Nicolas Christin

@nc2y@ioc.exchange
243 Followers
87 Following
94 Posts
Prof. at Carnegie Mellon University. Computer & network security, security economics, and online crime. Economic migrant.
🌎Pittsburgh, PA (mostly)
🕸https://www.andrew.cmu.edu/user/nicolasc

Last week my student Ally Nisenoff published "Exploiting the Shared Storage API" at ACM CCS: https://www.andrew.cmu.edu/user/nicolasc/publications/Nisenoff-CCS25.pdf
3 days later, Google announced they're abandoning Shared Storage:
https://privacysandbox.com/news/update-on-plans-for-privacy-sandbox-technologies/

(Correlation doesn't imply causation. Interesting, though.)

We're hosting the 7th intl' conf. on Advances in Financial Technologies (AFT'25) at Carnegie Mellon on Oct. 8-10. Join us to hear about the latest exciting developments in crypto research. Registration closes on Sept 16!
https://advfintech.org/aft25/attend.html
(Program: https://advfintech.org/aft25/program.html)
Advances in Financial Technologies

This is concerning, it seems like lower fees on Ethereum are facilitating address poisoning attacks… https://x.com/toxin_tagger/status/1963220194186178733
Toxin Tagger (T-T) (@toxin_tagger) on X

🚨Warning🚨: There was a surge in the number of poisoning attacks on Ethereum, potentially due to the lower transaction fees. Figures: Daily number of poisoning transfers in August 2025 for Ethereum and BSC.


New research alert 🚨 from my group, “Blockchain Address Poisoning” (Tsuchiya et al.), to appear at
@usenixsecurity 2025 (https://arxiv.org/abs/2501.16681)! As a follow-up, we also developed a real-time detection system: https://cryptotrade.cylab.cmu.edu/poisoning/ and
https://x.com/toxin_tagger

Background: Crypto wallet addresses are usually impossible to memorize. As a result, users often select addresses from their recent transaction history, which facilitates phishing-like attacks: blockchain address poisoning.

The attacker generates “lookalike” addresses that resemble the victim’s recipient’s address, engages with the victim to “poison” the transaction history, and fools the victim into sending their assets to the attacker by mistake.

We developed a detection system and performed measurements on two years of ETH and BSC. We identified 13x the number of attack attempts reported previously—in all, 270M on-chain attacks targeting 17M victims. 6,633 incidents have caused at least 83.8M USD in losses.

We discovered a few large attack entities using clustering techniques. Larger groups are vastly profitable and win against smaller attack groups. We uncovered some attack strategies, such as populations they target, success conditions, and cross-chain attacks.

We simulated the lookalike address generation process across various software- and hardware-based implementations. One large attacker group appears to use GPUs for this attack! The paper also discusses some defenses.

TLDR: Address poisoning is a thing.
Paper: https://arxiv.org/abs/2501.16681
Real-time website: https://cryptotrade.cylab.cmu.edu/poisoning/
Real-time twitter bot:
https://x.com/toxin_tagger

(No Mastodon bot yet, soon I hope).

Blockchain Address Poisoning

In many blockchains, e.g., Ethereum, Binance Smart Chain (BSC), the primary representation used for wallet addresses is a hardly memorable 40-digit hexadecimal string. As a result, users often select addresses from their recent transaction history, which enables blockchain address poisoning. The adversary first generates lookalike addresses similar to one with which the victim has previously interacted, and then engages with the victim to "poison" their transaction history. The goal is to have the victim mistakenly send tokens to the lookalike address, as opposed to the intended recipient. Compared to contemporary studies, this paper provides four notable contributions. First, we develop a detection system and perform measurements over two years on both Ethereum and BSC. We identify 13 times more attack attempts than reported previously -- totaling 270M on-chain attacks targeting 17M victims. 6,633 incidents have caused at least 83.8M USD in losses, which makes blockchain address poisoning one of the largest cryptocurrency phishing schemes observed in the wild. Second, we analyze a few large attack entities using improved clustering techniques, and model attacker profitability and competition. Third, we reveal attack strategies -- targeted populations, success conditions (address similarity, timing), and cross-chain attacks. Fourth, we mathematically define and simulate the lookalike address generation process across various software- and hardware-based implementations, and identify a large-scale attacker group that appears to use GPUs. We also discuss defensive countermeasures.

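The post above explains the mechanism: wallet UIs show only the first and last few hex digits of an address, so an attacker-controlled address that matches a real counterparty on those digits looks identical in a truncated history view. The following Python is an added example written for this page (it is not code from the paper, from the cryptotrade.cylab.cmu.edu detector, or from the Toxin Tagger bot) showing the defensive check a wallet or monitoring script can run: walk a user's transfer history in block order, treat every address the user has previously sent to as trusted, and flag any later incoming transfer whose sender shares a long prefix and suffix with a trusted address but is not byte-for-byte identical. The addresses, transfers, and the prefix/suffix thresholds are constructed sample values, not figures from the paper.

```python
"""Defensive lookalike-address check for a transfer history (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

HEX = set("0123456789abcdef")


def normalize(addr: str) -> str:
    """Lowercase a 0x-prefixed 40-hex-digit address and strip the prefix."""
    a = addr.lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in HEX for c in a):
        raise ValueError(f"not a 40-hex-digit address: {addr!r}")
    return a


def truncated_display(addr: str, head: int = 4, tail: int = 4) -> str:
    """Mimic the shortened form many wallet UIs show (assumed display format)."""
    a = normalize(addr)
    return f"0x{a[:head]}…{a[-tail:]}"


def common_prefix_suffix(a: str, b: str) -> Tuple[int, int]:
    """Length of the shared leading and trailing hex runs of two addresses.

    Identical addresses report (40, 0): everything is prefix, nothing is left
    over to count as suffix, which lets callers distinguish 'same' from 'lookalike'.
    """
    x, y = normalize(a), normalize(b)
    p = 0
    while p < 40 and x[p] == y[p]:
        p += 1
    s = 0
    while s < 40 - p and x[39 - s] == y[39 - s]:
        s += 1
    return p, s


@dataclass
class Transfer:
    block: int          # block height, used for chronological ordering
    counterparty: str   # the other party's address
    direction: str      # "out" = user sent, "in" = user received
    value: float        # token amount (constructed units)


def find_lookalikes(history: List[Transfer], min_prefix: int = 4,
                    min_suffix: int = 4) -> List[Tuple[Transfer, str, int, int]]:
    """Flag incoming transfers whose sender resembles an address the user
    previously sent to. Returns (transfer, trusted_address, prefix_len, suffix_len).

    Thresholds are assumptions chosen to match a 4+4 digit truncated display."""
    trusted: List[str] = []
    hits = []
    for t in sorted(history, key=lambda t: t.block):
        if t.direction == "out":
            # Anything the user deliberately paid is a plausible poisoning target.
            if normalize(t.counterparty) not in (normalize(k) for k in trusted):
                trusted.append(t.counterparty)
            continue
        for known in trusted:
            p, s = common_prefix_suffix(t.counterparty, known)
            if p == 40:
                continue  # exact match: the real counterparty, not a lookalike
            if p >= min_prefix and s >= min_suffix:
                hits.append((t, known, p, s))
    return hits


# Constructed sample data: a real recipient, a lookalike sharing its first and
# last four hex digits, and an unrelated address.
TRUSTED = "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"
LOOKALIKE = "0x1a2b000000000000000000000000000000009a0b"
UNRELATED = "0xffffffffffffffffffffffffffffffffffffffff"

SAMPLE_HISTORY = [
    Transfer(100, TRUSTED, "out", 1.5),    # user pays the real recipient
    Transfer(101, LOOKALIKE, "in", 0.0),   # zero-value "poison" dusting transfer
    Transfer(102, UNRELATED, "in", 2.0),   # ordinary incoming payment
]

if __name__ == "__main__":
    for t, known, p, s in find_lookalikes(SAMPLE_HISTORY):
        print(f"block {t.block}: {truncated_display(t.counterparty)} looks like "
              f"{truncated_display(known)} (shared prefix {p}, suffix {s})")
        print("  full sender :", t.counterparty)
        print("  full trusted:", known)
```

The point of `truncated_display` is that both addresses render as the same string, which is exactly why selecting a recipient from a shortened history view is unsafe; a wallet should compare the full 40 hex digits against its trusted set before sending, and a monitoring script can run `find_lookalikes` over newly observed transfers to warn the user.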

PSA: If you're using homebrew, and discovered that MAME crashes w/ a Bus Error upon startup after upgrading to Sequoia, 1) update mame.ini so that the line containing gl_lib points to /System/Library/Frameworks/OpenGL.framework/Libraries/libGLVMPlugin.dylib 2) launch w/ DYLD_LIBRARY_PATH="" mame

Details: it's likely that there are some symbol mismatches between some homebrew libraries linked against old OpenGL libs and the new OpenGL shipping with Sequoia. This drove me nuts. So I'm posting this here in hopes people don't waste their time. Oh, and don't ask an LLM, they're clueless.

Thread about our paper appearing this week at ACM SIGMETRICS 2025 (yes, it's on the other site): https://bsky.app/profile/tarotsuchiya.bsky.social/post/3lr7bqt73zk2o
Taro Tsuchiya (@tarotsuchiya.bsky.social)

I am delighted to announce that our paper “Blockchain Amplification Attack” has been accepted to ACM SIGMETRICS. This week, I will be in Stony Brook to present our work! Amazing coauthors: Liyi Zhou, Kaihua Qin, Arthur Gervais, and @nc2y.bsky.social Paper: https://dl.acm.org/doi/10.1145/3711697 TLDR below.


Looking for a home for your great scientific result in fintech that is almost all written up and ready to go? The AFT deadline is in less than 24 hours…

https://aftconf.github.io/aft25/index.html

Advances in Financial Technologies

Have you ever been annoyed by some Python code not stopping immediately when you press control-C? It's a common problem in scientific computing because of bugs in many of the compiled-code "extension modules" that accelerate this use of Python.

I gave a talk today at #PyCon about what needs to happen to get those bugs fixed. I'm told a video will be available within a few days, but already you can see my slides and detailed notes at <https://research.owlfolio.org/pubs/2025-pyext-ctrlc-talk/>.

Writing Extension Modules to be Interruptible

I have an open PhD position at @uclisec on applying traffic-analysis resistance techniques to protect industrial control systems. Full funding is available for home-fee status students (deadline 15 April). https://www.ucl.ac.uk/security-crime-science/project-proposals
Project proposals

As part of your application to the EPSRC CDT in Cyber-Physical Risk, you will have the opportunity to select a cutting-edge research project that aligns with your interests and expertise.


Another one bites the dust! The editorial board of the journal Mathematical Logic Quarterly have resigned en masse, complaining about the publisher, Wiley:

"The managing editors and editors of MLQ believe that the academic editorial process guaranteeing scientific quality control should be entirely in the hands of an editorial team consisting of members of the academic research community that are entirely free from pressure or influence of commercial and profit-oriented interests."

They've started a new journal of mathematical logic that's "diamond open access". This means simply that it's free to publish in and free to read.

Because they're German, they decided to call this new journal Zeitschrift für Mathematische Logik und Grundlagen der Mathematik. But they'll forgive you if you call it ZML:

https://blog.tib.eu/2025/04/07/mlq-walk-out/

This move is part of a trend. The Open Access Tracking Project now lists more than 200 articles on such "declarations of independence":

https://tagteam.harvard.edu/hubs/3/tag/oa.declarations_of_independence

If you're on an editorial board, you should want to convert your journal to diamond open access. And there are resources to help you do it:

https://www.openaccess.nl/en/diamond-open-access/resources
https://toolsuite.diamas.org/

Further resignation of an editorial board: Mathematical Logic Quarterly - TIB-Blog

There has been an increasing number of resignations by editors of scholarly journals in recent years. In many cases, the editors have criticised the publisher’s excessive influence, especially when the publisher’s presumed goals clash with those of the editors. Today, almost the entire editorial board of yet another journal, MLQ: Mathematical Logic Quarterly, has announced […]
