Skip to content

This is the repository for paper "Dissecting Payload-based Transaction Phishing on Ethereum" accepted to NDSS 2025.

Notifications You must be signed in to change notification settings

blocksecteam/PTXPhish

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
 
 
 
 
 
 

Repository files navigation

The dataset of Ethereum payload-based transaction phishing

This is the repository for paper "Dissecting Payload-based Transaction Phishing on Ethereum" accepted to NDSS 2025.

Dataset

Dataset contains the dataset we used in our experiments. Feel free if you have any questions.

Category Target Assets Spread Method Num
Exploiting legitimate contract Ice phishing Approve ERC20 website 1247
Permit ERC20 website 814
SetApproveForAll NFT website 508
NFT order Bulk transfer NFT website 37
Proxy upgrade NFT website 108
Free buy order ERC20 & NFT website 464
Deploying phishing contract Address Poisoning Zero value transfer ERC20 Transaction 104
Fake token transfer ERC20 Transaction 100
Dust value transfer ERC20 Transaction 22
Payable Function Airdrop function ETH Transaction 788
Wallet function ETH Transaction 808
Benign - - - - 13557

The open-source ground-truth dataset is in the ./dataset/PTXPHISH.xlsx

Detection Bot/Rules

Our detection system is published in Forta, and it is free to subsribe.

Description

This bot monitors:

  • Ice-phishing — This is a special phishing attack in which a user is not tricked into disclosing private information but rather into signing an on-chain transaction that gives an attacker control over the user's digital assets. This often involves signing an approval transaction. Once the transaction is signed and incorporated into a block, the attacker can proceed to transfer a user’s digital assets to their own wallet.
  • Nft-order - Seaport is a protocol for trading tokens. Seaport allows users to create offers by merely signing a transaction and not submitting it on-chain (it is structured this way as a gas-saving measure). Traditionally, users think signing a transaction and not submitting it on-chain is a safe operation. This is not the case. In this attack, the scammer tricks the user into signing an offer that offers their digital assets (e.g. a set of NFT) for a value well below market price. The scammer then executes the order on the user's behalf, causing the user to lose their digital assets.
  • Address-poisoning - In this attack, the scammer examines the user's transaction history and submits 0 value transfers to or from the user from an address that looks similar to an address in the user's history. Since the value is 0, it does not require any approvals. The result is that the transaction history for a user's wallet is now poisoned with addresses the attacker controls. A user may accidentally transfer tokens or native assets to those attacker-controlled addresses (some variations of the attack exist where the attacker transfers a small amount instead of 0 amount to the user). This threat category is used for labeling poisoning addresses
  • Payable function — This is similar to ice phishing but does not involve a token contract. Here, the user is simply tricked into signing and submitting an on-chain transaction that transfers assets to the scammer.

Citation

If you use the related dataset or the insights we observed in our paper, please consider citing our paper.

@inproceedings{chen2025dissecting,
    title={Dissecting Payload-based Transaction Phishing on Ethereum},
    author={Chen, Zhuo and Hu, Yufeng and He, Bowen and Luo, Dong and Wu, Lei and Zhou, Yajin},
    booktitle={Network and Distributed Systems Security (NDSS) Symposium},
    year={2025}
}

About

This is the repository for paper "Dissecting Payload-based Transaction Phishing on Ethereum" accepted to NDSS 2025.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •