Ethereum address poisoning spike, ‘wallets aren’t ready’ says researcher

On December 3, the Ethereum network executed the Fusaka upgrade which had one focus: “scaling without compromise.”

Gas fees, once a major impediment to Ethereum’s usability for all but those with the deepest of pockets, plummeted sharply, with transfers and swaps costing just a few cents per transaction.

Cheap transactions don’t just benefit regular users, however. 

Indeed, the increased affordability of long-running address poisoning campaigns has seen losses, as well as activity, skyrocket since Fusaka.

Protos spoke to Andrey Sergeenkov, an independent researcher analysing address poisoning on Ethereum, who believes that “the wallets aren’t ready, and the protocol keeps scaling anyway.”

Cheap gas, a boon for users and scammers alike

In an article published last month, Sergeenkov identified a six-fold reduction in gas costs resulting in an almost identical increase in the volume of address poisoning, from an average of 30,000 to 167,000 per day (5.6x).

The surge in transactions has, unsurprisingly, been accompanied by increased losses.

Sergeenkov tracked dust transactions of 101 tokens and identified “confirmed payoffs” over 73-day windows before and after Fusaka.

The value of funds stolen increased from $4.9 million pre-Fukasa to $63.3 million in the period after the upgrade.

He also observed a “2.6-fold increase in [the number of] successful payoff events.”

Even subtracting the largest post-Fusaka loss, a $50 million outlier just before Christmas, the total is “still $13.3M, a 2.7-fold increase over the pre-Fusaka rate.”

Sergeenkov told Protos that, since the end of the dataset used in his most recent article, there have been a number of significant losses. The top three of these were a $600,000 loss on February 17, a $157,000 loss the following day, a $30,000 loss on February 28.

In all, he identified almost $900,000 in losses from 91 victims between those discussed in his article and his response to Protos on March 9.

Adjusting for the recent losses, and ignoring the outlier, brings the average amount stolen per day to 2.1x that of the pre-Fusaka rate. 

“The attack volume hasn’t slowed either,” he says, and is still picking up “200,000–350,000 poisoning transactions per day.”

While the individual transactions themselves may be cheap, the potential rewards justify splashing large sums on casting as wide a net as possible.

Read more: Copy, Paste, Rekt: Ethereum address poisoning strikes again

‘Scaling without compromise’

Ethereum’s efforts to reduce gas costs have been overwhelmingly successful.

First, demand was pushed onto cheaper, faster Layer Two (L2) networks, lowering activity on mainnet.

Though the advances in scaling (which don’t look to be slowing down) mean, in the words of Vitalik Buterin, that the “original vision of L2s and their role in Ethereum no longer makes sense.”

Later, the introductions of blobs (which did away with the ETH’s deflationary, “ultra sound” narrative) and the Fusaka upgrade, have seen the cost of gas mimic the chart of a classic DeFi slow-rug project.

Read more: Your L2 transaction fees are higher because of MEV spam, report

Sergeenkov notes that, despite a known link between low fees and attack volume, the upgrade “went ahead anyway.”

He says the “Ethereum Foundation has not proposed or implemented any protocol-level countermeasure” and Buterin “places user protection entirely at the wallet and UX layer.”

However, Sergeenkov points to research which claims that, of 53 wallets studied, only three “throw an explicit warning message” to users before transferring to address poisoning addresses.

According to Namefi CEO, Z. Victor Zhou, one potential solution is using leading zeros, making lookalike addresses much more costly and time-consuming for attackers to generate.

“One minute of your laptop’s GPU time creates an address that would cost an attacker 32 years to fake,” he claims. “The asymmetry is staggering.”

Emergent threats

Address poisoning isn’t the only attack vector which benefits from low gas costs.

Security researcher Daniel Von Fange notes that cheap gas makes for complex attack transactions which render “only the tiniest smidge of money” profitable.

“Spectacularly wasteful” MEV activity was seen to offset scaling improvements on L2 networks, negating any gas savings for regular users while looking to profit off their activity.

Other malicious behaviours can also be borne out of well-meaning upgrades.

“The system produces new attack vectors structurally, with each change to the protocol,” Sergeenkov says.

One example is EIP-7702, which brought wallet delegation capability. Wintermute research later found that 80% of addresses using the code were linked to malicious activity.

Does Sergeenkov have an antidote?

In terms of staying safe, Sergeenkov says “never copy addresses from your transaction history or a block explorer.” He also advises against making transfers if suffering from “lack of sleep, illness or anything else.”

But he has little faith that advice or educating users will be able to keep up with such “numerous and easily adaptable” attack vectors.

“What’s needed is a fundamentally different environment where users don’t have to learn how to avoid losing all their money from a single mistake. Where the risk-reward of an attack rules it out by itself.”

Got a tip? Send us an email securely via Protos Leaks. For more informed news and investigations, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.