Last year, Etherscan admitted a big problem with how it labels token transfers, namely that ‘From’ labels are easy to spoof.
Spoofing is when someone disguises a sender’s information to fool victims into believing that they’re interacting with a trusted source. Spoofed ERC-20 token transfers look similar to legitimate ones, with names and symbols that look identical to their legitimate counterparts. However, they involve a completely different token.
Often, the contract address and the date on which the token was first minted are the only ways to distinguish between the real and spoof transfer.
A common tactic adopted by scammers is to promise an airdrop and then disappear with victims’ ETH once they’ve purchased the fake token. Besides stealing ETH, scammers can use spoof tokens to redirect investors to phishing sites and steal funds after they authorize access to their MetaMask.
In other cases, traders will tag an address belonging to a whale or influencer whom they believe can be trusted. Falling for the spoof, these traders will notice that the address seemingly participates in a transaction involving a brand-new token. These traders might buy that token thinking it might be up-and-coming and subsequently lose all their money.
In addition, it’s possible to spam Etherscan’s token transfer section using fake or worthless token transfers to drown out any attempt to read a wallet’s legitimate activities.
“Any arbitrary address to be the sender”
To be clear, spoofers can make almost any wallet on Etherscan appear to have sent a token, even if its owner didn’t make a transfer. As Harith Kamarul wrote on Etherscan’s own blog, “The ERC-20 standard transfer and ‘transferFrom’ functions can be modified to allow any arbitrary address to be the sender of tokens, as long as this is specified within the smart contract, resulting in a token being transferred from a different address than the one that initiated the transaction.”
Etherscan recommends savvy researchers verify token transfers by inspecting information associated with the transaction hash. In a typical spoof, the ‘From’ address that appears to have initiated the transaction will not be the same as the actual ‘From’ address for the token transfer.
Etherscan flags some of the most obvious spoofs
Etherscan has been trying to clean up spoofing and spam. For instance, there’s at least one token that Etherscan now recognizes as a fake zkSync token. The spoofers behind it used the ‘transferFrom’ function to try to fool people into thinking Vitalik Buterin had received and sent that token.
Etherscan has also added a public name tag to addresses used by verified dApps that often send legitimate bulk token transfers.
Etherscan is also working on a Token Ignore List, which can hide ERC-20, ERC-721, and ERC-1155 transfers and balances. Users can also opt into ignoring any tokens that Etherscan has flagged as suspicious or fake.
Etherscan is still unable to entirely prevent spoofed token transfers from displaying on Ethereum’s most popular block explorer. Indeed, avoiding spoofing requires a closer inspection of each transaction hash to verify token transfers that appear to come from well-known influencers like whales or even Buterin himself.