Scams push ETH txns higher⚠️

Mass address poisoning attacks are getting worse.

GM, Tim here,

Ethereum transactions are soaring — but scams seem to be driving the surge.

On January 16, daily transactions hit an all-time high of more than 2.8 million, according to data from BitInfoCharts. The same day, new Ethereum addresses created in the past 30 days topped 12.6 million, the highest rolling 30-day total ever, according to Etherscan. 

The record-breaking transaction bump, however, was mostly caused by a mass address poisoning attack, according to research by Andrey Sergeenkov, an independent journalist, and reviewed by blockchain security experts.

“Mass address poisoning attacks are a persistent issue, and it's getting worse,” Gonçalo Magalhães, head of security at Immunefi, a crypto bug bounty and security platform, told me. 

Address poisoning attacks are a type of crypto scam where attackers send tiny amounts of crypto from a lookalike address to a victim's wallet. 

The goal is to trick the victim into mistakenly sending funds to that address believing it's legitimate. It relies on clunky user interfaces, a lack of warnings, and carelessness on the part of the victim. 

Such attacks are like spam phishing emails — low cost and low success rate, but if just one or two of the thousands of people targeted fall for them, then it’s worth it for the attacker.

The losses inflicted by address poisoning attacks can be enormous. Last month, a crypto user lost $50 million after falling victim to one, according to Scam Sniffer, a crypto security platform. 

“Over the past seven days alone, we’ve been detecting more than one million address poisoning preparations per day on Ethereum, underscoring the scale at which these campaigns are currently operating,” Michael Pearl, a vice president at crypto security firm Cyvers, told me.

Ethereum’s December Fusaka upgrade has helped reduce the cost of transactions, scaling the blockchain to more users and opening up new use cases.

But it’s a double-edged sword. 

The increased bandwidth also means mass address poisoning attacks have become much cheaper for scammers to pull off. 

Additionally, Magalhães said, recent Ethereum user experience upgrades, such as those enabling account abstraction, have made it easier for users to inadvertently sign a transaction they don’t fully understand.

So, what can be done to combat such attacks? Stop Ethereum users falling for them.

Just as services like Google’s Gmail scan email attachments for viruses and warn users of attacks, crypto wallets also need to provide warnings to stop users falling for address poisoning. 

“Wallets need to clearly convey intent and surface risk,” Magalhães said. “We also need more adoption of naming systems like ENS, because human-readable identifiers make lookalike address attacks harder.”

Some wallets already include features to help users avoid address poisoning. 

Rabby, for example, warns users if they’ve never interacted with an address before when sending funds, assesses potential transactions for suspicious activity, and flags phishing-related transfers in a user’s transaction history.
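The kind of check described above can be sketched in a few lines. This is an added example, not code from Rabby or any other wallet; it assumes a "lookalike" is an address that shares the leading and trailing characters a truncated wallet display would show, and the function names and sample addresses are constructed for illustration.

```python
HEX = set("0123456789abcdef")

def _norm(addr):
    """Return the 40 lower-case hex digits of a 0x-prefixed address, or raise."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42 and set(a[2:]) <= HEX):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a[2:]

def check_recipient(recipient, known, prefix=4, suffix=4):
    """Classify a recipient against addresses the user has dealt with before.

    Returns ("known", addr), ("lookalike", addr) or ("new", None).
    Assumption: a lookalike matches a known address on its first `prefix`
    and last `suffix` hex digits but differs somewhere in between.
    """
    r = _norm(recipient)
    lookalike = None
    for k in known:
        kn = _norm(k)
        if kn == r:
            return ("known", k)          # exact match always wins
        if kn[:prefix] == r[:prefix] and kn[-suffix:] == r[-suffix:]:
            lookalike = k                # same ends, different middle
    return ("lookalike", lookalike) if lookalike else ("new", None)

def flag_history(incoming_senders, sent_to):
    """Return (sender, imitated_address) for incoming transfers whose sender
    imitates an address the user has previously sent funds to."""
    hits = []
    for sender in incoming_senders:
        verdict, match = check_recipient(sender, sent_to)
        if verdict == "lookalike":
            hits.append((sender, match))
    return hits

# Constructed sample addresses (not real accounts).
KNOWN = "0x" + "a1b2" + "0" * 32 + "c3d4"
POISON = "0x" + "a1b2" + "f" * 32 + "c3d4"   # same first/last 4 digits
OTHER = "0x" + "9" * 40

if __name__ == "__main__":
    for addr in (KNOWN, POISON, OTHER):
        print(addr, check_recipient(addr, [KNOWN]))
    print(flag_history([OTHER, POISON], [KNOWN]))
```

A wallet would block or warn on the "lookalike" verdict and show a softer first-time-recipient notice on "new".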

But until more wallets adopt these features, crypto users will have to remain extra vigilant.

Post of the week 💥

Gold continues to outperform most major crypto assets, hitting an all-time high of over $4,725 on Tuesday.

DL News is an independent news organisation that provides original, in-depth reporting on the largely misunderstood world of cryptocurrency and decentralised finance. From original stories to investigations, our journalism is accurate, honest and responsible.
