Trezor Suite vulnerability ERC20 (spam addresses)
- This topic has 15 replies and 1 participant, and was last updated 1 year, 7 months ago by bat-affleck-is-back.
July 24, 2023 at 21:45 #2710396
root_s2yse8vt
Administrator::Hello, I want to share a Trezor Suite vulnerability. First, I made a test transaction on the ERC20 network to an exchange wallet for $20 (the lowest amount). The money arrived. The transaction is shown as outgoing. After it, a minute later, another spam transaction appeared, also disguised as outgoing (but without a commission), where the first 5 and last 4 characters of the wallet address matched. That is where I sent my money. The scammer has already collected $160,000)
I hope this is useful to someone. We pay dearly for mistakes.
-
July 24, 2023 at 21:45 #2710398
isit2amalready
Guest::This is not a Trezor vulnerability, it’s just spam. Just like you get in your Gmail. That’s why you never copy and paste the "last transaction" in your history as it could have been one of the spam ones.
I do agree Trezor can do something to highlight these as potential spam transactions like Etherscan is doing now.
-
July 24, 2023 at 21:45 #2710399
mcgravier
Guest::People, stop being toxic to this guy, he lost a lot of money ffs.
As for
> where the first 5 and last 4 characters of the wallet address matched
Would you share the spam address and the real one with us? It’s not recommended due to privacy issues, but the wider community would benefit from this.
Also it’s worth contacting Trezor support – they may implement some countermeasures in the future after all.
-
July 24, 2023 at 21:45 #2710402
brianddk
Guest::OP, sorry for your loss.
Future readers, here is the applicable note in the manual
> The most important step in avoiding this type of scam is to thoroughly verify and double-check the address before confirming the transaction on your Trezor. This is crucial for all transactions, but especially when sending assets of significant value. The only way to ensure safety is to carefully check every character of the address.
– ***[The Manual](https://trezor.io/support/a/address-poisoning-attacks)***
-
July 24, 2023 at 21:45 #2710405
EfraimK
Guest::OP, could you share some more details about or clarify what happened? What do you mean by, "After it, a minute later, another spam transaction appeared"? Are you saying you saw another transaction on your Trezor to confirm having the same first and last characters as the transaction you’d recently confirmed?
FWIW, I don’t think it makes any sense to ridicule or debase people for making mistakes. And tech companies should anticipate mistakes and improve their products by compensating for them (like cars’ annoying beeping if drivers forget to engage their seat-belts…). The objective ought to be making crypto safe for everybody, not gloating over others’ losses due to mistakes.
-
July 24, 2023 at 21:45 #2710406
loupiote2
Guest::This scam is called "Address Poisoning Attacks". They are very common.
You should NEVER copy a dest address from a previous transfer you did and that you see on a blockchain explorer, because the transfer you see may in fact be a fake / scam transfer using address poisoning.
This has nothing to do with Trezor. This scam targets any transfer done using any wallet.
However, if Trezor tools show your Tx’s on the blockchain, they should definitely hide or flag those fake Tx’s made on your account.
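The flagging several replies ask for, as an added example that is not part of any post in this thread and is not Trezor's code: it compares each address against ones the user has already verified in full, and flags those that only share the visible ends. The function names, the thresholds (3 leading and 4 trailing hex characters after `0x`) and the sample addresses are assumptions constructed for illustration.

```python
"""Flag look-alike ("poisoned") Ethereum addresses against verified ones."""
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

def normalize(addr: str) -> str:
    """Validate the shape and return the lowercase 40-char hex body (no 0x)."""
    addr = addr.strip()
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr[2:].lower()  # case only carries the checksum, not identity

def shared_ends(a: str, b: str) -> tuple[int, int]:
    """Count matching characters at the start and at the end of two hex bodies."""
    prefix = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), len(a))
    suffix = next((i for i, (x, y) in enumerate(zip(a[::-1], b[::-1])) if x != y), len(a))
    return prefix, suffix

def classify(dest: str, trusted: list[str],
             min_prefix: int = 3, min_suffix: int = 4) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one address."""
    body = normalize(dest)
    known = [normalize(t) for t in trusted]
    if body in known:
        return "trusted"        # every character equals a verified address
    for k in known:
        prefix, suffix = shared_ends(body, k)
        if prefix >= min_prefix and suffix >= min_suffix:
            return "lookalike"  # same visible ends, different middle
    return "unknown"

def flag_history(history: list[str], trusted: list[str]) -> list[str]:
    """Return the history entries that imitate a verified address."""
    return [h for h in history if classify(h, trusted) == "lookalike"]

# Constructed sample data, not addresses from the thread.
REAL = "0x3f5" + "1" * 33 + "c0de"   # address the user verified in full
FAKE = "0x3f5" + "9" * 33 + "c0de"   # same ends, different middle
OTHER = "0x" + "ab" * 20             # unrelated address

if __name__ == "__main__":
    for addr in (REAL, FAKE, OTHER):
        print(addr, classify(addr, [REAL]))
```

A truncated display such as `0x3f5…c0de` is identical for `REAL` and `FAKE`, which is why only the full-length comparison separates them.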