Preventing Address Poisoning In Komodo Wallet

Address poisoning (a.k.a. address poisoning attack) is a type of scam that targets users of any cryptocurrency wallet. A scammer will try to "poison" your cryptocurrency address by sending a tiny amount of crypto (i.e. BNB, MATIC, USDC). Sometimes the scammer will even send an NFT. Sometimes, the scammer's address might have similar characters to your crypto address.

The purpose of this scam is to trick you into thinking that you were the sender of this transaction. The scammer’s hope is that you will look at your transaction history and copy/paste their address from the poisoned transaction instead of an address you own.

Key Takeaways

• Understanding Address Poisoning: Address poisoning is a scam where a tiny amount of crypto is sent to your wallet from an address that mimics your own, hoping to trick you into copying and pasting the scammer’s address for future transactions.
• Komodo Wallet's Mitigation: Komodo Wallet now includes a hotfix to filter out near-zero transactions for EVM-based coins and tokens, reducing the risk of falling victim to address poisoning.
• Best Practices to Avoid Scams: Always avoid copying and pasting wallet addresses from your transaction history. Instead, navigate to the appropriate section in your wallet to find the correct address for transactions.
• Double-Check Your Addresses: To prevent losing funds, verify that every character of the address you’re sending to or receiving from matches exactly. Even a single mismatched character could result in irreversible loss of funds.

How Does Address Poisoning Work?

Address poisoning works by exploiting the way users typically copy and paste cryptocurrency addresses from their transaction history.

Scammers send a tiny amount of cryptocurrency or an NFT from an address that closely resembles your own, often matching a few characters at the beginning or end. This "poisoned" address then appears in your transaction history, making it easy to mistakenly copy and paste the scammer's address in future transactions.

Since blockchain transactions are irreversible, any funds sent to the scammer’s address are permanently lost. The scam relies on users being inattentive, making it crucial to double-check addresses before making any transactions.

Types of Address Poisoning Attacks Explained

Address poisoning attacks can be classified into a few distinct types, each with its own method of deceiving users. Here are the main types:

Address Mimicry

The scammer sends a small amount of cryptocurrency from an address that looks almost identical to the victim's address, hoping the user will mistakenly copy this fake address for future transactions.

Address Spoofing

In this type, the scammer creates an address that closely resembles a legitimate one by altering a few characters, making it difficult to detect the difference.

Transaction History Manipulation

Scammers poison the transaction history by sending small amounts of crypto, making their address appear frequently in the list, increasing the chances of it being copied in the future.

Sybil-Based Address Poisoning

A more complex form of address poisoning where the attacker creates multiple fake addresses or identities to flood the network, increasing the likelihood of one of these addresses being copied by mistake.

These types vary in complexity, but they all aim to exploit users' reliance on transaction history for copying addresses, leading to potential loss of funds.

How Komodo Wallet Mitigates Address Poisoning Attacks

We have recently implemented a hotfix to help mitigate the threat of address poisoning. Near-zero amounts for EVM-based coins and tokens will now have the option to be filtered out in your Komodo Wallet transaction history.

This update is now live in all of Komodo Wallet GUI releases (web, mobile, and desktop).

How to Avoid Address Poisoning Attacks on Komodo Wallet

While no one can stop a scammer from poisoning your crypto addresses, there are a few ways you can avoid losing funds and becoming a victim of this scam.

• Receiving crypto with Komodo Wallet: DO NOT copy/paste your wallet deposit address from your transaction history. Instead, find your address by following the steps below.

Note that the example here shows how to find a Litecoin (LTC) address via Komodo Wallet (web). The process is the same regardless of GUI or crypto you are using.

1. Go to the "Wallet" tab.

2. Tap on a cryptocurrency from the list.

3. Tap the “Receive” button.

4. Tap on the clipboard icon or scan the QR code to copy the address.

FAQ

Why is address poisoning so common in crypto?

As a general rule, address poisoning is a numbers game. This means scammers will target as many crypto wallets as possible and usually send small amounts of crypto to increase their odds of fooling someone. However, one notable exception is crypto addresses that hold larger amounts of funds.

Because most blockchains have public block explorers that show real-time crypto balances, it’s possible that some scammers will send larger amounts of crypto to addresses that have larger existing balances. Address poisoning filters on most wallets won’t necessarily detect and filter out these transactions.

What happens if I accidentally send funds to a poisoned address?

If you accidentally send funds to a poisoned address, the transaction is irreversible, and the funds are permanently lost. Blockchain transactions are immutable, meaning once a transaction is confirmed, it cannot be undone or reversed. Since the scammer owns the poisoned address, they will gain control of the funds you sent. Unfortunately, there is no way to recover the funds.

What is the best strategy for preventing address poisoning?

The best strategy for preventing address poisoning is to avoid copying and pasting cryptocurrency addresses from your transaction history. Instead, always navigate directly to the wallet's "Receive" section to retrieve your address.

Additionally, you should carefully verify every character of an address before sending any funds to ensure it matches the intended recipient's address exactly. Often, address poisoning attacks will use an address that matches a few characters at the start and end of the address, so at a glance it looks the same. Even if just one character doesn’t match, you will be sending funds to an address you don’t own.

There is always the possibility that the scammer has poisoned the addresses in your external wallet as well. Before sending your cryptocurrency to an external wallet, always check the crypto address within that application.

Using wallets that offer features like address filtering or flagging near-zero transactions, such as Komodo Wallet, can also help mitigate the risk of address poisoning.

What is address poisoning, and is it related to a phishing attack?

Address poisoning is a type of scam where a small amount of cryptocurrency is sent to your wallet from an address that closely resembles your own. The goal is to trick you into copying this fake address from your transaction history and using it in future transactions, leading to the loss of your funds.

While it is a different kind of attack, address poisoning shares similarities with phishing attacks in that both aim to deceive you into providing sensitive information or making erroneous transactions. However, phishing typically involves impersonating trusted entities to steal login credentials or private keys, whereas address poisoning focuses on tricking you into using a fraudulent address.