
Your 0x Address Is a Liability

How an XNS name protects you from address poisoning.

rip-ens.xns, Apr 6, 2026, 7 min read

A recent Etherscan report shows that address poisoning attacks are rising on Ethereum, as attackers increasingly automate these campaigns and run them at scale.

In an address poisoning attack, attackers insert lookalike addresses into your transaction history, hoping you’ll copy the wrong one the next time you send funds. This has already led to millions in losses.

Here are two out of many examples:

  • Victim lost $600k: link
  • Victim lost $50m: link

Example: How users lose funds due to address poisoning

Consider a scenario where Alice wants to send Bob $50k. A common process looks like this:

  • Bob copies his wallet address and shares it with Alice (e.g. via Telegram)
  • Alice pastes it into her wallet
  • To be safe, she sends a small test transaction
  • She checks Etherscan and confirms with Bob that the test transaction was successful
  • Then she copies the address from the transaction history in Etherscan to send the full amount

That last step is where things break. If an attacker inserted a lookalike address into Alice’s history, she may copy the wrong one, and the funds are gone.

The following example demonstrates how 13 poison transfers were inserted within minutes of a legitimate USDT transfer. Notice how similar many of the injected addresses in the "To" field appear, making it easy to mistake them for the correct one.

[Figure: Alice and Bob example]

The core problem

The root issue lies in the format of Ethereum addresses. They are 42-character hexadecimal strings that look like this:

0x9AdEFeb576dcF52F5220709c1B267d89d5208D78

They are impossible to remember and impractical to verify visually. As a result, users rely on copy-paste.

The problem is further amplified by common wallet and block explorer patterns:

  • They often truncate addresses (e.g. 0x9AdE…8D78), making it even easier for lookalike addresses to go unnoticed.
  • They typically do not implement filters to hide or flag injected poison transactions, allowing fraudulent transfers to blend seamlessly into history (see this example).
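
A history filter of the kind the second bullet says is usually missing, as an added example (not code from XNS, Etherscan or any wallet): it flags history entries that differ from a trusted address but would render identically once truncated. Bob's address is the one quoted above; the other addresses and all function names are constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

def normalize(addr):
    """Validate a 0x address and return its 40 hex digits in lowercase."""
    if not ADDR_RE.match(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr[2:].lower()

def shared_edges(a, b):
    """Count matching hex digits at the start and at the end of two addresses."""
    x, y = normalize(a), normalize(b)
    prefix = next((i for i in range(40) if x[i] != y[i]), 40)
    suffix = next((i for i in range(40) if x[-1 - i] != y[-1 - i]), 40)
    return prefix, suffix

def flag_lookalikes(trusted, history, shown=4):
    """Return history addresses that differ from every trusted address but
    would render identically to one when truncated to `shown` digits per side."""
    trusted_set = {normalize(t) for t in trusted}
    flagged = []
    for addr in history:
        if normalize(addr) in trusted_set:
            continue  # exact match (case-insensitive): this is the real counterparty
        for t in trusted:
            prefix, suffix = shared_edges(addr, t)
            if prefix >= shown and suffix >= shown:
                flagged.append((addr, t, prefix, suffix))
                break
    return flagged

# Bob's address is the one quoted on this page; the others are constructed.
BOB = "0x9AdEFeb576dcF52F5220709c1B267d89d5208D78"
LOOKALIKE = "0x9AdE0123456789abcdef0123456789abcdef8D78"
UNRELATED = "0x1234567890abcdef1234567890abcdef12345678"
HISTORY = [BOB, LOOKALIKE, UNRELATED, BOB.lower()]

if __name__ == "__main__":
    for addr, victim, p, s in flag_lookalikes([BOB], HISTORY):
        print(f"LOOKALIKE {addr} imitates {victim} ({p} leading, {s} trailing digits)")
```

The `shown` parameter should match the number of digits the wallet or explorer displays on each side of the ellipsis; a lower value flags more aggressively.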

The solution: Use human-readable names instead of addresses

Instead of sending funds to:

0x9AdEFeb576dcF52F5220709c1B267d89d5208D78

You send to:

bob.og

That changes the interaction fundamentally.

  • No copy-paste required
  • You can remember the name
  • You can type it directly
  • You send to something you recognize, not something you hope is correct

This is exactly what XNS enables: a simple way to assign a human-readable name to your address and use it for payments.

Sending crypto using an XNS name

Let’s revisit the earlier example using a human-readable name:

  • Bob shares his name: bob.og
  • Alice enters bob.og in the dedicated x2xPay.me payments app
  • She sends a small test transaction
  • She confirms receipt with Bob
  • She sends the remaining amount to bob.og

No 0x addresses. No copying from transaction history. No opportunity for a poisoned address to slip in.

[Figure: Alice and Bob example]

A name is not just for you — it’s for others

There’s an overlooked responsibility here: When you share a raw 0x address, you expose the sender to risk. Everyone who relies on copying your address is a target for an address poisoning attack.

By using an XNS name, you give others a safer way to pay you and a better user experience.

Why XNS

XNS is built with a single goal in mind: making payments on Ethereum simple and safe.

Unlike competing naming systems such as ENS, XNS is designed purely for utility, not speculation.

XNS follows a simple principle: your name should function like a bank account number.

  • Permanent: Your name never expires and cannot be reassigned, eliminating the risk of incoming payments being silently rerouted
  • Non-transferable: No speculation, no reselling, no squatting
  • Cheap: Names start at ~0.001 ETH (~$2), not hundreds of dollars
  • Utility-first: Built for sending and receiving funds, not trading names

Start protecting yourself

To start protecting yourself:

  1. Go to x2xpay.me (register tab)
  2. Register an XNS name
  3. Share your name instead of your 0x address next time you want to get paid

Senders simply enter your name in the x2xPay app, and it resolves automatically to the correct address.

Final thought

Address poisoning works because users are forced to rely on copy-paste. Be smart. Use a human-readable XNS name to protect yourself and others.
