CertiK outlines three crypto exploits targeting DeFi users


A report published on January 11 details the most common honeypot schemes in DeFi and how to identify them through block explorers.

Blockchain security firm CertiK listed three common ‘honeypot’ schemes created by exploiters to steal users’ crypto in decentralized finance (DeFi) in a report titled ‘Honeypot Scams’ published on January 11.

Honeypots are deceptive schemes targeting crypto investors and often lure victims with the promise of lucrative returns, only to trap their funds through different mechanisms. The alluring price charts with continuous green candles influence investors’ fear of missing out (FOMO), leading to impulsive buying. Once bought, these tokens become illiquid due to specific mechanisms preventing their sale.

The first mechanism, which CertiK labels ‘The Blacklist’, prevents users from selling the scam tokens through a lock written into the smart contract. The report gives as its example the ‘_snapshot list’ and ‘_snapshotApplied’ functions, which control whether users can move tokens: both must be set to ‘True’ in the smart contract, otherwise the user is blocked from transferring funds, which in practice acts as a ‘blacklist’.

Image: Example of a ‘blacklist’ piece of code inserted into a smart contract. Image: CertiK

Although a blacklist can be spotted by inspecting the smart contract, CertiK highlights that some blacklists are cleverly concealed within seemingly legitimate functions, trapping unwary investors.

‘Balance Change’ is another common honeypot mechanism applied by scammers. This technique alters a user’s token balance to a nominal amount set by the scammer, and the altered balance is readable only by the smart contract’s own logic.

This means that block explorers like Etherscan won’t update the balance, so the user cannot see that their holdings were cut to a fraction of what was bought, usually to just one token.

Image: Example of a ‘balance change’ piece of code inserted into a smart contract. Image: CertiK

The last common tactic used by exploiters on DeFi projects’ smart contracts is the ‘Minimum Sell Amount’. Although the contract allows users to sell their tokens, they can only do so when selling above an unattainable threshold, effectively locking up their funds.

In this case, the user wouldn’t be able to sell even if the wallet holds more tokens than the threshold. This is because the amount returned by the ‘infosum’ function used in this technique is added on top of the amount the user is trying to sell.

As an example, if a user buys 35,000 tokens from a project whose smart contract sets the selling threshold to 34,000 using the ‘infosum’ function, the sale wouldn’t succeed. That’s because the user would have to sell 35,000 tokens plus the 34,000 set by the contract. In other words, the requirement for 34,000 extra tokens can never be met.

Image: Example of a ‘Minimum Sell Amount’ piece of code inserted into a smart contract. Image: CertiK
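All three mechanisms share one observable symptom: a wallet can buy the token but cannot sell it back, and in the ‘balance change’ case the balance the contract acts on differs from the one an explorer displays. The Python below is an added illustration, not code from CertiK’s report or from any contract it shows. ToyToken, round_trip_check and the probe wallet are assumptions: the class is an in-memory stand-in for an ERC-20 contract, and a real check would run the same buy-then-sell round trip as a dry-run call against a forked chain state. The min_sell field models the ‘Minimum Sell Amount’ rule with the article’s 35,000 / 34,000 numbers, treating the ‘infosum’ value as both the floor a sale must reach and the surcharge added on top of it.

```python
"""Round-trip (buy, then try to sell) honeypot check on a toy token model."""
from dataclasses import dataclass, field


@dataclass
class ToyToken:
    """Minimal token; the three honeypot-style switches are all off by default."""
    # Public ledger: what a block explorer would display via balanceOf().
    balances: dict = field(default_factory=dict)
    # Addresses whose sells are silently refused (the 'blacklist' mechanism).
    blacklist: set = field(default_factory=set)
    # Contract-internal balance that overrides the public one ('balance change');
    # explorers never see it.
    hidden_balance: dict = field(default_factory=dict)
    # 'Minimum sell amount': the sale must reach this value AND it is added on
    # top of the amount when checking the balance (role the article gives 'infosum').
    min_sell: int = 0

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def _effective_balance(self, who):
        # The hidden override, when present, is what the contract really uses.
        return self.hidden_balance.get(who, self.balance_of(who))

    def buy(self, who, amount):
        # Buying always succeeds; that is what keeps the chart green.
        self.balances[who] = self.balance_of(who) + amount

    def can_sell(self, who, amount):
        """Pure predicate: would the contract accept selling `amount`?"""
        if amount <= 0 or who in self.blacklist:
            return False
        if amount < self.min_sell:
            return False
        return self._effective_balance(who) >= amount + self.min_sell

    def sell(self, who, amount):
        if not self.can_sell(who, amount):
            return False
        self.balances[who] = self.balance_of(who) - amount
        return True


def round_trip_check(token, wallet="probe", amount=1000):
    """Buy `amount`, then test whether the whole position, or even one token, can be sold."""
    token.buy(wallet, amount)
    shown = token.balance_of(wallet)          # what an explorer would report
    full = token.can_sell(wallet, shown)
    smallest = token.can_sell(wallet, 1)
    if full:
        verdict = "ok"
    elif smallest:
        verdict = f"suspicious: explorer shows {shown} but only part can be sold"
    else:
        verdict = f"possible honeypot: bought {shown}, cannot sell any"
    return {"explorer_balance": shown, "full_sell": full,
            "partial_sell": smallest, "verdict": verdict}


if __name__ == "__main__":
    # Constructed scenarios mirroring the article's three mechanisms.
    print("legit     ", round_trip_check(ToyToken()))
    print("blacklist ", round_trip_check(ToyToken(blacklist={"probe"})))
    print("balance   ", round_trip_check(ToyToken(hidden_balance={"probe": 1})))
    print("min sell  ", round_trip_check(ToyToken(min_sell=34_000), amount=35_000))
```

The ‘minimum sell’ scenario shows why the article’s example can never clear: selling must be at least 34,000 tokens, yet the balance check demands that amount plus another 34,000, which a 35,000-token wallet cannot satisfy for any sale size. The ‘balance change’ scenario shows the mismatch a round-trip probe surfaces that a balance lookup alone does not: the explorer reports 1,000 tokens while the contract will only ever let one leave.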

The impact of honeypots

On top of the technical side of honeypot scams, exploiters also add a social layer to the scheme, mimicking reputable crypto projects to deceive investors. Moreover, bad actors have devised a way to automate the creation of honeypots. CertiK’s report mentions a wallet responsible for creating scam contracts every 30 minutes over two months. In total, 979 contracts connected to this service were identified.

If an average of $60 was stolen per contract, which is a fairly small amount compared to larger scams in DeFi, approximately $59,000 would have been taken from users over two months. According to CertiK, this makes “vigilance and education” an urgent matter in DeFi.
