Address poisoning (a.k.a. address poisoning attack) is a type of scam that targets users of any cryptocurrency wallet. A scammer will try to "poison" your cryptocurrency address by sending a tiny amount of crypto (e.g. BNB, MATIC, USDC). Sometimes the scammer will even send an NFT. Sometimes the scammer's address will also have characters similar to those in your crypto address.
The purpose of this scam is to trick you into thinking that you were the sender of this transaction. The scammer’s hope is that you will look at your transaction history and copy/paste their address from the poisoned transaction instead of an address you own.
How Komodo Wallet Mitigates Address Poisoning Attacks
We have recently implemented a hotfix to help mitigate the threat of address poisoning. Transactions with near-zero amounts of EVM-based coins and tokens can now optionally be filtered out of your Komodo Wallet transaction history.
This update is now live in all Komodo Wallet GUI releases (web, mobile, and desktop).
Best Practices on How to Avoid Address Poisoning Attacks
While no one can stop a scammer from poisoning your crypto addresses, there are a few ways you can avoid losing funds and becoming a victim of this scam.
- Receiving crypto with Komodo Wallet: DO NOT copy/paste your wallet deposit address from your transaction history. Instead, find your address by following the steps below.
Note that the example here shows how to find a Litecoin (LTC) address via Komodo Wallet (web). The process is the same regardless of which GUI or cryptocurrency you are using.
1. Go to the "Wallet" tab.
2. Tap on a cryptocurrency from the list.
3. Tap the “Receive” button.
4. Tap on the clipboard icon or scan the QR code to copy the address.
- Sending crypto to an external wallet: DO NOT copy/paste your wallet deposit address from your transaction history. There is always the possibility that the scammer has poisoned the addresses in your external wallet as well. Before sending your cryptocurrency to an external wallet, always check the crypto address within that application. Various applications have different UI navigation, but most use words like “deposit” or “receive”, similar to the Komodo Wallet app.
- As a general rule, address poisoning is a numbers game. This means scammers will target as many crypto wallets as possible and usually send small amounts of crypto to increase their odds of fooling someone. However, one notable exception is crypto addresses that hold larger amounts of funds. Because most blockchains have public block explorers that show real-time crypto balances, it’s possible that some scammers will send larger amounts of crypto to addresses that have larger existing balances. Address poisoning filters on most wallets won’t necessarily detect and filter out these transactions.
- To double-check that your address is correct (regardless of whether you are sending or receiving a transaction), always navigate to the receiving wallet and verify that every single character in your address matches. Often, address poisoning attacks will use an address that matches a few characters at the start and end of the address, so at a glance it looks the same. Even if just one character doesn’t match, you will be sending funds to an address you don’t own. Since blockchain transactions are immutable and can’t be reversed, sending crypto to an incorrect address or a scammer address will result in the loss of any amount sent.
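The two checks described above, a near-zero amount filter and a full-character address comparison, can be sketched as follows. This is an added example, not Komodo Wallet's code. The threshold, the four-character edge length, the record field names, and the sample addresses are all assumptions constructed for illustration. Note that tx3 carries a larger amount and is caught only by the look-alike check, which is the case an amount filter alone misses.

```python
from decimal import Decimal

# Assumed values for this sketch, not Komodo Wallet's actual settings.
DUST_THRESHOLD = Decimal("0.0001")  # "near-zero" cut-off in whole-coin units
EDGE_CHARS = 4                      # characters compared at each end

def _body(addr):
    """Lower-cased hex part of an EVM address, without the 0x prefix."""
    addr = addr.lower()
    return addr[2:] if addr.startswith("0x") else addr

def is_lookalike(candidate, known, edge=EDGE_CHARS):
    """Same first and last `edge` characters as `known`, but a different address."""
    c, k = _body(candidate), _body(known)
    return c != k and c[:edge] == k[:edge] and c[-edge:] == k[-edge:]

def first_mismatch(a, b):
    """Position of the first differing character in a full comparison, or None."""
    x, y = _body(a), _body(b)
    for i, (p, q) in enumerate(zip(x, y)):
        if p != q:
            return i
    return None if len(x) == len(y) else min(len(x), len(y))

def review_history(history, known_addresses):
    """Return (tx id, reasons) for entries that must not be used as an address source."""
    flagged = []
    for tx in history:
        reasons = []
        if Decimal(tx["amount"]) <= DUST_THRESHOLD:
            reasons.append("near-zero amount")
        if any(is_lookalike(a, k) for a in (tx["from"], tx["to"]) for k in known_addresses):
            reasons.append("look-alike address")
        if reasons:
            flagged.append((tx["id"], reasons))
    return flagged

# Constructed sample data: none of these addresses or transactions are real.
MY_ADDR = "0xA1b2" + "0" * 32 + "c3D4"
LOOKALIKE = "0xa1b2" + "f" * 32 + "c3d4"
PEER = "0x1234" + "5" * 32 + "6789"
SAMPLE_HISTORY = [
    {"id": "tx1", "from": MY_ADDR, "to": PEER, "amount": "1.5"},
    {"id": "tx2", "from": LOOKALIKE, "to": MY_ADDR, "amount": "0"},
    {"id": "tx3", "from": LOOKALIKE, "to": MY_ADDR, "amount": "0.25"},
    {"id": "tx4", "from": PEER, "to": MY_ADDR, "amount": "2"},
]

if __name__ == "__main__":
    for tx_id, reasons in review_history(SAMPLE_HISTORY, [MY_ADDR]):
        print(tx_id, reasons)
    print("first mismatch at character", first_mismatch(MY_ADDR, LOOKALIKE))
```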