Document address poisoning attack and AutistMask defenses in README
Detail the specific attack observed against our test address: a fake ERC-20 contract emitting spoofed Transfer events to plant a look-alike scam address in transaction history. Document all planned defenses: known token symbol verification, low-holder filtering, fraud contract blocklist, send-side filtering, and the principle that all filters are user-configurable.
README.md
@@ -455,6 +455,81 @@ project owner.
- Configurable RPC endpoint
- Future: USD value display (and other fiat currencies)
### Address Poisoning and Fake Token Transfer Attacks
During development, one of our test addresses
(`0x66133E8ea0f5D1d612D2502a968757D1048c214a`) sent 0.005 ETH to
`0xC3c693Ae04BaD5f13C45885C1e85a9557798f37E`. Within seconds, a fraudulent
transaction appeared in the address's token transfer history
(`0x85215772ed26ea8b39c2b3b18779030487efbe0b5fd7e882592b2f62b837be84`) showing a
0.005 "ETH" transfer from our address to
`0xC3C0AEA127c575B9FFD03BF11C6a878e8979c37F` — a scam address whose first four
characters (`0xC3C0`) visually resemble the legitimate recipient (`0xC3c6`).
**How it works:** A scammer deploys a malicious ERC-20 contract (in this case,
`0xD05339f9Ea5ab9d9F03B9d57F671d2abD1F55c82`, a fake token calling itself
"Ethereum" with symbol "ETH" and zero holders). This contract has a function
that emits an ERC-20 `Transfer(from, to, amount)` event with arbitrary
parameters. The EVM does not enforce that the `from` address in a Transfer event
actually initiated or authorized the transfer — any contract can emit any event
with any parameters. The scammer calls their contract, which emits a Transfer
event claiming the victim sent tokens to the scam address. Every blockchain
indexer (Blockscout, Etherscan, etc.) sees a valid Transfer event log and
indexes it as a real token transfer.
**The attack has two goals:**
1. **Autocomplete poisoning**: Wallets that offer address autocomplete based on
transaction history will suggest the scam address (which looks similar to a
legitimate recent recipient) when the user starts typing. The user copies the
wrong address and sends real funds to the scammer.
2. **Transaction history confusion**: The fake transfer appears in the victim's
history as an outbound transaction, making it look like the user sent funds
to the scam address. Users who copy-paste addresses from their own
transaction history may grab the wrong one.
**What AutistMask does about it:**
- **Minimal, careful truncation**: Where space constraints require truncation
(e.g. the transaction history list), AutistMask truncates conservatively —
displaying enough characters that generating a vanity address matching the
visible portion is computationally infeasible. All confirmation screens
(transaction signing, send confirmation) display the complete untruncated
address. Users should always verify the full address on the confirmation
screen before signing or sending.
- **Known token symbol verification**: AutistMask ships a hardcoded list of the
top 250 ERC-20 tokens with their legitimate contract addresses and symbols.
Any token transfer claiming a symbol from this list (e.g. "ETH", "USDT",
"USDC") but originating from an unrecognized contract address is identified as
a spoof and filtered from display. The fake "Ethereum" token in the attack
above used symbol "ETH" from contract
`0xD05339f9Ea5ab9d9F03B9d57F671d2abD1F55c82`, which does not match the known
WETH contract — so it would be caught by this check.
- **Low-holder token filtering**: Token transfers from ERC-20 contracts with
fewer than 1,000 holders are hidden from transaction history by default.
Legitimate tokens have substantial holder counts; poisoning tokens typically
have zero. This catches new poisoning contracts that use novel symbols not in
the known token list.
- **Fraud contract blocklist**: AutistMask maintains a local list of known fraud
contract addresses. Token transfers involving these contracts are filtered
from the transaction history display. The list is populated when a fraudulent
transfer is detected and persists across sessions.
- **Send-side token filtering**: Tokens with fewer than 1,000 holders are
excluded from the token selector on the send screen. This prevents users from
accidentally interacting with a spoofed token that appeared in their balance
via a fake Transfer event.
- **User-configurable**: All of the above filters (known symbol verification,
low-holder threshold, fraud contract blocklist) are settings that default to
on but can be individually disabled by the user. AutistMask is designed as a
sharp tool — users who understand the risks can configure the wallet to show
everything unfiltered, unix-style.
### Non-Goals
- Token swaps (use a DEX in the browser)
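Review bot: the "Known token symbol verification" bullet says the fake "ETH" token is caught because contract `0xD05339f9Ea5ab9d9F03B9d57F671d2abD1F55c82` "does not match the known WETH contract", but native ETH has no ERC-20 contract at all, so this hunk should state explicitly how the symbol "ETH" is represented in the hardcoded list (mapped to the WETH contract, or reserved with no legitimate contract); as written a reader cannot tell whether a transfer from the real WETH contract labelled "ETH" passes or fails the check. Two smaller documentation gaps in the same hunk: the "Minimal, careful truncation" bullet claims the visible prefix is long enough that grinding a matching vanity address is "computationally infeasible" but never says how many characters are shown, which is the number that backs the claim (the observed attack matched only four); and the "Low-holder token filtering" and "Fraud contract blocklist" bullets should say where the holder count comes from (the indexer rather than the configurable RPC endpoint listed above, and whether a transfer is hidden or shown when that lookup fails) and what "detected" means for the blocklist, i.e. whether entries are added automatically by the other two filters or only when the user flags a transfer.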