Ethereum Crypto Wallets under Address Poisoning: How Usable and Secure Are They?

TL;DR

This study systematically evaluates the usability and security of 53 popular Ethereum wallets against address poisoning attacks, revealing significant vulnerabilities and gaps in phishing detection and user warnings.

Contribution

It provides the first comprehensive assessment of Ethereum wallets' defenses against address poisoning, highlighting critical security flaws and areas for improvement.

Findings

12 wallets cannot download transaction history due to communication failures.

16 wallets display fake token phishing transfers, posing high risks.

Only 3 wallets warn users about phishing addresses during transfers.

Abstract

Blockchain address poisoning is an emerging phishing attack that crafts "similar-looking" transfer records in the victim's transaction history, which aims to deceive victims and lure them into mistakenly transferring funds to the attacker. Recent works have shown that millions of Ethereum users were targeted and lost over 100 million US dollars. Ethereum crypto wallets, serving users in browsing transaction history and initiating transactions to transfer funds, play a central role in deploying countermeasures to mitigate the address poisoning attack. However, whether they have done so remains an open question. To fill the research void, in this paper, we design experiments to simulate address poisoning attacks and systematically evaluate the usability and security of 53 popular Ethereum crypto wallets. Our evaluation shows that there exist communication failures between 12 wallets and their transaction activity provider, which renders them unable to download the users' transaction history. Besides, our evaluation also shows that 16 wallets pose a high risk to their users due to displaying fake token phishing transfers. Moreover, our further analysis suggests that most wallets rely on transaction activity providers to filter out phishing transfers. However, their phishing detection capability varies. Finally, we found that only three wallets throw an explicit warning message when users attempt to transfer to the phishing address, implying a significant gap within the broader Ethereum crypto wallet community in protecting users from address poisoning attacks. Overall, our work shows that more efforts are needed by the Ethereum crypto wallet developer community to achieve the highest usability and security standard. Our bug reports have been acknowledged by the developer community, who are currently developing mitigation solutions.