MetaMask Warns Against Copy-Pasting Crypto Wallet Addresses

Yesterday, the MetaMask team tweeted multiple times to alert users to the growing threat of a scam known as “address poisoning.” Scammers take a wallet address and use the first four alpha-numerical combinations and the last four to generate a new, fraudulent address. Then, to replace the matching address in your transaction history, the newly created fake address sends a $0 transaction. Address poisoning is a cryptographic attack against users who blindly copy and paste addresses into their transaction history without performing a necessary double-check.

How does address poisoning work?

If you didn't know already, your wallet includes one or more accounts, each of which has its cryptographically-generated address. These are long hexadecimal numbers, meaning they use both numerical and (a few) alphabetical characters. Unfortunately, this trait makes them unintelligible to most people and — critically — very difficult to remember. 

This is why supported by most web3 software, you have likely come to rely on copying and pasting addresses rather than memorizing them and typing them out. This saves a lot of time and ensures you don't make any mistakes and that your funds always go to the correct address. MetaMask falls into this category of facilitating copy-and-paste: you can copy your address with one click/tap. 

Address poisoning speculatively exploits this copy-and-paste tendency. Here's how:

1. You send a regular, everyday, nothing-to-see-here transaction to a friend. 
2. The scammer, who has software that monitors transfers of certain tokens (usually stablecoins), notices. They use a 'vanity' address generator (there are many accessible with a quick web search) to create an address that closely matches yours (sometimes, it'll match your friend's).
   Since they're so long, crypto wallet addresses are typically shortened. You might see the first lot of characters only, or sometimes you may see the initial 5-10 or so and the final 5-10 or so, skipping the middle. This is how most people recognize addresses: not by knowing every single character, but by becoming familiar with the start and finish. This is the tendency that address poisoning preys on.
3. The scammer sends a transaction of negligible value from another account to the dummy one they created, that closely matches yours. Usually these are transfers of zero tokens. With this, they've poisoned your wallet. 
4. Since their dummy address looks so similar to yours, it's entirely possible that, the next time you need your address, you might inadvertently copy their address from your transaction history and paste it elsewhere. Naturally, if you paste their address by accident, you'll send funds to them and not yourself. And since on-chain transactions like this are immutable (cannot be altered once confirmed), the lost funds will be irretrievable.

However, a portion of the cryptocurrency community was not pleased with the security update because they believe the largest cryptocurrency wallet provider may have acted too slowly to bring public notice of the issue. Twitter user Tuzun (0xTuzun), who first warned the public about the incident on December 2, 2022, shed light on the attack's specifics and widespread impact on wallets. Since December 2022, over 340,000 addresses have been poisoned, and Tuzun claims that 95 victims' wallets have been stolen, totaling about $1.6 million. The investigation estimates that the attacks cost slightly more than $25,000, indicating a profit margin of over 6,000%.

Tuzun reports that various attackers in the Asian time zone have been exploiting BSC and ETH addresses since the 22nd and 27th of November, 2022, respectively.

Tuzun had used the on-chain monitoring platform Xplore to track down some possible bad actors; he also suggested that MetaMask add color markers to the transaction history so that users could quickly identify wallet addresses. Before sending funds, users were also prompted to verify the wallet address's full alpha-numeric format, not just the first four digits. The poison address scam is the latest in a long line of crypto-related frauds that cost the industry over $3.5 billion in 2017.

MetaMask, to aid victims of cryptocurrency scams, joined forces with Asset Reality in May to create a SaaS tool for recovering stolen digital assets. It's been eight months, but we still don't know how far along either company is in its asset recovery efforts. In addition, MetaMask has not yet responded to the affected users or offered practical compensation plans for losses.