Cntr C, Cntrl V, Cntrl Crypto lost...

Sep 6, 2024

Introduction

In the Web3 space, multi-signature wallets (or 'multisig wallets') like SAFE have become indispensable tools for securely managing funds and executing daily transactions. Recently, at Lemma, we observed a series of suspicious incoming transactions to some of the SAFEs under our management. Upon closer inspection, we discovered that these transactions were part of a sophisticated scam known as 'address poisoning'—a tactic that could have led to significant financial losses if not carefully scrutinized.

In this article we explain how the address poisoning scam works and actions you can take to make your treasury safer.

How does the address poisoning scam work?

1. Initial Transaction:

You send a small amount of USDC, USDT, or ETH to a wallet address—typically as a test transaction before transferring a larger sum.

2. Deceptive Return Transaction:

Minutes or hours later, you receive an incoming transaction with the exact same amount and a currency that appears identical to the one you sent. However, this isn’t the legitimate USDC, USDT, or ETH—it’s a 'fake' token created by the scammer. The name looks right, but the contract address differs, something that's easy to miss at first glance.

3. Illusion of Confirmation:

The scam relies on creating the illusion that your test transaction was confirmed by the recipient. The wallet address used in the fraudulent transaction is nearly identical to the legitimate one, with only minor differences that are hard to spot without close inspection.

4. Risk of Falling for the Scam:

If you're not careful, you might mistakenly believe the fraudulent transaction is a legitimate confirmation. You then copy the scammer's wallet address and send the full amount to them, resulting in a non-reversible loss.


Here are two screenshots that illustrate how the address poisoning scam appears in your SAFE multisig wallet:

1. Initial Test Transaction: We sent 10 USDC to a service provider's wallet address as a routine test transaction.

2. Deceptive Return Transaction: Just a few minutes later, we received a 10 USDC transaction from a wallet address that looks almost identical to the one we initially sent the test transaction to. However, the difference is subtle—only a small portion in the middle of the address (highlighted in red) is different. The beginning and end, which are usually the parts you quickly check to confirm an address, are the same.

Please note that the wallet addresses in the screenshots are for illustrative purposes only and are not in use.
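As an added example (not code from the original article or from Lemma), the following Python screens an incoming transfer against a multisig address book and a table of canonical token contracts. It flags both signals described above: a sender whose first and last characters match a known address while the middle differs, and a token whose contract is not the expected one for its symbol. All addresses and contracts are constructed placeholders.

```python
from dataclasses import dataclass

# Canonical token contracts the treasury accepts. Constructed placeholders: in practice
# take these from the issuer's documentation, never from an incoming transfer itself.
KNOWN_TOKENS = {"USDC": "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Address book as a multisig keeps it (label -> address). Constructed placeholder.
ADDRESS_BOOK = {"Vendor A": "0x1111aaaa000000000000000000000000bbbb2222"}


@dataclass
class Transfer:
    sender: str          # address the tokens came from
    token_symbol: str    # symbol as displayed by the wallet UI
    token_contract: str  # contract that actually emitted the transfer
    amount: float


def _hex(addr: str) -> str:
    """Lower-case an address and drop the 0x prefix so comparisons ignore checksum casing."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a


def is_lookalike(candidate: str, known: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when two addresses share their first/last hex chars but are not the same."""
    a, b = _hex(candidate), _hex(known)
    return a != b and a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def screen_transfer(t: Transfer, address_book=ADDRESS_BOOK, known_tokens=KNOWN_TOKENS) -> list:
    """Return findings for one incoming transfer; an empty list means nothing suspicious."""
    findings = []
    canonical = known_tokens.get(t.token_symbol)
    if canonical is None or _hex(t.token_contract) != _hex(canonical):
        findings.append(f"token '{t.token_symbol}' came from unexpected contract {t.token_contract}")
    for label, addr in address_book.items():
        if is_lookalike(t.sender, addr):
            findings.append(f"sender {t.sender} is a lookalike of address-book entry '{label}'")
    return findings


# Constructed sample: the genuine vendor address, then a poisoned one that differs only
# in the middle and carries a token from a non-canonical contract.
GENUINE = Transfer(ADDRESS_BOOK["Vendor A"], "USDC", KNOWN_TOKENS["USDC"], 10.0)
POISONED = Transfer("0x1111aaaa00000000ffff000000000000bbbb2222", "USDC",
                    "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", 10.0)

if __name__ == "__main__":
    for t in (GENUINE, POISONED):
        print(t.sender, screen_transfer(t) or "OK")
```

Tightening `prefix`/`suffix` to the number of characters a reviewer actually compares (often 4 to 6) keeps the check aligned with how the lookalike is meant to pass a glance.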


How to Protect Yourself

Use an Address Book:
Most multisig wallets, such as SAFE, offer an address book feature that allows you to label wallet addresses with recognizable names. Instead of copying and pasting wallet addresses, you can search for the vendor's name directly. This adds an extra layer of security, reducing the risk of accidentally sending funds to the wrong address. This feature is supported by nearly all established multisig providers.

Enable Address Whitelisting:
While an address book helps distinguish between wallet addresses, it doesn't prevent you from sending funds to addresses that aren't in the book. Address whitelisting takes security a step further. This feature requires authorized signatories of the multisig wallet to approve an address before any funds can be sent to it. Additionally, you can specify which tokens on which networks are allowed for a given address, providing even more control and protection—like an address book with advanced security measures. The address whitelisting feature is currently not provided by SAFE and other smart-contract-based multisig wallets. However, Fireblocks, Utila and BitGo support it.


How Lemma can help

At Lemma, we work with various multisig wallets daily, including Fireblocks, Utila, and SAFE. If you're looking to set up a secure and efficient multisig for your project but aren't sure which one to choose, we're here to help. We can assist with everything from setup and maintenance to initiating and executing transactions. Even if you just need a contact from one of these multisig providers, feel free to reach out—we're happy to support you!


Conclusion

As Web3 continues to evolve, so do the tactics used by scammers, with address poisoning being one of the latest threats. This scam shows that even the smallest detail in a transaction can make a huge difference in protecting your assets. By staying alert and using features like address books and whitelisting, you can avoid costly mistakes and keep your funds secure.

At Lemma, we're dedicated to helping you navigate these challenges. Whether you need assistance with setting up a multisig wallet or advice on implementing stronger security measures, we're here to help. In this rapidly changing landscape, staying one step ahead is crucial—let's work together to ensure your project remains secure and successful.