Document full identifiers policy in README
All checks were successful
check / check (push) Successful in 13s
Addresses, tx hashes, and contract addresses must always be shown in full to prevent address poisoning attacks. Truncation only acceptable when full identifier is one tap away.
parent
d384d41c82
commit
147ffbeb92
12
README.md
@ -113,6 +113,18 @@ All user-facing text avoids crypto jargon wherever possible:
|
||||
- Error messages are full sentences ("Please enter your password." not "password
|
||||
required")
|
||||
|
||||
#### Full Identifiers Policy
|
||||
|
||||
Addresses, transaction hashes, contract addresses, and all other cryptographic
|
||||
identifiers are displayed in full whenever possible — never truncated. Address
|
||||
poisoning attacks exploit truncated displays by generating fraud addresses that
|
||||
share the same prefix and suffix as a legitimate address. If a user only sees
|
||||
`0xAbCd...1234`, an attacker can create an address with the same visible
|
||||
characters and trick the user into sending funds to it. Showing the complete
|
||||
identifier defeats this class of attack. Truncation is only acceptable in
|
||||
space-constrained contexts where the full identifier is accessible one tap away
|
||||
(e.g. a tooltip or copy action).
|
||||
|
||||
#### Data Model
|
||||
|
||||
The core hierarchy is **Wallets → Addresses**:
|
||||
|
||||
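Review bot: The last sentence of the new "Full Identifiers Policy" paragraph lists "a tooltip or copy action" as acceptable ways to reach the full identifier, but a copy action places the value on the clipboard without displaying it, so the user still compares only the truncated form that the paragraph says address poisoning exploits. Consider requiring that the full identifier be viewable one tap away (for example an expand or detail view), with copy offered in addition rather than as a substitute. The paragraph also says "whenever possible" where the commit message says "must always be shown in full"; pick one wording, and name the space-constrained contexts where truncation is allowed so the exception is not left to each screen's author.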