypto community, which prompted a post from developer ConsenSys on Dec. 6 to try to reassure its users.
Disclaimer
BeInCrypto has reached out to the company or individual involved in the story for an official statement on the recent developments, but it has yet to hear back.