
Address poisoning attack: Label zero value transactions in TX detail #7278

Closed
Hannsek opened this issue Jan 3, 2023 · 12 comments · Fixed by #7391
Labels: altcoins (not related to bitcoin), low hanging fruit (Simple, quick task. Doable in 2 hours.), transactions (Transaction history page)

Comments

Hannsek (Contributor) commented Jan 3, 2023

Background

One type of scam is that anyone can send a transaction from any address with a 0 amount without holding the private keys. Attackers will send the 0 amount to an address that is almost the same as the address of e.g. Binance. The user won't realize it, as the beginning and the end of these addresses look the same. The user will then just copy the address from TX history and send funds to that (wrong) address.

Proposed changes

Label zero value transactions from the TX list and detail as scammy.

Concepts


Tooltip and red banner to contain link to KB article


@Hannsek Hannsek added transactions Transaction history page low hanging fruit Simple, quick task. Doable in 2 hours. labels Jan 3, 2023
@Hannsek Hannsek changed the title Filter transaction with 0 amount Filter 0 amount transactions from tx history Jan 3, 2023
@hynek-jina hynek-jina added the altcoins not related to bitcoin label Jan 3, 2023
sime (Member) commented Jan 4, 2023

Thorough analysis of the attack: https://www.reddit.com/r/TREZOR/comments/z8msk1/comment/iyd01ha/

Key takeaway on how this attack is plausible:

You might think they can not send anything from the wallet address to their scam address because they do not control the private keys of the wallet, but this is not entirely accurate. The TransferFrom method of ERC20/BEP20 tokens allows any address to send funds from any other address as long as the amount doesn’t exceed the allowance given, but in this case since the amount is 0 it doesn’t exceed the allowance which by default is 0.

sime (Member) commented Jan 4, 2023

Good thread on this topic: https://twitter.com/tayvano_/status/1605801004141727745

@sime sime changed the title Filter 0 amount transactions from tx history Address poisoning attack: Label zero value transactions in TX detail Jan 4, 2023
cavigneron commented Jan 13, 2023

@sime here are a couple of variations for the warning message bar:

  • Proceed with caution. This may be a fraudulent transaction. Read more here.
  • Beware! This may be a scam transaction. More here.
  • Caution! Potential fraud. Review this info before continuing.

For the tool tip (ideal max length 140 characters), how about:

  • Suspicious address alert! Verify before sending. Learn more about potential scam here. (86 characters)
  • Address poisoning alert! This address looks suspicious. Check and confirm the address before sending. Read more about this potential scam here. (143 characters)

sime (Member) commented Jan 13, 2023

@cavigneron I like this:

  • Proceed with caution. This may be a fraudulent transaction. Read more here.

For the tooltip I suggest:

  • Address poisoning alert! This transaction looks suspicious. Learn more.

cavigneron commented

@sime Top dollar!

komret (Contributor) commented Jan 17, 2023

I checked the code and have some questions:
The warning is currently shown for both received and sent transactions. However, the typical form of the attack is sending zero amount transactions from your address. Shouldn't we limit the warning to sent transactions only? If we include received transactions, this problem is not specific to EVM tokens and seems too broad to handle this way.

We could also make the condition more specific (Ethereum and EVM-compatible blockchains only, possibly also mainnet only), what do you think @sime?

sime (Member) commented Jan 17, 2023

I don't have examples handy, but the attack could go in both directions.

I agree with making the logic specific to EVM chains. Please note, this should be sharable with mobile later.

komret (Contributor) commented Jan 17, 2023

The logic is sharable via suite-common.

My point is that if we include received transactions as well, there is nothing EVM specific, e.g. someone might attack you by sending you 0 ETH or 0 BTC. And even if we warn with every zero-value transaction, this attack can still be performed very cheaply with some dust. So we cannot cover all cases anyway and it could lead to some false positives.

dahaca (Contributor) commented Jan 18, 2023

Currently the condition for getting marked as phishy is also having tokens, so it wouldn't be showing up for BTC, for example.
Also we have to bear in mind that we are speaking about the token transfer within a transaction, and they could have different types. In the scam transactions the wrapper transaction is neither a receive nor a send, since your address is not a part of it. However, the tokens transferred as a part of that transaction could be sent both to and from your address.
Regardless of how this particular scam works, 0 value TXs seem suspicious anyways IMO :D
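An added TypeScript example (not Trezor Suite's own code) that spells out the condition discussed above: the wrapper transaction is on an EVM chain and contains a zero-amount token transfer touching one of the user's addresses, in either direction. The types, the EVM network list and the sample addresses are assumptions constructed for this example.

```typescript
// Added example, not Trezor Suite code. Models the condition from the thread: an EVM
// transaction carrying token transfers, one of which moves a zero amount to or from the
// user's address, is labelled as suspected address poisoning. Types and the EVM list are
// assumptions for this example.
export interface TokenTransfer { from: string; to: string; amount: string; symbol: string }
export interface Transaction {
  txid: string;
  network: string;          // coin symbol of the chain, e.g. 'eth'
  tokens: TokenTransfer[];  // token transfers found inside the wrapper transaction
}

// Assumed set of EVM-compatible networks the wallet supports.
const EVM_NETWORKS = new Set(['eth', 'etc', 'matic', 'bnb']);

// "0", "0.0", "0.000" count as zero; "0.001" or garbage does not.
export const isZeroAmount = (amount: string): boolean => /^0+(\.0+)?$/.test(amount.trim());

export function isSuspectedAddressPoisoning(tx: Transaction, ownAddresses: string[]): boolean {
  if (!EVM_NETWORKS.has(tx.network.toLowerCase())) return false;
  if (tx.tokens.length === 0) return false; // plain 0 ETH / 0 BTC sends stay out of scope
  const own = new Set(ownAddresses.map(a => a.toLowerCase()));
  // Direction is irrelevant: the zero-value TransferFrom can name the user as sender or receiver.
  return tx.tokens.some(
    t => isZeroAmount(t.amount) && (own.has(t.from.toLowerCase()) || own.has(t.to.toLowerCase())),
  );
}

// Does `candidate` imitate `known` by sharing its visible prefix and suffix while differing
// in the middle? Useful for telling the user which real address the poisoned entry mimics.
export function looksAlike(candidate: string, known: string, edge = 4): boolean {
  const c = candidate.toLowerCase(), k = known.toLowerCase();
  if (c === k || c.length !== k.length) return false;
  return c.startsWith(k.slice(0, 2 + edge)) && c.endsWith(k.slice(-edge));
}

// Constructed sample data (not real addresses or a real transaction).
export const OWN_ADDRESS = '0x' + '1'.repeat(40);
export const KNOWN_EXCHANGE = '0x9876' + '0'.repeat(32) + '1234';
export const POISON_ADDRESS = '0x9876' + 'f'.repeat(32) + '1234';
export const SAMPLE_TX: Transaction = {
  txid: '0x' + 'a'.repeat(64),
  network: 'eth',
  tokens: [{ from: OWN_ADDRESS, to: POISON_ADDRESS, amount: '0', symbol: 'USDT' }],
};
```

Note that `looksAlike` only explains which known address the poisoned one imitates; the flagging itself relies solely on the zero-amount-plus-tokens condition, so dust transfers with a non-zero amount are not caught, as komret points out.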

bosomt (Contributor) commented Jan 23, 2023

QA OK


Info:

  • Suite version: desktop 23.2.0 (4c8e4dc)
  • Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) TrezorSuite/23.2.0 Chrome/104.0.5112.124 Electron/20.3.5 Safari/537.36
  • OS: MacIntel
  • Screen: 1440x900
  • Device: model T 2.5.4 Universal (revision ab65b18b07170c8a9e4f1506620af988d678453b)
  • Transport: bridge 2.0.32

Hannsek (Contributor, Author) commented Feb 15, 2023

Shouldn't we block copying the address from the tx history? It is blurred but I can copy that… @sime
