Malicious Smart Contracts
It seems like every time a new token, dApp and free claim is announced, lots of people are automatically suspicious, assume it could be scam that drains their wallets if they interact with it and want the founders to prove it’s legit ASAP.
Now, there’s a point to be made: while 99% of contracts aren’t malicious, or at least effective at stealing coins from your wallet unless you really go out of your way to send them money, there is <= 1% of them that are malicious and can get your coins if you don’t look for phishy signs, ignore warnings and just keep clicking buttons “because moon maybe”. If you can read code and learn some basics in Solidity, then you can verify for yourself usually in a few minutes if the claim or mint functions, for example, are up to something obviously malicious (or not!). But if you’re just an end user with no dev experience, there’s still many things you can do to check and try to protect yourself from malicious contracts.
For starters, Etherscan does flag them when they have reports or otherwise information about bad activity going on, such as with the UniswapLP malicious contract, but oftentimes it’s too late like with everything else.
Warning! There are reports that this contract was used in a Phishing scam. Please exercise caution when interacting with this contract .
But what other signs can we look for to identify malicious contracts, phishing or otherwise signal that its a setup? Let’s dive in!
What does the Badness look and feel like?
There are many different ways that bad actors abuse various contracts and features in the crypto and DeFi ecosystem. This article can be used as a reference point for understanding them at a high-level, but we’ll dive a little deeper into a few of the more interesting attack scenarios.
Approval contracts
These let you grant access to others for certain tokens you own
May also manifest in the form of “sign this transaction” where you are tricked to Permit a malicious contract to spend unlimited USDC or otherwise
Ice phishing is where the attacker swaps the legitimate spender address for their own, so you approve them to spend your coins instead of the legit contract
OpenSea users were affected by this phishing and approval attack
“.... you’ll see that the website URL you’re signing with is uniswap.org on the left, and unLswap.org on the right. If you didn’t catch that easily-overlooked detail and signed the contract, sorry, but you just lost all of the USDC in your wallet.”
ERC-20 Honeypot
Smart contracts / tokens that look vulnerable to being exploited to try and trick would-be attackers into sending funds to it, but only the contract creator can access the funds
May also refer to tokens that “cannot be sold”, see notes on sell limits on tokens a little further down
“Send me 1 ETH and I’ll send you 2 ETH back” says the honeypot contract, but the code only appears to work this way, in reality it does not fulfill this promise
There’s some great resources where you can deep dive into honeypots such as this video and this demo video (for educational purposes) which is fascinating
See this code from the referenced conference video and their tool to detect honeypots
Liquidity Pool Rug-pulls
Malicious LP makes some tokens, provides liquidity and once it meets a threshold as enough people have bought in, sells it down and removes liquidity
See this article on How Liquidity Pools Work
Deposit contracts / “Front runner bot”
These are scams that ask you to fund a contract that will go make good trades for you, but in reality whatever you send to the contract will just be sent to the scammer’s address
Couple good references to look into these are here and here, but most have been removed from youtube (but not vimeo!) and github already, so the code is harder to get a hold of to study and learn the bad patterns
This recent scam has even been pointed out by Richard Heart himself, warning people that this content is marketing itself as a legitimate, harmless tutorial for how to make a bot, but actually just lures you into sending them a bunch of Ethereum, as you can see ~5m mark, “you can fund the trac by however much Ether you want, but the more you put in the more transactions you’ll be able to front run and the more profit you’ll be able to make“…. clever, but nasty.
Limits on selling the token
Code contains limits on which addresses can sell the token or a huge fee placed on any sells orders (which of course goes to the bad actor) OR it blacklists common DEXes like Uniswap or PancakeSwap so you can’t sell it on there
See this article and also this one for more info and again this demo video
Frontend Compromised (interacting with a malicious dApp)
This could occur through someone actually hacking the server and inserting malicious code in the website OR via DNS Hijacking or DNS Cache Poisioning (sometimes called in the modern day DNS Spoofing)
The Curve.Fi “hack” this year appears to be an attack poisioning DNS records and making the website point to a malicious website clone where users then interact with a malicious dApp
See this article for details and Protections sections below for ways to protect yourself and this video
Most of the time, the attack isn’t just one piece. Outside of crypto, an example would be phishing. Sending an email that you believe to be legit isn’t enough. Phishing isn’t where you open an email and you’re hacked, that’s an actual exploit and one of that magnitude is extremely rare in the modern day. It takes reconnaissance on an organization or target person or even stealing or using data leaks to get the email addresses of people that would be relevant targets for such a campaign in the first place. So in crypto, a phishing attack may be combined with asking the user to, once they believe its a real email from OpenSea for example, they interact with a bad contract or reconfigure their Metamask in a way that enables funds to be stolen or locked in some way.
Whenever you are doing a Metamask transaction, getting prompted for an approval or otherwise doing anything in a browser with crypto, read what it says and ask yourself if it makes sense. When in doubt, simply reject the transaction, go research more about what you’re being asked to do or participate in and then decide to go forward or not. Don’t be paralyzed into never doing free claims, but also don’t just be flippant with your virtual bank account.
This is an excellent resource for even more crypto security things to be aware of.
