Crypto users need to protect themselves against a wide range of potential scams and attacks.  A new threat revealed by MetaMask called “address poisoning” is designed to exploit how addresses are displayed on many sites.

The Risks of Shortened Addresses

Blockchain addresses are random values that are commonly displayed as an alphanumeric string.  These addresses commonly range from 25 to 40 characters in length, making memorization impossible for the average person.

To improve the user experience, some crypto sites will only show a few characters from the beginning and end of an address on the site.  For example, a site may show the first and last five characters of an address, while skipping the middle 15-30 since it is unlikely that a user will know or recognize them anyway.

The problem with address shorting is that it makes it easier for an attacker to identify an address that has the same shortened form as a user’s address.  Since most blockchains’ addresses are not case-sensitive, there are only 36 possibilities for each character.  An attacker using an address generator would have to try 36^10=3656158440062976 possibilities on average to find a matching address.  While this seems like a lot, it is well within a computer’s capabilities.

How Address Poisoning Attacks Work

An attacker can create an address that has the same shortened version as a user’s legitimate address.  This is significant because, when making a transaction, some users will copy-paste their address from their blockchain transaction history without verifying it.

Address poisoning attacks take advantage of this practice by sending a low-value transaction to the victim from the lookalike address.  When the user copy-pastes the latest address for a later transaction, they send the transaction to the attacker rather than to their own account.

Protecting Against Address Poisoning Attacks

Address poisoning attacks take advantage of the practice of copy-pasting addresses from transaction histories, so the simplest way to avoid this attack is to not do that.  Instead, copy-paste addresses from a reputable source, such as the wallet provider.

Beyond that, it is important to double-check addresses before submitting transactions.  Once the transaction has been added to the blockchain’s ledger, it is immutable and cannot be reversed.

Address poisoning is one of several common scams and attacks in the crypto space.  To learn about what else to watch out for, check out our blog on common crypto scams.

MetaMask Warns of New “Address Poisoning” Crypto Scam
Rob Behnke
01.18.2023