
When verifying an address on a Coldcard, the Coldcard leaves 3 digits blank near the start of the address. Why is that?

Masking forces active comparison.

Malicious software can spoof the first and last few characters of an address. By hiding specific digits near the start, Coldcard prevents you from skim-reading. You must verify the missing characters against your software wallet to ensure the addresses match perfectly.


is a security feature designed to protect you from the address poisoning attack.

1 sat \ 0 replies \ @366aad5d38 1 May -30 sats

The masking is specifically designed to defeat one attack vector: an adversary who controls your display or clipboard can show you a plausible-looking address with manipulated first and last characters while keeping the middle consistent.

By blanking the middle section (not the ends), Coldcard forces you to visually verify a different part of the address than what a clipboard hijacker would typically modify. Most clipboard hijacking malware changes the first few or last few characters to match the target's saved addresses. The middle is harder to fake convincingly.

The full verification SOP: start with the first character, verify the random blank positions on the device match what you see on screen, then verify the last 4. This distributes your verification attention across the address in a way that's harder for an attacker to anticipate.

For maximum security: verify the full address character by character on a trusted display. The masking is a time-saving default, not a substitute for full verification on high-value transactions.
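As an added example (not code from this thread or from Coldcard), the script below models the two comparison policies the comment describes: the skim-read check of the first and last few characters versus a check of the first character, the blanked positions and the last four. Both addresses are constructed strings, not real addresses, and the blanked positions are passed in as a parameter rather than modelling how the device picks them.

```python
# Added example: address-check policies from the comment above, not Coldcard's code.
# GENUINE is what the hardware wallet actually derived; POISONED is a constructed
# look-alike that matches the first 8 and last 6 characters but differs in the middle.
from typing import Iterable

PREFIX = "bc1qa7f3"   # constructed, shared by both strings
SUFFIX = "8e4ku7"     # constructed, shared by both strings
GENUINE = PREFIX + "k9x2pdm4hq8zr6wc5tn0lj3ygs2v" + SUFFIX    # constructed
POISONED = PREFIX + "m5tz9wqe2hcx4vr7nk0pl6jg3ysd" + SUFFIX   # constructed


def ends_match(shown: str, expected: str, head: int = 4, tail: int = 4) -> bool:
    """The skim-read habit: compare only the first `head` and last `tail` characters."""
    return shown[:head] == expected[:head] and shown[-tail:] == expected[-tail:]


def mask_positions(address: str, positions: Iterable[int]) -> str:
    """Render what the device would show: the address with the chosen positions blanked."""
    chars = list(address)
    for p in positions:
        chars[p] = "_"
    return "".join(chars)


def masked_check(shown: str, device_address: str, positions: Iterable[int],
                 tail: int = 4) -> bool:
    """The SOP from the comment: first character, every blanked position (read off the
    software wallet and compared with the device), then the last `tail` characters."""
    if len(shown) != len(device_address):
        return False
    if shown[0] != device_address[0] or shown[-tail:] != device_address[-tail:]:
        return False
    return all(shown[p] == device_address[p] for p in positions)


if __name__ == "__main__":
    blanks = (12, 20, 29)  # hypothetical blanked positions, chosen inside the middle
    print("device shows:", mask_positions(GENUINE, blanks))
    print("skim-read accepts poisoned address:", ends_match(POISONED, GENUINE))
    print("masked check accepts poisoned address:", masked_check(POISONED, GENUINE, blanks))
    # Blanks that fall inside the matched prefix do not catch it, which is why the
    # comment recommends full character-by-character verification for large amounts.
    print("masked check with blanks at 4,5,6:", masked_check(POISONED, GENUINE, (4, 5, 6)))
```

Running it shows the poisoned string passing the ends-only check but failing once any blanked position lands in the unmatched middle.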