What is an Address Poisoning Attack?

Reading Time: 2 minutes
  • The crypto community has been shocked by a $70 million loss due to a WBTC address poisoning attack
  • Address poisoning targets users by sending tiny amounts to wallets, exploiting trust in transaction history
  • Users should bookmark addresses and ensure they correctly match during transactions

The cryptocurrency community was stunned last week when news broke of a WBTC holder losing around $70 million in holdings after falling victim to a poisoning attack. This type of attack has been around for a while, but this is the biggest known hack relating to it. So what is a poisoning attack, and how can you guard against it? Let’s find out.

How Attackers “Poison” You

An address poisoning attack refers to a technique where an attacker sends a tiny amount of cryptocurrency to a user’s wallet address to “poison” or alter its transaction history. This attack leverages the fact that many users rely on transaction history to identify trusted addresses. 

The attack begins when a small amount of cryptocurrency is sent to the holder’s wallet using an address that looks similar to a frequently used one or an address they control. The idea behind this is that the holder might confuse it with the legitimate one, particularly if they don’t closely inspect the addresses during future transactions. This is something that many of us are guilty of, typically checking the first 5-6 figures only.

Bookmark Your Addresses

The attack pays off when the victim sends funds by copying and pasting what they think is their address but is in fact the fraudulent one. The attacker, of course, has no idea to what extent, or even if at all, they will get lucky, and in the case of the weekend’s attack, they won’t have believed their luck—1,155 WBTC were sent to the illicit address.

The way to prevent falling victim to address poisoning attacks seems obvious, and it is: bookmark your typically used addresses, only use them from this trusted place and ensure that what you paste into your browser or wallet app matches the record in your bookmarks.