How to protect yourself
Don’t fall for emails or messages asking you to update your password, send your coins somewhere or links to websites that ask you to approve Metamask transactions
Companies rarely (if ever) ask you to do anything with your account or funds and they’ll probably never message you on social media or Telegram
Just don’t click on links from emails at all and you’ll probably get along just fine online
Check the contract address that Metamask shows you with the legit contract address shown on Etherscan and make sure they are the same
You could have went on a scam page or get a prompt that looks nearly identical to the real contract to interact with, but double check and see
This article is an oldie but a good resource for some common attacks on MM
If Metamask tells you, “Signing this message can be dangerous” then double check the contract address with the legit one on Etherscan, the website address to see if it looks fake and be very careful!
See this reference for more details
If you’ve already given approval for the dApp and it’s asking for the same approval again, recheck the contract address to make sure you’re talking to the legit dApp BEFORE you accept the approval request
If there’s a red notification, broken lock or otherwise warning on your browser when you visit a website (frontend) that hosts a dApp or any application related to crypto
Use TokenSniffer
You can use an online security service to check a contract and see if it passes “the smell test” for security issues or obvious scam code
https://tokensniffer.com
https://tokensniffer.com/tokens/scam
Use a hardware wallet like Ledger or Trezor
If nothing else, the side benefit you give yourself is that you need to go find it and plug it in before you can make transactions (don’t misuse it and leave it always plugged in!) and that may psychologically increase the barrier of entry to falling for scams and cause you to think twice before approving transactions
Make sure you’re running the legit version of Metamask
Only download and install MM from the official Chrome or Firefox extension and add-on website and never from a developer website, github, etc
See this article for how to compare the real vs fake MM versions
Chrome -> nkbihfbeogaeaoehlefnkodbefgpgknn
Firefox -> ether-metamask
Same advice goes for your mobile app… you know what, just don’t do crypto on your phone if you don’t have to (really)
Read the whitepaper (if it has one) and the code (if you can)
If it doesn’t have one and you haven’t verified the code yourself, be careful
If the contract lets you mint your own coins, take a look at the function that you run to mint your coins and see if it looks like it’s doing anything tricky
A lot of mint functions simply check if your address is eligible to mint coins, if it already has or not, based of criteria X or Y and then mints your coins which appear in your wallet afterwards (might have to add the token to your MM before you see them though)
Look for crazy promises of yield by giving your keys to third parties
Check how much liquidity there is and if it is locked
You can go to Etherscan’s token tracker page for a coin -> Holders and look for the contract symbol and “Uniswap V3: PAIR-PAIR” to check liquidity
If the liquidity isn’t locked, it’s not an instant red flag, but it can be more reassuring when it is
See this article for more info
“What does locked LP tokens really mean? It means that the tokens are stored in a lock (for example DXlock, Unicrypt and many more) which is a smart contract that doesn’t let you withdraw the LP tokens after a certain timeframe decided by the token founder the time the LP tokens are getting locked in it. You can lock LP tokens for any time between a day and 900+ years.”
Don’t just blindly follow tutorials on the internet
As the Front Runner bot scam video we discussed looked very professionally done and easy to follow, along with tons of likes and comments (they probably deleted a lot of the negative ones of people trying to warn you), anything that asks you to send an Ethereum address coins “to make profit” is 99.9% of the time a scam
Keep your browser up to date
Might be the most important thing, boring compared to everything else it has but seriously high ROI since when you get successfully attacked, its often because you clicked through a bunch of prompts and ignored the phishy warning signs or were running an old browser with plenty of exploitable vulnerabilities in it
Think you might have interacted with badness?
Use revoke.cash to remove any allowances for the dApp and see the free claim security guide for more info
A Long Conclusion
Try and not yell so loudly at new projects on twitter about proving they aren’t a scam upfront. Sure, constructive criticism is healthy, but doing your own research, following those who know more of the technical side and have looked at the contract, while still maintaining a skeptical, protecting-your-keys yet optimistic view of free claims and new tokens in crypto will go a long way. There are projects, especially in the RH ecosystem, that really seem to want to give back and provide value as much as they can on their way to making their product come to life. Don’t be naive, but always be thankful for free money and the hard work from others that made it possible for you to have.
You don’t have to use their dApp to free claim or interact with the project’s contract. We covered going over contract’s code and how to manually free claim coins via Etherscan on the channel here.
We didn’t really touch on bugs in smart contracts themselves or any of the tools, such as teEther that have been written to demonstrate how exploits can be automatically generated for certain kinds of bugs. These bugs are usually not intentional (that’d be sneaky) and take the devs of the project themselves by surprise, especially when people audit them after they are released and find ways to exploit them. This is why audits BEFORE launch are so important: it gives the devs time to review and fix any bugs found and can save everybody literally a bunch of money down the road when somebody inevitably takes a closer look at the code. You don’t want that to be the first time a fresh set of eyes looked at it and helped you fix the bugs.
As far as keeping yourself safe, it’s just a really hard problem for tech companies in particular to solve: how can we tell a legit email from a scam, good data from bad, a harmful link from a link that the user needs to click on to get their work done? They’ve tried to use reputation systems, whitelisting/blacklisting, machine learning and so on, but there’s an infinite number of patterns out there and we’re almost just one clever trick removed from bypassing yet another filter trying to let legitimate messages through to us and keep malicious ones away. Being your own bank means taking care of your own security!
