MetaMask warns of a new type of fraud that exploits user inattention during the simple act of copying a wallet address.
On January 12, MetaMask issued a warning about a new form of asset theft called "address poisoning", describing how scammers take advantage of users who, out of haste or carelessness, copy the wrong wallet address when transferring money.
A new scam called 'Address Poisoning' is on the rise. Here's how it works: after you send a normal transaction, the scammer sends a $0 token txn, 'poisoning' the txn history. (1/3)
January 11, 2023
Wallet addresses are long hexadecimal numbers and are difficult to remember. They are usually shortened so that only the first and last few characters are shown. Today's wallet providers, including MetaMask, have a "copy address" feature via a double click. This is the "critical weakness" the attacker targets.
An asset theft by "address poisoning" would go like this:
- User A sends a normal transaction to User B, which attacker C learns about through on-chain transaction data.
- Attacker C then uses an address generator to create an address that closely resembles user B's address (the first and last characters match).
- Next, attacker C performs a $0 transaction between user A's address and his own. This is where the name "address poisoning" comes from: address C now appears in user A's transaction history, creating the belief that it is address B because the terminal characters are similar.
- User A may then copy the wrong address without noticing and transfer funds to attacker C.
This form of fraud is considered "quite harmless" compared to other traditional scams, in which hackers try to attack a secure system or trick a user into giving up a private key.
MetaMask, the wallet platform that has reported address poisoning incidents, issued its warning more than two months after a Twitter user started providing information about this new type of scam. As a result, many people criticized MetaMask for being too late in announcing the incident.
MetaMask finally documents the address poisoning attack after 2+ months.
January 12, 2023
Also read https://t.co/l24rQKy9OL
To users: An address that looks like yours could be generated in a second.
To infrastructure builders: It's your responsibility to warn users in UI against this attack. https://t.co/lz3bXmjnDI
In the warning, MetaMask prompts the user:
“Develop the habit of thoroughly checking every character of the address before you confirm a transaction. This is the only way to be absolutely certain that you are sending to the correct address.”
In addition, there are other defense methods, such as not copying addresses from transaction history, whitelisting frequently used addresses, and sending a test transaction first, especially when transferring a large amount.
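The whitelist defense and the poisoning steps described above can be checked mechanically. The following is an added example, not MetaMask's code: it compares a destination against a saved address book and flags history entries that look the same as a saved address once shortened. The function names, the record shape and the 6-plus-4 character truncation are assumptions, and all addresses are constructed.

```javascript
// Added example, not MetaMask code. All addresses and records are constructed.
// Assumption: the UI shortens addresses to the first 6 and last 4 characters.
const HEAD = 6; // "0x" plus 4 hex characters
const TAIL = 4;

const norm = (addr) => addr.trim().toLowerCase();
const shortForm = (addr) => `${norm(addr).slice(0, HEAD)}...${norm(addr).slice(-TAIL)}`;

// Two different addresses that render identically once shortened.
function looksAlike(a, b) {
  return norm(a) !== norm(b) && shortForm(a) === shortForm(b);
}

// Classify a destination before sending, against the user's address book.
function checkRecipient(candidate, addressBook) {
  if (addressBook.some((known) => norm(known) === norm(candidate))) return "trusted";
  if (addressBook.some((known) => looksAlike(candidate, known))) return "lookalike";
  return "unknown";
}

// Scan history for counterparties that imitate an address-book entry.
function findPoisonedEntries(history, addressBook, self) {
  const findings = [];
  for (const tx of history) {
    for (const party of [tx.from, tx.to]) {
      if (norm(party) === norm(self)) continue;
      const imitates = addressBook.find((known) => looksAlike(party, known));
      if (imitates) findings.push({ suspect: party, imitates, zeroValue: tx.value === 0n });
    }
  }
  return findings;
}

// Constructed sample: A pays B, then a $0 transfer involving look-alike C appears.
const USER_A = "0x" + "a".repeat(40);
const USER_B = "0x52c9" + "1".repeat(32) + "9f3e";
const ATTACKER_C = "0x52C9" + "7".repeat(32) + "9F3E"; // mixed case on purpose
const sampleHistory = [
  { from: USER_A, to: USER_B, value: 1500000000000000000n },
  { from: USER_A, to: ATTACKER_C, value: 0n },
];

for (const f of findPoisonedEntries(sampleHistory, [USER_B], USER_A)) {
  console.log(`${shortForm(f.suspect)} imitates a saved address (zero-value: ${f.zeroValue})`);
}
```

A "lookalike" result is the case where a wallet UI should block the copy or show the full address side by side with the saved one.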
The MetaMask wallet app also faced backlash from the community after updating its data retention policy late last year. Under that policy, ConsenSys, the company behind MetaMask, would collect users' IP data and MetaMask wallet addresses. However, the company quickly adjusted and said it would only save the data for 7 days.