Multiple Safe Wallets Lose $2 Million to Address Poisoning Attacks

Overview

In recent days, ScamSniffer has monitored multiple cases of Safe wallets falling victim to address poisoning attacks. These users inadvertently copied wrong addresses from contaminated transaction histories and transferred assets to these wrong addresses, causing huge financial losses.

According to on-chain data, about 10 Safe wallets have lost $2.05 million in the past week. The attacker associated with these thefts has stolen $5.05 million from 21 victims in the past four months.

Theft of Safe Wallets

Four days ago, we found this case while routinely tracking an “address poisoning” attacker.

In this theft, Florence Finance transferred 1.45 million from its Safe wallet to an address that had contaminated its transfer history: 0xb087269de7ba93d0db2e12ff164d60f0b3675870.

The attacker used a contaminated address generated with create2 and, after receiving the assets, quickly converted them to DAI to prevent them from being frozen.

Previously, SlowMist shared with us a similar create2 case in which the attacker stole $1.66 million in assets from a victim, and we found more cases of this attacker.

Unicode

By analyzing the attacker’s fake transfers, we can see that the symbols of the fake tokens display as USDC but are actually written with Unicode characters. This could have been used to bypass some fake-token detection filters.

How did this happen?

We opened the victim’s Safe Wallet and saw that the contaminated transfer appeared on the transaction “History” page.

The UI in the transfer history shows only the last four digits, which makes it look like the address of the most recent transfer is the same, but it’s not.

The victim likely copied the contaminated address from here.

More Victims

After analyzing several other thefts by this attacker, we found that the victims of the 5 most recent ones were using Safe wallets.

“Lucky” Victims

One of the victims, 0x46cb414113c545161c17b156ceeb8a0d7e85bf9b, held 10 million dollars in assets in the wallet but “luckily” lost only 400 thousand dollars.

Can’t imagine if he was going to transfer more money…

Theft Statistics

Through on-chain data analysis, we have found 5 other Safe Wallet victims. As of today, about 10 Safe wallets have lost $2.05 million in the past week.

The attacker associated with them has stolen $5.05 million from 21 victims in the past 4 months.

View More: https://dune.com/scamsniffer/address-poisoning-attack

Top Victims:

| Victim | Wallet Type | Day | Total Stolen |
| --- | --- | --- | --- |
| 0x36fe9fb1145a43e168aecd15c9efc7cfd84875a6 | EOA | 2023/10/23 | $1,660,655 |
| 0x26e4cb4a6787419ac53b7d3fe92fa1dad1c8548e | Safe Wallet | 2023/11/28 | $1,455,968 |
| 0x8503ea9bb20b74a0c8287ed225cee82d58648882 | EOA | 2023/8/31 | $540,928 |
| 0x46cb414113c545161c17b156ceeb8a0d7e85bf9b | Safe Wallet | 2023/11/26 | $399,946 |
| 0x07730ce36f0532004728ec41b0c6c97b99c775d7 | EOA | 2023/9/8 | $199,978 |
| 0xbc1f8a139388b5bb1812544834a2f4ead4daea22 | EOA | 2023/10/3 | $146,890 |
| 0xda08ee59e84bd6dc9e63ff0172d9de700c9b3d73 | EOA | 2023/10/3 | $113,051 |
| 0xd366f566d560c18aea6ab89268dac40f428308f5 | Safe Wallet | 2023/11/29 | $100,039 |
| 0x14e607d2ef3aef0df7d91755add7cf3aef0f2ae8 | EOA | 2023/8/21 | $99,986 |

Stolen Funds

After we shared these cases with MistTrack, they found that most of the proceeds were transferred to different BTC addresses through Thorchain, with the money laundered in exactly the same way each time.

How Can We Improve The Security?

Explorers like Etherscan currently display the last 8 digits of addresses and include security reminders to keep users from copying incorrect addresses.

Wallets like Rabby provide reminders for first-time transfers to new addresses.

If you have a built-in fake token filter, try to cover this potential bypass that uses Unicode.

All of these may reduce the probability of a user getting hit, but more importantly, as users we have to have better habits.

  • Don’t rely on history
  • Don’t copy addresses from history
  • Always remember to do cross-validation.
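
The two checks suggested above, a Unicode-aware fake token filter and a warning for look-alike addresses in history, written as an added Python example; it is not code from ScamSniffer, Safe or any other wallet. The watch list, the look-alike character map, the 4+4 digit comparison window, the function names and the sample history are all assumptions constructed for illustration.

```python
import unicodedata

# Assumed watch list and look-alike map (constructed; the article does not say
# which Unicode characters the fake "USDC" symbols used).
PROTECTED_SYMBOLS = {"USDC", "USDT", "DAI"}
CONFUSABLES = {"\u0421": "C", "\u0405": "S", "\u054d": "U", "\u13a0": "D"}

def spoofed_symbol(symbol):
    """Return the protected symbol that a non-ASCII symbol imitates, else None."""
    if symbol.isascii():
        return None  # plain ASCII symbols are outside this check
    folded = unicodedata.normalize("NFKC", symbol)  # folds fullwidth forms etc.
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded
                     if unicodedata.category(ch) != "Cf")  # drop zero-width chars
    folded = folded.upper()
    return folded if folded in PROTECTED_SYMBOLS else None

def lookalike_of(candidate, trusted, head=4, tail=4):
    """Return the trusted address `candidate` imitates (same first/last hex
    digits but not the same address), else None. Expects 0x-prefixed input."""
    cand = candidate.lower()[2:]
    for addr in trusted:
        ref = addr.lower()[2:]
        if cand != ref and cand[:head] == ref[:head] and cand[-tail:] == ref[-tail:]:
            return addr
    return None

def flag_history(entries, trusted):
    """Return (entry, reason) pairs for history rows a wallet should warn on."""
    flagged = []
    for entry in entries:
        imitated = spoofed_symbol(entry["symbol"])
        twin = lookalike_of(entry["counterparty"], trusted)
        if imitated:
            flagged.append((entry, f"symbol imitates {imitated}"))
        elif twin:
            flagged.append((entry, f"address imitates {twin}"))
    return flagged

# Constructed sample data, not taken from the incidents in the article.
TRUSTED = ["0x1111aaaabbbbccccddddeeeeffff000011112222"]
HISTORY = [
    {"counterparty": TRUSTED[0], "symbol": "USDC"},
    {"counterparty": "0x11119999888877776666555544443333aaaa2222", "symbol": "U\u0405D\u0421"},
    {"counterparty": "0x1111" + "0" * 32 + "2222", "symbol": "USDC"},
]
```

Calling `flag_history(HISTORY, TRUSTED)` flags the second and third rows and leaves the genuine first row alone; passing `head=0` to `lookalike_of` compares only the trailing digits.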

Finally, hope you stay safe!

About Scam Sniffer

Scam Sniffer is an anti-scam platform that combines off-chain and on-chain monitoring data to provide real-time anti-scam protection for web3 users.

We’ve helped well-known platforms protect their users and are committed to making web3 secure for the next billion users.
