I was working with a crypto exchange where I came to know about this issue, which can be exploited to scam people. The attacker can convince the victim that he has sent some ERC20 token to the victim's address by sending a token with the same name and ticker symbol. The token will be fake, not the one the victim expects. What can be done in such cases to verify that you have received the legitimate ERC20 token and not a fake?
- Open the transaction details in a block explorer such as Etherscan
- Open CMC (CoinMarketCap) and follow its link to the token's contract address on Etherscan
- The contract address shown in the transaction details should match this official contract address
Example: 0x9992ec3cf6a55b00978cddf2b27bc6882d88d1ec for POLY
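The same check done programmatically, as an added example that is not part of the original post: it reads a transaction receipt in the shape returned by the `eth_getTransactionReceipt` JSON-RPC call and compares the contract that emitted each ERC20 `Transfer` log against the official address, ignoring name and ticker entirely. The function names, the victim, sender and fake-contract addresses, and the sample receipt are constructed for illustration; only the POLY address comes from the post.

```python
# Added example; the receipt is constructed sample data, not real chain data.
# keccak256("Transfer(address,address,uint256)"), topic 0 of every ERC20 Transfer log
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
OFFICIAL_POLY = "0x9992ec3cf6a55b00978cddf2b27bc6882d88d1ec"  # address quoted in the post

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20 bytes."""
    return "0x" + topic[-40:].lower()

def classify_transfers(receipt, my_address, official_contract):
    """Return (emitting_contract, raw_amount, verdict) per ERC20 Transfer to my_address."""
    results = []
    for log in receipt.get("logs", []):
        topics = log.get("topics", [])
        # ERC20 Transfer carries 3 topics (signature, from, to); ERC721 carries 4.
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        if topic_to_address(topics[2]) != my_address.lower():
            continue
        # The log's "address" is the contract that emitted it. Name and symbol
        # are never consulted: any deployer can set them to anything.
        emitter = log["address"].lower()
        data = log.get("data", "0x")
        amount = int(data, 16) if len(data) > 2 else 0
        verdict = "official" if emitter == official_contract.lower() else "FAKE_OR_UNKNOWN"
        results.append((emitter, amount, verdict))
    return results

# --- constructed sample input (hypothetical addresses) ---
VICTIM = "0x" + "11" * 20
SENDER = "0x" + "22" * 20
FAKE_CONTRACT = "0x" + "ab" * 20  # look-alike token claiming the same name/ticker

def make_log(contract, amount):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": contract,
            "topics": [TRANSFER_TOPIC, pad(SENDER), pad(VICTIM)],
            "data": "0x" + format(amount, "064x")}

SAMPLE_RECEIPT = {"logs": [
    make_log(FAKE_CONTRACT, 5000 * 10**18),
    make_log("0x" + OFFICIAL_POLY[2:].upper(), 1),  # upper-case hex: match must ignore case
]}

if __name__ == "__main__":
    for row in classify_transfers(SAMPLE_RECEIPT, VICTIM, OFFICIAL_POLY):
        print(row)
```

The amounts are raw base units as stored in the log; the official address passed in still has to come from a source you trust.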
You can also check other details, such as:
- The value of the tokens sent, shown in USD in round brackets
- The Transfers section, with details of the transactions associated with the token
- Market cap, supply, etc.
This is not just the case with Ethereum tokens: a few other chains also allow the creation of similar tokens, and newcomers can be scammed if they do not verify the token details.
I have a few more questions that someone who is researching Ethereum in more depth may be able to answer:
- In this case we are trusting the data on CMC or other third-party websites to get the link to the official smart contract address
- We are also trusting block explorers like Etherscan, which show a few details from CMC as well
- The average Joe does not run an Ethereum node, and even if someone does, it only helps to avoid relying on other block explorers
- One more source of information can be the official website and community links of the associated project
What if one or more of the parties mentioned above, which are trusted to verify the details, are involved in the scam or plan to exit scam at some point?