🤖 AI Summary
This study systematically evaluates the usability and security of 53 mainstream Ethereum wallets against address poisoning attacks—a novel phishing technique that forges visually similar transaction records to deceive users into sending funds to malicious addresses. Employing a novel simulation-based attack framework integrated with on-chain transaction analysis, the work quantitatively assesses wallet performance across three dimensions: transaction history rendering, filtering of fraudulent transfers, and risk notification efficacy. Results reveal critical vulnerabilities: 12 wallets exhibit communication failures; 16 display forged transactions without mitigation; only 3 provide explicit, actionable warnings—demonstrating a widespread lack of robust defenses. The study establishes the first benchmark for evaluating wallet resilience to address poisoning, identifies multiple high-risk design flaws, and directly catalyzed security upgrades in several leading wallets, thereby significantly advancing industry-wide defense capabilities against this emerging threat.
📝 Abstract
Blockchain address poisoning is an emerging phishing attack that crafts "similar-looking" transfer records in the victim's transaction history, which aims to deceive victims and lure them into mistakenly transferring funds to the attacker. Recent works have shown that millions of Ethereum users were targeted and lost over 100 million US dollars.
Ethereum crypto wallets, which users rely on to browse their transaction history and to initiate fund transfers, play a central role in deploying countermeasures against the address poisoning attack. Whether they have actually done so remains an open question. To fill this gap, we design experiments that simulate address poisoning attacks and systematically evaluate the usability and security of 53 popular Ethereum crypto wallets. Our evaluation shows that 12 wallets suffer communication failures with their transaction activity provider, which leave them unable to download the user's transaction history. It also shows that 16 wallets pose a high risk to their users by displaying fake token phishing transfers. Our further analysis suggests that most wallets rely on transaction activity providers to filter out phishing transfers, but the phishing detection capability of these providers varies. Finally, we found that only three wallets show an explicit warning message when a user attempts to transfer funds to the phishing address, which points to a significant gap across the broader Ethereum crypto wallet community in protecting users from address poisoning attacks.
Overall, our work shows that more effort is needed from the Ethereum crypto wallet developer community to reach the highest usability and security standards. Our bug reports have been acknowledged by the developer community, which is currently developing mitigation solutions.
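The two wallet-side defences the abstract measures, filtering look-alike transfers out of the displayed history and warning before a transfer to a look-alike address, as an added example that is not code from the paper or from any evaluated wallet. It assumes a simple history record shape (`from`, `to`, `asset`, `value`) and treats an address that shares a trusted contact's displayed prefix and suffix but differs elsewhere as a look-alike; the sample history is constructed.

```javascript
// Added example, not the paper's or any wallet's code: a wallet-side defence
// against address poisoning. Assumption: an address matching a trusted contact's
// displayed prefix and suffix but differing elsewhere is treated as a look-alike.
const PREFIX_LEN = 4; // hex chars after "0x" that wallets usually display
const SUFFIX_LEN = 4;
function normalize(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error(`invalid address: ${addr}`);
  return addr.toLowerCase();
}
// True when `candidate` shares `trusted`'s displayed prefix and suffix but differs.
function isLookAlike(candidate, trusted) {
  const c = normalize(candidate).slice(2), t = normalize(trusted).slice(2);
  return c !== t && c.startsWith(t.slice(0, PREFIX_LEN)) && c.endsWith(t.slice(-SUFFIX_LEN));
}
// Trusted contacts: recipients of the user's own non-zero native ETH transfers.
// Token transfer events are excluded because any contract can emit them with
// arbitrary from/to fields, which is exactly how fake-token poisoning works.
function trustedCounterparties(history, self) {
  const me = normalize(self);
  return [...new Set(history
    .filter(tx => tx.asset === "ETH" && normalize(tx.from) === me && BigInt(tx.value) > 0n)
    .map(tx => normalize(tx.to)))];
}
// Annotate each history entry: suspicious when its counterparty mimics a trusted contact.
function flagPoisoning(history, self) {
  const me = normalize(self), trusted = trustedCounterparties(history, self);
  return history.map(tx => {
    const other = normalize(tx.from) === me ? normalize(tx.to) : normalize(tx.from);
    const mimics = trusted.find(t => isLookAlike(other, t)) || null;
    return { ...tx, suspicious: mimics !== null, mimics };
  });
}
// Pre-send check: a warning string when `to` resembles a trusted contact, else null.
function checkBeforeSend(to, history, self) {
  const mimics = trustedCounterparties(history, self).find(t => isLookAlike(to, t));
  return mimics ? `Recipient ${to} resembles ${mimics} but is a different address` : null;
}
// Constructed sample history (addresses are made up, not real accounts).
const SELF = "0x" + "1".repeat(40);
const TRUSTED = "0xabcd" + "0".repeat(32) + "1234";
const LOOKALIKE = "0xabcd" + "1".repeat(32) + "1234";
const SAMPLE_HISTORY = [
  { from: SELF, to: TRUSTED, asset: "ETH", value: "1000000000000000000" },
  { from: LOOKALIKE, to: SELF, asset: "ETH", value: "0" },          // zero-value poisoning
  { from: SELF, to: LOOKALIKE, asset: "USDT", value: "500000000" }, // fake-token transfer
];
```

A wallet would hide or grey out entries with `suspicious: true` and block or confirm the send when `checkBeforeSend` returns a warning.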