Trezor Suite vulnerability ERC20 (spam addresses)

Hello, I would like to share a Trezor Suite vulnerability. First, I made a test transaction on the ERC20 network to a $20 exchange wallet (the lowest amount). The funds arrived. The transaction is listed as outgoing. A minute later, another spam transaction appeared, also disguised as outgoing (but without a fee), where the first 5 and last 4 characters of the wallet address matched. That's where I sent my money. The scammer has already collected $160,000.

I hope it will be useful to someone. We pay dearly for mistakes.


15 thoughts on “Trezor Suite vulnerability ERC20 (spam addresses)”

  1. This is not a Trezor vulnerability, it’s just spam. Just like what you get in your Gmail. That’s why you never copy and paste the “last transaction” in your history, as it could have been one of the spam ones.

    I do agree Trezor can do something to highlight these as potential spam transactions, like Etherscan is doing now.

  2. OP, sorry for your loss

    Future readers, here is the applicable note in the manual

    > The most important step in avoiding this type of scam is to thoroughly verify and double-check the address before confirming the transaction on your Trezor. This is crucial for all transactions, but especially when sending assets of significant value. The only way to ensure safety is to carefully check every character of the address.

    The Manual

  3. Congratulations, you’ve just learned a hard lesson on what’s called address poisoning. Trezor has no blame in this; there are probably forums on how to avoid this. Find some time and read up on this.

  4. It is called “dusting” and can happen on any wallet. You failed to verify your full addresses, sorry for your loss.

  5. People, stop being toxic to this guy, he lost a lot of money ffs.

    As for

    > where the first 5 and last 4 characters of the wallet address matched

    Would you share the spam address and the real one with us? It’s not recommended due to privacy issues, but the wider community would benefit from this.

    Also, it’s worth contacting Trezor support – they may implement some countermeasures in the future after all.

  6. I don’t get it, the test tx arrived.

    There’s a new 0-value tx… and you copy-paste the address? Doesn’t that defeat the purpose of having the test tx?

  7. I was also scammed just now… sad, and I completely don’t understand how that is possible with TREZOR????

  8. OP, could you share some more details about or clarify what happened? What do you mean by, “After it, a minute later, another spam transaction appeared”? Are you saying you saw another transaction on your Trezor to confirm having the same first and last characters as the transaction you’d recently confirmed?

    FWIW, I don’t think it makes any sense to ridicule or debase people for making mistakes. And tech companies should anticipate mistakes and improve their products by compensating for them (like cars’ annoying beeping if drivers forget to engage their seat-belts…). The objective ought to be making crypto safe for everybody, not gloating over others’ losses due to mistakes.

  9. This scam is called “Address Poisoning Attacks”. They are very common.

    You should NEVER copy a destination address from a previous transfer you did and that you see on a blockchain explorer, because the transfer you see may in fact be a fake/scam transfer using address poisoning.

    This has nothing to do with Trezor. This scam targets any transfer done using any wallet.

    However, if Trezor tools show your txs on the blockchain, they should definitely hide or flag those fake txs made on your account.
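The flagging that comment 9 asks for, and the look-alike pattern the OP describes (a zero-value transfer shown as outgoing, no fee paid by the account, first 5 and last 4 characters matching a real destination), as an added example that is not part of this thread and is not Trezor Suite code. It runs over a constructed transfer history and also does the full-address comparison the manual quoted in comment 2 asks for. The addresses, hashes, amounts, the 6-decimal token and the prefix/suffix lengths are all assumptions made for the illustration.

```python
# Added example (not Trezor Suite code): flag address-poisoning look-alikes in
# an ERC-20 transfer history and do the full-address check the manual asks for.
# All addresses, hashes and amounts below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx_hash: str          # constructed label, not a real transaction hash
    direction: str        # "out" or "in", as the wallet renders it
    counterparty: str     # the address shown next to the transfer
    value: int            # token amount in base units (0 for the bait)
    fee_paid_by_me: bool  # True if this account paid the gas for the tx


# Assumed UI truncation: first 5 chars ("0x" + 3 hex) and last 4, as in the OP's post.
PREFIX_LEN = 5
SUFFIX_LEN = 4


def looks_alike(a: str, b: str, prefix: int = PREFIX_LEN, suffix: int = SUFFIX_LEN) -> bool:
    """True if a and b agree on the visible ends but are different addresses.

    Case-insensitive so that a checksummed (EIP-55) and a lower-case rendering
    of the same address are not mistaken for a look-alike pair.
    """
    a, b = a.lower(), b.lower()
    if a == b:
        return False
    return a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]


def addresses_match(intended: str, pasted: str) -> bool:
    """The check the manual asks for: every character, not just the ends."""
    return intended.lower() == pasted.lower()


def flag_poisoning(history: list[Transfer]) -> list[Transfer]:
    """Return transfers that fit the bait pattern from the thread: zero value,
    rendered as outgoing, no fee paid by this account, and a counterparty that
    is a look-alike of an address this account really paid (non-zero value,
    fee paid by us)."""
    trusted = {
        t.counterparty.lower()
        for t in history
        if t.direction == "out" and t.fee_paid_by_me and t.value > 0
    }
    return [
        t for t in history
        if t.value == 0
        and t.direction == "out"
        and not t.fee_paid_by_me
        and any(looks_alike(t.counterparty, real) for real in trusted)
    ]


# Constructed 42-character addresses. REAL and FAKE share "0x1a2" and "9f0e".
REAL = "0x1a2" + "b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f" + "9f0e"
FAKE = "0x1a2" + "0" * 33 + "9f0e"
OTHER = "0xdea" + "b" * 33 + "beef"

# Constructed history in the order the OP describes: $20 test transfer to the
# exchange (assumed 6-decimal token, so 20_000_000 base units), then the
# zero-value bait a minute later, then an unrelated incoming transfer.
HISTORY = [
    Transfer("tx-test", "out", REAL, 20_000_000, True),
    Transfer("tx-spam", "out", FAKE, 0, False),
    Transfer("tx-in", "in", OTHER, 5_000_000, False),
]


def main() -> None:
    for t in flag_poisoning(HISTORY):
        print(f"suspected address poisoning: {t.tx_hash} -> {t.counterparty}")
    print("copied address is the real one:", addresses_match(REAL, FAKE))


if __name__ == "__main__":
    main()
```

The prefix and suffix lengths should follow whatever the wallet's address display actually truncates to, because the attacker generates the bait to match exactly what the user sees; a wallet that shows more characters forces a costlier brute force but the full-character comparison in `addresses_match` is still the only check that cannot be gamed.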
