MetaMask notified the crypto community of a new type of scam called “address poisoning” in a recent post.
The scam was rated as “rather innocuous compared to other scam types.” However, the company warned that address poisoning still has the potential to dupe unsuspecting users into losing funds.
“Address poisoning is an attack vector that, in contrast to other scams — which often use methods that have served many scammers so well, such as unlimited token approvals, phishing for your Secret Recovery Phrase, etc. — relies on user carelessness and haste above all else.”
How “address poisoning” works
Address poisoning centers on wallet addresses being long hexadecimal numbers that are difficult to remember and easy to mistake for other, similar addresses.
Crypto addresses are often shortened to show the first few characters, a blank, and then the last few. Scammers exploit the tendency to trust the familiarity of the first and last few characters.
When transacting, the usual routine consists of copying and pasting an address. Many wallet providers, including MetaMask, feature a one-click function to copy an address.
Address poisoning exploits users’ inattention at this point in the transaction process. Specifically, scammers observe and track transactions of particular tokens, with stablecoins commonly targeted. Then, using a “vanity” address generator, the scammer will create an address that closely matches the target address, especially the first and last few characters.
The scammer sends a transaction of nominal value from the newly generated address to the target address; at this point, the latter becomes poisoned.
In the future, when wishing to send a transaction, the user may mistakenly copy the wrong address based on the familiarity of the first and last few characters. Once executed, the funds end up with the scammer.
“And since on-chain transactions like this are immutable (cannot be altered once confirmed), the lost funds will be irretrievable.”
MetaMask explains how to stay safe
Unfortunately, the nature of public blockchains means anyone, including scammers, can send transactions to any address if they choose.
MetaMask reiterated the importance of checking every address character when sending funds, not just the first and last few.
“Develop a habit of thoroughly checking every single character of an address before you send a transaction. This is the only way to be completely sure you’re sending to the right place.”
Other strategies to avoid falling victim to address poisoning include not using transaction history to copy addresses, whitelisting frequently used addresses to avoid copying and pasting altogether, and using test transactions, especially when transferring large sums.