Address poisoning attack: Label unverified token transactions in TX detail #8119

Closed
Tracked by #10779
mkolar242 opened this issue Apr 17, 2023 · 5 comments · Fixed by #10034
Labels
EVM Issues related to networks based on Ethereum Virtual Machine feature Product related issue visible for end user

Comments

@mkolar242

BACKGROUND

Related to #7278

Scammers employ a similar logic to that of zero-value transactions by utilizing unverified tokens that hold no fiat value but still carry a positive number of units in the transaction.

Example of the token: https://etherscan.io/token/0x8744dab2fa43055130a85c70d6b0676a82ae4704
Transaction example: https://etherscan.io/tx/0xfd7788d4ac55a9b1024d39a5d124f9e2012fc2dca197daa10c12e178d50b26ec

PROPOSED CHANGES

  • Check the token contract address against Ethereum definitions
  • If the contract address is not in Ethereum definitions label tx in the tx history
  • Design remains as it is
@sime
Member

sime commented Apr 20, 2023

Could be done in combination with #8007

@Hermez-cz Hermez-cz added EVM Issues related to networks based on Ethereum Virtual Machine ERC20 and removed EVM Issues related to networks based on Ethereum Virtual Machine labels Aug 2, 2023
@Hannsek
Contributor

Hannsek commented Oct 23, 2023

Restrict copying the address from tx labeled as poisoned.

@zaplmi

zaplmi commented Oct 26, 2023

An effective and hopefully simple way to prevent this could be to add a warning reminding users that copying an address from your transaction history is always unsafe. They'd see it every time they copy from their history, with an option to hide it. The same goes for BTC; address re-use isn't any good to anyone. It damages privacy and makes UTXO management confusing.

[etherscan.io] has something like that for dodgy tokens. We could extend this to every copy and paste of addresses in Suite. This way, we don't even have to have a whitelist/blacklist, which would be imperfect anyway.

proposal:

image

example from Etherscan:

image

@Hannsek
Contributor

Hannsek commented Nov 20, 2023

recap:

  • check the token contract address against ethereum definitions
  • if the contract address is not in ethereum definitions label tx in the tx history
  • restrict copying the address from the tx history and also from tx detail
  • if one tx will contain not-scammy and scammy tokens, do not label the transaction as scammy, but follow the previous point for the scammy address –> restrict copying this address
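
The rules in the recap above, sketched as an added TypeScript example (not Trezor Suite's code): each token transfer is checked against a list of known contracts, copying is restricted per unverified transfer, and the transaction is labelled only when every transfer is unverified. The type names, `reviewTransaction`, and modelling the Ethereum definitions as a plain list of contract addresses are assumptions; all addresses except the token linked in the issue are constructed.

```typescript
// Added example: names and data shapes below are assumptions, not Suite code.
interface TokenTransfer {
    contract: string; // token contract address
    from: string;
    to: string;
}

interface ReviewedTransfer extends TokenTransfer {
    verified: boolean;
    copyRestricted: boolean; // UI should not offer "copy address" for this row
}

interface ReviewedTx {
    labelUnverified: boolean; // show the "unverified token" label on the tx
    transfers: ReviewedTransfer[];
}

// Checksummed (EIP-55) addresses are mixed-case, so compare them lowercased.
function normalize(address: string): string {
    return address.trim().toLowerCase();
}

function reviewTransaction(transfers: TokenTransfer[], knownContracts: string[]): ReviewedTx {
    const known = knownContracts.map(normalize);
    const reviewed = transfers.map((t): ReviewedTransfer => {
        const verified = known.indexOf(normalize(t.contract)) !== -1;
        return { contract: t.contract, from: t.from, to: t.to, verified: verified, copyRestricted: !verified };
    });
    // Label the whole tx only when every token transfer is unverified;
    // a mixed tx stays unlabelled but keeps the per-row copy restriction.
    const labelUnverified = reviewed.length > 0 && reviewed.every((r) => !r.verified);
    return { labelUnverified: labelUnverified, transfers: reviewed };
}

// Constructed sample data. KNOWN stands in for the Ethereum definitions list.
const KNOWN = ['0xabcdefabcdefabcdefabcdefabcdefabcdefabcd'];
const UNVERIFIED_TOKEN = '0x8744dab2fa43055130a85c70d6b0676a82ae4704'; // token linked in the issue
const WALLET = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
const OTHER = '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';

const poisonedTx = reviewTransaction([{ contract: UNVERIFIED_TOKEN, from: OTHER, to: WALLET }], KNOWN);
const mixedTx = reviewTransaction(
    [
        { contract: '0xABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD', from: WALLET, to: OTHER },
        { contract: UNVERIFIED_TOKEN, from: OTHER, to: WALLET },
    ],
    KNOWN,
);
console.log(poisonedTx.labelUnverified, mixedTx.labelUnverified);
```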

@AdamSchinzel AdamSchinzel added EVM Issues related to networks based on Ethereum Virtual Machine and removed ERC20 labels Jan 23, 2024
@tomasklim tomasklim added this to the Suite Trends milestone Jan 23, 2024
@tomasklim tomasklim added the feature Product related issue visible for end user label Jan 24, 2024
@bosomt
Contributor

bosomt commented Feb 7, 2024

QA OK

Info:

  • Suite version: web 24.2.0 (d0e9a1c)
  • Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
  • OS: MacIntel
  • Screen: 1915x1244
  • Device: Trezor T2B1 2.6.4 regular (revision 42e9ed0e09033d474dee1a560fe5870646fa440e)
  • Transport: BridgeTransport 2.0.33
