-
-
Notifications
You must be signed in to change notification settings - Fork 263
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Address poisoning attack: Label zero value transactions in TX detail #7278
Comments
Thorough analysis of the attack: https://www.reddit.com/r/TREZOR/comments/z8msk1/comment/iyd01ha/ Key takeaway how this attack is plausible
|
Good thread on this topic: https://twitter.com/tayvano_/status/1605801004141727745 |
How to reproduce the attack: https://www.reddit.com/r/CryptoScams/comments/zcnj34/comment/izctwyb/ |
@sime here are a couple of variations for the warning message bar:
For the tool tip (ideal max length 140 characters), how about:
|
@cavigneron I like this:
For the tooltip I suggest:
|
@sime Top dollar! |
I checked the code and have some questions: We could also make the condition more specific (Ethereum and EVM-compatible blockchains only, possibly also mainnet only), what do you think @sime? |
I don't have we examples handy, but the attack could go in both directions. I agree making the logic specific for EVM chains. Please note, this should be sharable with mobile later. |
The logic is sharable via My point is that if we include received transactions as well, there is nothing EVM specific, e.g. someone might attack you by sending you 0 ETH or 0 BTC. And even if we warn with every zero-value transaction, this attack can still be performed very cheaply with some dust. So we cannot cover all cases anyway and it could lead to some false positives. |
Currently the condition for getting marked as phishy is also having tokens, so it wouldn't be showing up for BTC, for example. |
QA OK Info:
|
Shoudn't we block copying the address from the tx history? It is blurred but I can copy that… @sime |
Background
One type of scam is that anyone can send a transaction from any address with 0 amount without the private keys. Attackers will send the 0 amount to the address, which is almost the same as the address of e.g. Binance. The user won't realize it as the beginning and the end of these addresses look the same. User will then just copy the address from TX history and send funds to that (wrong) address.
Proposed changes
Label zero value transactions from the TX list and detail as scammy.
Concepts
Tooltip and red banner to contain link to KB article
The text was updated successfully, but these errors were encountered: