Address poisoning is a crypto fraud that MetaMask is alerting its users against, but the information may have arrived too late for some customers.
Cryptocurrency wallets can have multiple accounts with unique addresses. These addresses are long and difficult to remember, making copy-paste vulnerable to address poisoning attacks. MetaMask highlights this in their release.
Address Poisoning Explained
Address poisoning relies on human psychology and crypto transaction mechanics, not protocol infrastructure hacks.
In this instance, User A often transacts with User B, which Attacker C learns about by using software that keeps track of transfers of specific tokens, typically stablecoins. The hacker will next utilize a vanity address tool to generate hacker address C, which closely resembles user address B.
Then, attacker C will carry out a $0 transaction between hacker address C and user address A. As a result, the address gets poisoned since hacker address C starts predominating over user address B for user address A. Since the user address is B and the hacker address, C has identical first and last four digits. Attacker C hopes that User A will mistakenly use their address when attempting to interact with User B.
The scam can be readily prevented by meticulously examining addresses and committing to payments, however time-consuming they may be.
Errors In MetaMask
MetaMask delayed announcing the address poisoning attack, which disappointed users as Han Tuzun reported it 2+ months ago.
MetaMask finally documents the address poisoning attack after 2+ months. Also read https://mirror.xyz/x-explore.eth/cL3d_CyNujXq8XY7ueP4omNXx_IY1EG5Dz0FD0vJ90M… To users: An address that looks like yours could be generated in a second. To infrastructure builders: It’s your responsibility to warn users in UI against this attack.
Tuzun additionally forewarned users against vanity address generators that may produce nearly similar addresses in a matter of seconds. The Twitter user encouraged infrastructure developers to warn users of such attacks through user interfaces adequately.
Following an upgrade to its data retention practices, MetaMask experienced significant public backlash, which led to this most recent setback. Late last year, the company changed its privacy statement, sparking rumors that it would lead to the acquisition of customers’ IP addresses and wallet information.
Related Reading | BlockFi To Release Financial Data On Wednesday, Amid Bankruptcy
A heated response from the crypto community prompted Dec. 6 post by developer ConsenSys, to reassure users.