Document address poisoning attack and AutistMask defenses in README
Some checks failed
check / check (push) Has been cancelled
Detail the specific attack observed against our test address: a fake ERC-20 contract emitting spoofed Transfer events to plant a look-alike scam address in transaction history. Document all planned defenses: known token symbol verification, low-holder filtering, fraud contract blocklist, send-side filtering, and the principle that all filters are user-configurable.
README.md (75 lines changed)
@@ -455,6 +455,81 @@ project owner.
- Configurable RPC endpoint
- Future: USD value display (and other fiat currencies)

### Address Poisoning and Fake Token Transfer Attacks

During development, one of our test addresses
(`0x66133E8ea0f5D1d612D2502a968757D1048c214a`) sent 0.005 ETH to
`0xC3c693Ae04BaD5f13C45885C1e85a9557798f37E`. Within seconds, a fraudulent
transaction appeared in the address's token transfer history
(`0x85215772ed26ea8b39c2b3b18779030487efbe0b5fd7e882592b2f62b837be84`) showing a
0.005 "ETH" transfer from our address to
`0xC3C0AEA127c575B9FFD03BF11C6a878e8979c37F` — a scam address whose first four
characters (`0xC3C0`) visually resemble the legitimate recipient (`0xC3c6`).

**How it works:** A scammer deploys a malicious ERC-20 contract (in this case,
`0xD05339f9Ea5ab9d9F03B9d57F671d2abD1F55c82`, a fake token calling itself
"Ethereum" with symbol "ETH" and zero holders). This contract has a function
that emits an ERC-20 `Transfer(from, to, amount)` event with arbitrary
parameters. The EVM does not enforce that the `from` address in a Transfer event
actually initiated or authorized the transfer — any contract can emit any event
with any parameters. The scammer calls their contract, which emits a Transfer
event claiming the victim sent tokens to the scam address. Every blockchain
indexer (Blockscout, Etherscan, etc.) sees a valid Transfer event log and
indexes it as a real token transfer.

**The attack has two goals:**

1. **Autocomplete poisoning**: Wallets that offer address autocomplete based on
transaction history will suggest the scam address (which looks similar to a
legitimate recent recipient) when the user starts typing. The user copies the
wrong address and sends real funds to the scammer.

2. **Transaction history confusion**: The fake transfer appears in the victim's
history as an outbound transaction, making it look like the user sent funds
to the scam address. Users who copy-paste addresses from their own
transaction history may grab the wrong one.

**What AutistMask does about it:**

- **Minimal, careful truncation**: Where space constraints require truncation
(e.g. the transaction history list), AutistMask truncates conservatively —
displaying enough characters that generating a vanity address matching the
visible portion is computationally infeasible. All confirmation screens
(transaction signing, send confirmation) display the complete untruncated
address. Users should always verify the full address on the confirmation
screen before signing or sending.

- **Known token symbol verification**: AutistMask ships a hardcoded list of the
top 250 ERC-20 tokens with their legitimate contract addresses and symbols.
Any token transfer claiming a symbol from this list (e.g. "ETH", "USDT",
"USDC") but originating from an unrecognized contract address is identified as
a spoof and filtered from display. The fake "Ethereum" token in the attack
above used symbol "ETH" from contract
`0xD05339f9Ea5ab9d9F03B9d57F671d2abD1F55c82`, which does not match the known
WETH contract — so it would be caught by this check.

- **Low-holder token filtering**: Token transfers from ERC-20 contracts with
fewer than 1,000 holders are hidden from transaction history by default.
Legitimate tokens have substantial holder counts; poisoning tokens typically
have zero. This catches new poisoning contracts that use novel symbols not in
the known token list.

- **Fraud contract blocklist**: AutistMask maintains a local list of known fraud
contract addresses. Token transfers involving these contracts are filtered
from the transaction history display. The list is populated when a fraudulent
transfer is detected and persists across sessions.

- **Send-side token filtering**: Tokens with fewer than 1,000 holders are
excluded from the token selector on the send screen. This prevents users from
accidentally interacting with a spoofed token that appeared in their balance
via a fake Transfer event.

- **User-configurable**: All of the above filters (known symbol verification,
low-holder threshold, fraud contract blocklist) are settings that default to
on but can be individually disabled by the user. AutistMask is designed as a
sharp tool — users who understand the risks can configure the wallet to show
everything unfiltered, unix-style.

### Non-Goals

- Token swaps (use a DEX in the browser)
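Review bot: The "Known token symbol verification" bullet says the fake "ETH" token "does not match the known WETH contract — so it would be caught by this check", but a list of the top 250 ERC-20 tokens keyed by contract address and symbol will carry WETH under the symbol "WETH", not "ETH", and native ETH has no ERC-20 contract at all, so as documented the check would not fire on the exact spoof described at the top of the section. Please state how native-coin symbols are handled, e.g. that "ETH" is reserved and any ERC-20 claiming that symbol is treated as a spoof regardless of contract, and drop the WETH comparison from the example. Two smaller points in the same hunk: the "Low-holder token filtering" and "Send-side token filtering" bullets rely on a holder count, which cannot be obtained from the configurable JSON-RPC endpoint mentioned in the context lines above (it needs an indexer such as the Blockscout API named earlier), so document the data source and what happens when the count is unavailable, since failing open would silently disable both filters; and the "Minimal, careful truncation" bullet should give the actual number of leading and trailing hex characters shown, because "computationally infeasible" is only true for a fairly long visible portion (matching N hex characters costs roughly 16^N address generations, and the scam address in this very example was made to match the first few).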