
Better mitigate address poisoning #3769

Open
@sxguan

Description


Discord Discussion Link

No response

What browsers are you seeing the problem on?

Chrome

What were you trying to do?

We have designed and conducted experiments to test whether Taho wallet is vulnerable to address poisoning attacks by simulating the attack against a victim address under our control.

What did not work?

The primary security guarantee that this issue breaks is users’ trust in the transactions displayed on Taho Wallet. Users rely on the transaction history in the "activity" tab to verify past transactions and confirm recipient addresses before sending funds. However, Taho Wallet shortens the addresses in the displayed transaction, which forces the user to rely on the prefix and suffix of an address to differentiate Ethereum addresses. By displaying phishing transactions sent from a “look-alike” address in the "activity" tab, the wallet exposes users to the following risks:

  • Attackers can easily generate “look-alike” addresses to impersonate a legitimate address with which the victims have a previous transaction.
  • By sending different phishing transactions from the “look-alike” address (e.g., zero-value, dust-value, and fake-token), attackers can easily poison the victim’s transaction history in the "activity" tab.
  • When victims decide to send funds to the same legitimate address, they can mistakenly copy the “look-alike” phishing address from the phishing transactions displayed in the “activity” tab, resulting in financial losses.

We observed that Taho Wallet displayed zero-ETH, dust-ETH and fake-ETH transfers sent by the “look-alike” address S’, which poses a high risk to the victim and leads the victim to believe that S’ is S. The victim could copy S’ and transfer funds to it, resulting in significant financial loss.
Please find our complete report in the attachment.
Taho Wallet Report.pdf

Version

v0.63.1

Relevant log output
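The following is an added mitigation sketch, not code from the Taho project or from the reporter: it scans a wallet's transaction history for the three poisoning patterns the issue describes (look-alike sender, zero-value or dust transfer, transfer of an unknown token) and renders flagged counterparties in full rather than in the shortened `0x1234…abcd` form that makes look-alikes indistinguishable. The `Tx` shape, the dust threshold and the sample history are constructed assumptions for illustration.

```typescript
// Added example (not Taho's code): flag likely address-poisoning entries in a
// transaction history before the "activity" tab renders them, and render
// flagged counterparties in full instead of in shortened 0x1234…abcd form.

type Tx = {
  hash: string;
  from: string;
  to: string;
  valueEth: number;        // amount in ETH (or token units for ERC-20 rows)
  tokenContract?: string;  // undefined for native ETH transfers
};

type Flag = "lookalike" | "zero-value" | "dust" | "unknown-token";

// Constructed threshold: anything below this counts as a "dust" transfer.
const DUST_THRESHOLD_ETH = 0.00001;

function normalize(addr: string): string {
  return addr.toLowerCase();
}

// Two distinct addresses that agree on the first `prefixLen` and last
// `suffixLen` hex digits are indistinguishable under a shortened display.
function looksAlike(a: string, b: string, prefixLen = 4, suffixLen = 4): boolean {
  const x = normalize(a).slice(2);
  const y = normalize(b).slice(2);
  if (x === y) return false;
  return x.slice(0, prefixLen) === y.slice(0, prefixLen)
      && x.slice(-suffixLen) === y.slice(-suffixLen);
}

// Returns tx hash -> flags for every incoming row that should not be shown
// as an ordinary activity entry.
function flagPoisoning(history: Tx[], wallet: string, trustedTokens: Set<string>): Map<string, Flag[]> {
  const me = normalize(wallet);
  // "Known" counterparties are only addresses the user has *sent* funds to;
  // incoming rows never add to this set, otherwise a poisoner could earn trust.
  const known = new Set<string>();
  for (const tx of history) {
    if (normalize(tx.from) === me) known.add(normalize(tx.to));
  }
  const flags = new Map<string, Flag[]>();
  for (const tx of history) {
    if (normalize(tx.from) === me) continue;  // user-initiated, leave alone
    const sender = normalize(tx.from);
    const f: Flag[] = [];
    for (const k of known) {
      if (looksAlike(sender, k)) { f.push("lookalike"); break; }
    }
    if (tx.valueEth === 0) f.push("zero-value");
    else if (tx.valueEth < DUST_THRESHOLD_ETH) f.push("dust");
    if (tx.tokenContract && !trustedTokens.has(normalize(tx.tokenContract))) f.push("unknown-token");
    if (f.length > 0) flags.set(tx.hash, f);
  }
  return flags;
}

// Activity-row text: shortened address for clean rows, full address plus the
// flags for suspicious ones, so the user is never asked to tell a look-alike
// apart by its first and last digits alone.
function renderCounterparty(tx: Tx, wallet: string, flags: Map<string, Flag[]>): string {
  const counterparty = normalize(tx.from) === normalize(wallet) ? tx.to : tx.from;
  const f = flags.get(tx.hash);
  if (!f) return `${counterparty.slice(0, 6)}…${counterparty.slice(-4)}`;
  return `${counterparty} [${f.join(", ")}]`;
}

// Constructed sample data: S is a legitimate recipient, S_PRIME shares its
// first and last four hex digits.
const WALLET  = "0x" + "a".repeat(40);
const S       = "0x1234" + "0".repeat(32) + "abcd";
const S_PRIME = "0x1234" + "f".repeat(32) + "abcd";
const TRUSTED_TOKENS = new Set<string>(["0x" + "c".repeat(40)]);
const SAMPLE_HISTORY: Tx[] = [
  { hash: "0xtx1", from: WALLET,  to: S,      valueEth: 0.5 },
  { hash: "0xtx2", from: S_PRIME, to: WALLET, valueEth: 0 },
  { hash: "0xtx3", from: S_PRIME, to: WALLET, valueEth: 0.000001 },
  { hash: "0xtx4", from: S_PRIME, to: WALLET, valueEth: 1000, tokenContract: "0x" + "d".repeat(40) },
  { hash: "0xtx5", from: "0x" + "9".repeat(40), to: WALLET, valueEth: 1 },
];

const FLAGS = flagPoisoning(SAMPLE_HISTORY, WALLET, TRUSTED_TOKENS);
for (const tx of SAMPLE_HISTORY) {
  console.log(tx.hash, renderCounterparty(tx, WALLET, FLAGS));
}
```

Run with `ts-node` or compile with `tsc`: rows tx2, tx3 and tx4 come back flagged, tx1 (the user's own outgoing transfer) and tx5 (an ordinary incoming transfer) do not. The design choice worth noting is that the "known" set is built only from outgoing transfers, so a poisoner cannot get an address into it by sending to the victim.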
