Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Address poisoning attack: Label zero value transactions in TX detail #7278

Closed
Hannsek opened this issue Jan 3, 2023 · 12 comments · Fixed by #7391
Closed

Address poisoning attack: Label zero value transactions in TX detail #7278

Hannsek opened this issue Jan 3, 2023 · 12 comments · Fixed by #7391
Assignees
Labels
altcoins not related to bitcoin low hanging fruit Simple, quick task. Doable in 2 hours. transactions Transaction history page

Comments

@Hannsek
Copy link
Contributor

Hannsek commented Jan 3, 2023

Background

One type of scam is that anyone can send a transaction from any address with 0 amount without the private keys. Attackers will send the 0 amount to the address, which is almost the same as the address of e.g. Binance. The user won't realize it as the beginning and the end of these addresses look the same. User will then just copy the address from TX history and send funds to that (wrong) address.

Proposed changes

Label zero value transactions from the TX list and detail as scammy.

Concepts

image (4)

Tooltip and red banner to contain link to KB article

Screenshot 2023-01-13 at 16 51 12

image (5)(1)

@Hannsek Hannsek added transactions Transaction history page low hanging fruit Simple, quick task. Doable in 2 hours. labels Jan 3, 2023
@Hannsek Hannsek changed the title Filter transaction with 0 amount Filter 0 amount transactions from tx history Jan 3, 2023
@Hannsek Hannsek moved this to 🎯 To do in Issues Suite Jan 3, 2023
@Hannsek Hannsek removed the status in Issues Suite Jan 3, 2023
@hynek-jina hynek-jina added the altcoins not related to bitcoin label Jan 3, 2023
@sime
Copy link
Contributor

sime commented Jan 4, 2023

Thorough analysis of the attack: https://www.reddit.com/r/TREZOR/comments/z8msk1/comment/iyd01ha/

Key takeaway how this attack is plausible

You might think they can not send anything from the wallet address to their scam address because they do not control the private keys of the wallet, but this is not entirely accurate. The TransferFrom method of ERC20/BEP20 tokens allows any address to send funds from any other address as long as the amount doesn’t exceed the allowance given, but in this case since the amount is 0 it doesn’t exceed the allowance which by default is 0.

@sime
Copy link
Contributor

sime commented Jan 4, 2023

Good thread on this topic: https://twitter.com/tayvano_/status/1605801004141727745

@sime
Copy link
Contributor

sime commented Jan 4, 2023

@sime sime changed the title Filter 0 amount transactions from tx history Address poisoning attack: Label zero value transactions in TX detail Jan 4, 2023
@sime sime moved this to 🎯 To do in Issues Suite Jan 4, 2023
@hynek-jina hynek-jina moved this from 🎯 To do to 🏃‍♀️ In progress in Issues Suite Jan 5, 2023
@cavigneron
Copy link

cavigneron commented Jan 13, 2023

@sime here are a couple of variations for the warning message bar:

  • Proceed with caution. This may be a fraudulent transaction. Read more here.
  • Beware! This may be a scam transaction. More here.
  • Caution! Potential fraud. Review this info before continuing.

For the tool tip (ideal max length 140 characters), how about:

  • Suspicious address alert! Verify before sending. Learn more about potential scam here. (86 characters)
  • Address poisoning alert! This address looks suspicious. Check and confirm the address before sending. Read more about this potential scam here. (143 characters)

@sime
Copy link
Contributor

sime commented Jan 13, 2023

@cavigneron I like this:

  • Proceed with caution. This may be a fraudulent transaction. Read more here.

For the tooltip I suggest:

  • Address poisoning alert! This transaction looks suspicious. Learn more.

@cavigneron
Copy link

@sime Top dollar!

@komret
Copy link
Contributor

komret commented Jan 17, 2023

I checked the code and have some questions:
The warning is currently shown for both received and sent transactions. However, the typical form of the attack is sending zero amount transactions from your address. Shouldn't we limit the warning to sent transactions only? If we include received transactions, this problem is not specific to EVM tokens and seems too broad to handle this way.

We could also make the condition more specific (Ethereum and EVM-compatible blockchains only, possibly also mainnet only), what do you think @sime?

@sime
Copy link
Contributor

sime commented Jan 17, 2023

I don't have we examples handy, but the attack could go in both directions.

I agree making the logic specific for EVM chains. Please note, this should be sharable with mobile later.

@komret
Copy link
Contributor

komret commented Jan 17, 2023

The logic is sharable via suite-common.

My point is that if we include received transactions as well, there is nothing EVM specific, e.g. someone might attack you by sending you 0 ETH or 0 BTC. And even if we warn with every zero-value transaction, this attack can still be performed very cheaply with some dust. So we cannot cover all cases anyway and it could lead to some false positives.

@dahaca
Copy link
Contributor

dahaca commented Jan 18, 2023

Currently the condition for getting marked as phishy is also having tokens, so it wouldn't be showing up for BTC, for example.
Also we have to bear in mind that we are speaking about the token transfer within a transaction, and they could have different types. In the scam transactions the wrapper transaction is not receive nor send since your address is not a part of it. However, the tokens transferred as a part of that transaction could be both send to and from your address.
Regardless of how this particular scam works, 0 value TXs seem suspicious anyways IMO :D

@github-project-automation github-project-automation bot moved this from 🔎 Needs review to 🤝 Needs QA in Issues Suite Jan 20, 2023
@bosomt
Copy link
Contributor

bosomt commented Jan 23, 2023

QA OK

image

image

Info:

  • Suite version: desktop 23.2.0 (4c8e4dc)
  • Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) TrezorSuite/23.2.0 Chrome/104.0.5112.124 Electron/20.3.5 Safari/537.36
  • OS: MacIntel
  • Screen: 1440x900
  • Device: model T 2.5.4 Universal (revision ab65b18b07170c8a9e4f1506620af988d678453b)
  • Transport: bridge 2.0.32

@bosomt bosomt moved this from 🤝 Needs QA to ✅ Approved in Issues Suite Jan 23, 2023
@Hannsek
Copy link
Contributor Author

Hannsek commented Feb 15, 2023

Shoudn't we block copying the address from the tx history? It is blurred but I can copy that… @sime

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
altcoins not related to bitcoin low hanging fruit Simple, quick task. Doable in 2 hours. transactions Transaction history page
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

8 participants