The past few months of 2024 looked like the calm before the storm, with much fewer rug pulls, scams and bridge exploits compared to previous periods. A new way to divert funds is making the rounds and is affecting bigger wallets.
The exploit became known as address poisoning. It involves sending funds to malicious wallets instead of the targeted destination. The attack affects DeFi users and decentralized traders.
Biggest Heist Affects Wrapped BTC on the Ethereum Blockchain
The most recent heist affected a sum estimated between $68M and $71M due to fluctuating market prices.
The most serious danger of address poisoning is that all involved addresses are entirely valid and usable. Most likely, an attacker injects the exploit address into a user’s history using microtransactions.
Then, the user may copy-paste the Ethereum address without checking, thinking it is the address of an exchange or another wallet. Ultimately, the exploit relies on human error and failure to check a few sub-strings of the address.
Supporters of human-readable identities also noted that ENS names could save the hassle of comparing address strings. But even comparing the first and last four address letters is sometimes not enough against sending funds to the wrong destination.
The current exploit did not even include attacks against the copy-paste function but relied on overlooking the address injected into the wallet’s history. Another form of poisoned address attack is more advanced and involves a compromised wallet that generates private keys already known to the creator.
Impersonators Run with the Latest Big Scam
The latest large-scale attack has been used by multiple social media personas, who seem to impersonate the real victim. The wallet’s owner has not come forward in a reliable way, and many claim to be the actual owner, as a way to shill their tokens or NFT.
Researcher @Zachxbt remains skeptical, while watching out for new scammers:
The high-profile exploit has been used once again for fake giveaways, NFT airdrops or simply to gain exposure for a donation address.
Can Funds be Saved from Tainted Addresses?
Not all blockchain transactions are irreversible. Currently, the wallet owner has reached out to the hackers, offering a 10% commission if they return the funds. Depending on the protocol, wrapped BTC may also be eligible for a return on the side of block validators.
At present, there is no evidence of fund relocation.
Is the Address Poisoning Hack a Serial Offense?
Some skeptics see the recent heist as a tool for engagement farming or social media clout. There is still not enough evidence to trace the wallet to its owner, though some claim to be the affected account.
What is more curious, the funds from the exploit ended up in a wallet cluster that is tied to previous token thefts.
Tokens and assets on the Ethereum blockchain remain highly transparent, so this wallet cluster has been singled out for “fake phishing”. The funds have not been sent to a mixer or a decentralized protocol, or laundered though NFT.
Is Dust Phishing Scam Revived?
The current exploit also looks like a revival of the “dust phishing” scam, which has been around for more than a year. The approach of this attack is the same – the attackers send small transactions to rich wallets, making them believe the sums are coming from other legitimate addresses.
Sometimes, the attacker is allowed to generate an address where even the first and last four digits are similar. The best way to avoid problems is to never copy and paste addresses from the transaction history. Instead, get the address from a reliable source each time.
The Ethereum network and its token standard cannot prevent dust transactions, and not all malicious addresses can be flagged.
Developers are offering a workaround using wallets that can compare random parts of the address’s digits and letters. This will prevent the problem of only verifying characters at the beginning and the end of an address.
Other solutions include a visual representation of the address to avoid having to compare the long, unreadable strings.
From Zero to Web3 Pro: Your 90-Day Career Launch Plan