Project Overview: Solana Account Dusting & Address Poisoning Analysis
Executive Summary
This research project, "Shikiga," investigates the prevalence and characteristics of account dusting and address poisoning attacks within the Solana blockchain ecosystem. By analyzing on-chain data and transaction patterns, we identified systematic attempts to manipulate user behavior through small-value transfers designed to trick recipients into interacting with malicious addresses. Our findings reveal sophisticated attack vectors that exploit user interface limitations and human psychology to facilitate theft of digital assets. This report details our methodology, data sources, and key insights that can help protect users and inform wallet developers about critical security considerations.
Introduction
Account dusting and address poisoning represent significant threats to blockchain users, particularly on networks with low transaction costs like Solana. These attacks leverage the inherent pseudonymity of blockchain addresses combined with user interface design patterns to create opportunities for asset theft.
The Shikiga project examines these attack patterns through rigorous data analysis to understand their scope, methods, and potential mitigations.
Account dusting involves sending minimal amounts of cryptocurrency to many addresses to break privacy by linking addresses together. Address poisoning, a more malicious variant, consists of creating addresses visually similar to legitimate addresses and sending small amounts to establish a transaction history, hoping recipients will mistakenly copy the attacker's address in future transactions.
Research Objectives
Quantify the prevalence of account dusting and address poisoning on Solana.
Identify common patterns and characteristics of malicious transactions.
Analyze temporal trends in attack methodologies.
Develop detection methods for potentially malicious activity.
Propose mitigation strategies for wallet developers and users.
Methodology
Our research approach combined on-chain data analysis with pattern recognition techniques to identify suspicious transaction activity. The methodology consisted of several interconnected phases:
Data Collection
We leveraged the Flipside Crypto data platform to access comprehensive Solana blockchain data. Our primary datasets included:
Complete transaction history from the Solana mainnet.
Token transfer events focusing on SOL and popular SPL tokens.
Wallet address creation and interaction patterns.
Historical transaction values and frequency distributions.
Data was collected through SQL queries to the Flipside Crypto database, with special attention to low-value transfers (under 0.01 SOL) and addresses with similar prefix/suffix patterns to known addresses.
Pattern Analysis
We developed several heuristics to identify potential dusting and poisoning attempts:
Transfer Value Analysis: Identified transactions that carry minimal economic value yet incur transaction fees disproportionate to the transfer amount.
Address Similarity Scoring: Created algorithms to detect addresses with high visual similarity to previously interacted-with addresses.
Transaction Frequency Mapping: Analyzed addresses sending small amounts to hundreds or thousands of unique wallets.
Temporal Clustering: Identified bursts of similar low-value transactions occurring within short timeframes.
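The value, frequency and temporal heuristics above can be combined in a single pass over transfer records. The sketch below is an added example, not code from the Shikiga project: the record fields, the fan-out threshold and the 60-second window are assumptions, and only the 0.01 SOL cutoff comes from this report.

```python
from collections import defaultdict

DUST_MAX_SOL = 0.01   # low-value cutoff used in the report's data collection
MIN_RECIPIENTS = 5    # assumed fan-out threshold, kept small for the sample
BURST_WINDOW_S = 60   # assumed burst window in seconds

def flag_dusting_senders(transfers, min_recipients=MIN_RECIPIENTS,
                         window_s=BURST_WINDOW_S):
    """Map sender -> peak number of distinct recipients dusted in one window."""
    by_sender = defaultdict(list)
    for t in transfers:
        if 0 < t["amount_sol"] < DUST_MAX_SOL:        # transfer value filter
            by_sender[t["sender"]].append((t["ts"], t["recipient"]))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()                                 # order by timestamp
        in_window = defaultdict(int)  # recipient -> transfers inside the window
        left = peak = 0
        for ts, recipient in events:
            in_window[recipient] += 1
            while ts - events[left][0] > window_s:    # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))          # fan-out inside the burst
        if peak >= min_recipients:
            flagged[sender] = peak
    return flagged

def constructed_sample():
    """Constructed transfers (not real chain data) for four sender behaviours."""
    def row(sender, i, amount, ts):
        return {"sender": sender, "recipient": f"W{i}",
                "amount_sol": amount, "ts": ts}
    rows = [row("DUSTER", i, 0.00058, 1000 + 5 * i) for i in range(6)]   # burst
    rows += [row("SLOW", i, 0.00058, 1000 + 3600 * i) for i in range(6)]  # spread out
    rows += [row("PAYER", i, 5.0, 1000 + i) for i in range(10)]           # not dust
    rows += [row("REBATE", i, 0.002, 1000 + i) for i in range(2)]         # low fan-out
    return rows

if __name__ == "__main__":
    print(flag_dusting_senders(constructed_sample()))
```

Only the sender that dusts many distinct wallets inside one window is flagged; the slow sender, the high-value payer and the two-recipient rebate are not.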
Classification Framework
Based on the identified patterns, we developed a classification framework to categorize transactions as:
Legitimate small transfers (e.g., rebates, micro-payments).
Likely privacy-breaking dust attacks.
Probable address poisoning attempts.
High-confidence malicious activity.
This classification utilized machine learning techniques, including clustering and anomaly detection, to improve accuracy.
Data Sources
Our analysis draws primarily from the following data sources:
Flipside Crypto: Provided comprehensive access to Solana blockchain data through their SQL query engine, enabling advanced analysis of transaction patterns.
Solana Block Explorers: Solscan and Solana Explorer were used to verify specific transactions and provide context for identified patterns.
DeFi Protocol APIs: Integrated data from major Solana DeFi protocols to distinguish legitimate protocol interactions from suspicious activities.
Community Reports: Incorporated documented cases of scams and phishing attempts from community forums and security bulletins.
Key Research Findings
Prevalence and Scale
Our analysis revealed widespread account dusting and address poisoning activity across the Solana ecosystem:
Over 3.4 million distinct addresses have received at least one transaction matching our dusting criteria.
Approximately 124,000 addresses exhibit strong signals of being used for address poisoning.
The average dust amount sent was 0.00058 SOL, intentionally below attention thresholds.
Peak activity periods correlated with high network usage and elevated SOL prices.
Attack Sophistication
The research uncovered increasingly sophisticated attack methodologies:
Targeted Selection: Attackers preferentially target addresses that have recently interacted with popular DeFi protocols or NFT marketplaces.
Mimicry Techniques: Address poisoning attempts showed evidence of algorithmic generation to maximize visual similarity with victim addresses.
Timing Optimization: Attacks frequently occurred shortly after legitimate high-value transactions, when users might be expected to conduct follow-up transactions.
Multi-Chain Coordination: Evidence suggested coordinated attacks across multiple blockchains using similar techniques.
User Interface Vulnerabilities
Our findings highlighted critical vulnerabilities in how wallet interfaces display transaction histories:
Abbreviated address displays (showing only the first/last few characters) create perfect conditions for poisoning attacks.
Transaction history interfaces rarely distinguish clearly between incoming and outgoing transactions.
Copy-paste functionality in many wallets lacks verification prompts for address similarity.
Mobile interfaces are particularly vulnerable due to screen size constraints.
Economic Analysis
The economic patterns behind these attacks revealed their operational structure:
The total investment in dusting campaigns exceeded 780 SOL (approximately $39,000 at the time of analysis).
Successful attacks yielded an estimated return-on-investment exceeding 1,200%.
Attack infrastructure costs (including address generation and transaction fees) showed economies of scale.
Evidence of professional operation suggested organized groups rather than individual attackers.
Impact Assessment
The research identified several significant impacts of these attack vectors:
Direct Financial Losses: Confirmed cases of successful address poisoning resulted in estimated losses exceeding $5.2 million across the analyzed timeframe.
Trust Erosion: Increased prevalence of such attacks contributes to reduced confidence in self-custody solutions.
Behavioral Changes: Users exposed to dusting become more hesitant to transact, potentially reducing overall ecosystem activity.
Privacy Implications: Successful dusting compromises the pseudonymity properties of blockchain interactions.
Recommendations
Based on our findings, we propose several recommendations for different stakeholders:
For Wallet Developers
Implement visual differentiation between sending and receiving addresses in transaction histories.
Add address similarity warnings when users attempt to copy addresses from transaction histories.
Develop "safe recipient" lists with visual verification to prevent address confusion.
Consider alternative address display methods beyond simple truncation.
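One way a wallet could implement the similarity warning recommended above is to compare a copied address against the user's saved recipients before it is pasted into a send form. This is an added example, not code from the Shikiga project: the function names, the verdict labels and the four-character truncation width are assumptions, and the addresses are constructed placeholders.

```python
def common_prefix_len(a, b):
    """Number of leading characters two strings share (case-sensitive)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def check_recipient(candidate, trusted, shown=4):
    """Classify a copied address against saved recipients.

    shown is the number of characters the UI displays at each end of a
    truncated address (assumed to be 4 here).
    """
    if candidate in trusted:
        return ("trusted", candidate)
    best = ("unknown", None)
    for addr in trusted:
        pre = common_prefix_len(candidate, addr)
        suf = common_prefix_len(candidate[::-1], addr[::-1])
        if pre >= shown and suf >= shown:
            # Identical once truncated: the user cannot tell them apart on screen.
            return ("display-collision", addr)
        if pre >= shown or suf >= shown:
            best = ("partial-lookalike", addr)
    return best

# Constructed placeholder addresses (not real Solana accounts).
SAVED = ["7xKQ" + "A" * 36 + "9mPz"]
LOOKALIKE = "7xKQ" + "B" * 36 + "9mPz"   # same first and last four characters
PARTIAL = "7xKQ" + "C" * 40              # same first four characters only
UNRELATED = "3fRt" + "D" * 40

if __name__ == "__main__":
    for addr in (SAVED[0], LOOKALIKE, PARTIAL, UNRELATED):
        print(addr[:4] + "..." + addr[-4:], check_recipient(addr, SAVED))
```

A "display-collision" verdict is the case to block or interrupt with a full-address confirmation, since the truncated form matches a saved recipient while the full address does not.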
For Users
Maintain separate addresses for high-value holdings and routine transactions.
Always verify the complete address when sending transactions, not just the abbreviated display.
Use bookmarked or saved addresses for common destinations.
Treat any unexpected incoming transaction as potentially suspicious.
For Ecosystem Participants
Support the development of improved address standards with built-in error detection.
Encourage the adoption of human-readable addressing systems as secondary verification.
Develop cross-platform standards for transaction history display.
Establish community alert systems for emerging attack patterns.
Conclusion
Account dusting and address poisoning represent sophisticated attack vectors that exploit the intersection of blockchain design, user interface limitations, and human psychology. Our research demonstrates that these attacks are widespread on Solana and continue to evolve in complexity and targeting precision.
Unfortunately, the low transaction costs that make Solana attractive for legitimate use cases also lower the barrier for malicious actors to conduct wide-scale dusting campaigns. As the ecosystem continues to grow, addressing these security challenges will require coordinated efforts across wallet developers, education initiatives, and potentially protocol-level innovations.
By quantifying the scope of the problem and identifying specific attack patterns, this research aims to contribute to developing more robust defenses against these threats, ultimately improving the security posture of the entire Solana ecosystem.
Resources
Detection API: https://GitHub.com/DavidNzube101/Shikiga
Flipside Dashboard: https://flipsidecrypto.xyz/Litoshi/account-dusting-address-poisoning-6zmIuw