From d05de16e9c3aa47268c5931eed865b154c1e57ad Mon Sep 17 00:00:00 2001 From: sneak Date: Thu, 26 Feb 2026 13:57:24 +0700 Subject: [PATCH] Document address poisoning attack and AutistMask defenses in README Detail the specific attack observed against our test address: a fake ERC-20 contract emitting spoofed Transfer events to plant a look-alike scam address in transaction history. Document all planned defenses: known token symbol verification, low-holder filtering, fraud contract blocklist, send-side filtering, and the principle that all filters are user-configurable. --- README.md | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/README.md b/README.md index abf8222..67d4fbf 100644 --- a/README.md +++ b/README.md 
@@ -455,6 +455,81 @@ project owner. - Configurable RPC endpoint - Future: USD value display (and other fiat currencies) +### Address Poisoning and Fake Token Transfer Attacks + +During development, one of our test addresses +(`0x66133E8ea0f5D1d612D2502a968757D1048c214a`) sent 0.005 ETH to +`0xC3c693Ae04BaD5f13C45885C1e85a9557798f37E`. Within seconds, a fraudulent +transaction appeared in the address's token transfer history +(`0x85215772ed26ea8b39c2b3b18779030487efbe0b5fd7e882592b2f62b837be84`) showing a +0.005 "ETH" transfer from our address to +`0xC3C0AEA127c575B9FFD03BF11C6a878e8979c37F` — a scam address whose first four +characters (`0xC3C0`) visually resemble the legitimate recipient (`0xC3c6`). + +**How it works:** A scammer deploys a malicious ERC-20 contract (in this case, +`0xD05339f9Ea5ab9d9F03B9d57F671d2abD1F55c82`, a fake token calling itself +"Ethereum" with symbol "ETH" and zero holders). This contract has a function +that emits an ERC-20 `Transfer(from, to, amount)` event with arbitrary +parameters. The EVM does not enforce that the `from` address in a Transfer event +actually initiated or authorized the transfer — any contract can emit any event +with any parameters. The scammer calls their contract, which emits a Transfer +event claiming the victim sent tokens to the scam address. Every blockchain +indexer (Blockscout, Etherscan, etc.) sees a valid Transfer event log and +indexes it as a real token transfer. + +**The attack has two goals:** + +1. **Autocomplete poisoning**: Wallets that offer address autocomplete based on + transaction history will suggest the scam address (which looks similar to a + legitimate recent recipient) when the user starts typing. The user copies the + wrong address and sends real funds to the scammer. + +2. **Transaction history confusion**: The fake transfer appears in the victim's + history as an outbound transaction, making it look like the user sent funds + to the scam address. 
Users who copy-paste addresses from their own + transaction history may grab the wrong one. + +**What AutistMask does about it:** + +- **Minimal, careful truncation**: Where space constraints require truncation + (e.g. the transaction history list), AutistMask truncates conservatively — + displaying enough characters that generating a vanity address matching the + visible portion is computationally infeasible. All confirmation screens + (transaction signing, send confirmation) display the complete untruncated + address. Users should always verify the full address on the confirmation + screen before signing or sending. + +- **Known token symbol verification**: AutistMask ships a hardcoded list of the + top 250 ERC-20 tokens with their legitimate contract addresses and symbols. + Any token transfer claiming a symbol from this list (e.g. "ETH", "USDT", + "USDC") but originating from an unrecognized contract address is identified as + a spoof and filtered from display. The fake "Ethereum" token in the attack + above used symbol "ETH" from contract + `0xD05339f9Ea5ab9d9F03B9d57F671d2abD1F55c82`, which does not match the known + WETH contract — so it would be caught by this check. + +- **Low-holder token filtering**: Token transfers from ERC-20 contracts with + fewer than 1,000 holders are hidden from transaction history by default. + Legitimate tokens have substantial holder counts; poisoning tokens typically + have zero. This catches new poisoning contracts that use novel symbols not in + the known token list. + +- **Fraud contract blocklist**: AutistMask maintains a local list of known fraud + contract addresses. Token transfers involving these contracts are filtered + from the transaction history display. The list is populated when a fraudulent + transfer is detected and persists across sessions. + +- **Send-side token filtering**: Tokens with fewer than 1,000 holders are + excluded from the token selector on the send screen. 
This prevents users from + accidentally interacting with a spoofed token that appeared in their balance + via a fake Transfer event. + +- **User-configurable**: All of the above filters (known symbol verification, + low-holder threshold, fraud contract blocklist) are settings that default to + on but can be individually disabled by the user. AutistMask is designed as a + sharp tool — users who understand the risks can configure the wallet to show + everything unfiltered, unix-style. + ### Non-Goals - Token swaps (use a DEX in the browser)
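Review bot: In the "Known token symbol verification" bullet the worked example does not hold together: WETH's ERC-20 symbol is "WETH", not "ETH", and native ETH has no ERC-20 contract at all, so a list of "the top 250 ERC-20 tokens with their legitimate contract addresses and symbols" would carry no entry for "ETH" and the check as stated ("claiming a symbol from this list ... but originating from an unrecognized contract address") would not fire on the very transaction it is meant to catch. Either document "ETH" (and any other native-asset ticker the wallet displays) as a reserved symbol that no ERC-20 contract may legitimately use, or reword the example so the spoof is caught because no listed token carries that symbol; the sentence ending "so it would be caught by this check" currently conflates native ETH with WETH.

The "Low-holder token filtering" and "Send-side token filtering" bullets rest on a holder count, but the hunk itself explains that "any contract can emit any event with any parameters" and that indexers count whatever Transfer logs they see. The same contract can therefore emit Transfer events to a thousand fabricated recipients in one transaction and clear the 1,000 threshold, and the count is an indexer-derived figure that the "Configurable RPC endpoint" listed above does not supply. State where the number comes from and that the threshold raises the attacker's cost rather than guaranteeing anything. A check that does not depend on attacker-controlled data is worth documenting next to it: in the observed transaction the victim address appears only as the `from` parameter of the log, not as the transaction sender, and the token has "zero holders", so a transfer out of an address that never received the token is impossible for a conforming ERC-20 and can be flagged without any holder count.

The "Fraud contract blocklist" bullet says the list "is populated when a fraudulent transfer is detected" without saying by whom or by which check; specify whether entries are added automatically from the symbol and holder filters, manually by the user, or both, because an automatic entry that stems from the spoofable holder count would, per "persists across sessions", stick permanently.

The "Minimal, careful truncation" bullet promises "enough characters that generating a vanity address matching the visible portion is computationally infeasible" but gives no count. State how many leading and trailing hex characters the history list shows and the resulting work factor: the observed attack matched only four leading characters, and a display of six leading plus six trailing characters is 16^12, about 2^48, which is within reach of a GPU vanity-address generator. Finally, "Every blockchain indexer (Blockscout, Etherscan, etc.) sees a valid Transfer event log and indexes it as a real token transfer" is broader than what was observed; scope it to the indexers actually checked.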