Smart contract honeypot analysis
Do you want to spot a honeypot in Solidity contract code? Here we describe some of the common honeypot types that appeared on the Base network in July and August 2024.
What is a honeypot?
Losing money is very easy; just buy a honeypot token.
A honeypot is a type of crypto scam in which a scammer deploys a token whose smart contract contains malicious code. The malicious part of the code prevents you from selling the token.
Here is how to lose money in 5 simple steps (don't follow it):
You see a cool meme coin and buy it on Uniswap with $100 worth of ethereum.
The next day, you watch the price go up, and you are happy: your initial buy is now worth $300. Hooray!
You decide to cash out the $300 worth of tokens for a solid 3X on your initial investment.
You go to the Uniswap DEX and click "swap" to convert the tokens back to WETH (sell).
The swap fails: the sell transaction reverts, and you are stuck with the tokens.
What happened is that you bought a honeypot token, and you cannot sell it. Eventually, the tokens become worthless. You can also try to transfer the tokens to another one of your wallets, but in most cases that fails as well.
Usually, we use external tools (GoPlus, Honeypot.is, QuillCheck, ...) to detect whether a token is a honeypot. These tools simulate buying and selling the token, so if the token can be sold in the simulation, it technically is not a honeypot. But scammers are getting creative, and sometimes even online honeypot checkers have a hard time detecting one.
Buying and selling tokens
Each token on an EVM chain (Ethereum, Base, BSC, ...) is a piece of code, usually written in Solidity, that determines its functionality (the piece of code is called a smart contract). A smart contract with honeypot code allows you to buy the token and later prevents you from selling it. While you can't sell the tokens, the scammer can.
That's why we need to inspect the selling part of the code. In the honeypot smart contracts we analyzed, buying and selling were performed within the _transfer(from, to, value) function.
For example, first look at a normal _transfer() function, which looks something like this:
This function does not have any suspicious lines of code. There are some basic checks before the transfer executes, and the balances of the sender (from) and receiver (to) are updated, which is normal behavior when buying or selling tokens. (Keep in mind that in this case the _transferAllowed function does not contain malicious code, but a scammer could change it in a new token they deploy.)
The following examples are just a few of many honeypot types. If you know some Solidity and look at the code by clicking the token link, you will see that some of it is very suspicious-looking. Sometimes you just have to ask yourself, "Why is this piece of code here? Does it make sense for a regular ERC20 token?"
In all the cases we investigated, the token smart contract performed calls to external smart contracts, and in each case the scammer tried to obfuscate the address of the externally called contract. The external smart contract determines who can sell the token, and once you buy the token, the scammer's automated bot blacklists you.
The most common way scammers run a honeypot scam:
The scammer obfuscates the external contract address in the token smart contract when deploying it.
You buy the token. During the token contract's checks, the hidden external contract is called and allows the buy. Your buy transaction is recorded on the blockchain.
The scammer's bot detects your buy transaction and, within the next few blocks, blacklists your address on the external contract. That is also how they avoid detection by automated honeypot simulators: a simulation runs the buy and the sell against a single chain state, so it does not account for a transaction on some other contract, sent between your buy and your sell, that changes the token contract's behavior.
Now, when you try to sell, the token contract's checks call the external contract, which makes your sell transaction revert.
Example: _msgData()
Token: $BAR
As we said, the sell function is affected when honeypot code is in the smart contract. The _transfer function is used to buy and sell the token.
If we inspect the code of this token, it seems normal in general, but there are two red flags. The first is require(IERC20(_msgData()).transferFrom(from, to, value)) in the _transfer function, which is an external call to another smart contract. The second is weird assembly code with a big number in the _msgData() function.
This is where the honeypot happens. The scammer masks the external contract address using _msgData() and the big numbers present in the _msgData() function. (In OpenZeppelin's Context, _msgData() simply returns msg.data; a version that produces an address is a giveaway.)
Here the transferFrom(from, to, value) call on the external contract prevents you from selling the token: the external contract's response fails the require check, and the whole transaction reverts.
And here is the obfuscated external smart contract address:
If you convert the big number 101355749273665307024799333139364640399729048302 to hexadecimal, you get the address of the smart contract that is being called, 0x11c0F2f0BC83aF3e70B601b522d9214571073aEE. On the external contract, you can see somebody performing unknown transactions. These are the transactions that blacklist you.
Example: misspelled words
Token: $RACE
This example works like the previous one. The core is the same: calling an external smart contract to see if you are blacklisted from selling the token.
But this time the scammers are sneakier; they blend their malicious code in so that inexperienced eyes can miss it.
Here we again have the _transfer function:
This time, the function looks normal at first glance, with no external calls. But there is a strangely misspelled function call, decreasAlllowance(sender, recipient). Even spelled correctly it would be suspicious: a plain ERC20 _transfer has no reason to touch allowances.
Now, if we check the called function decreasAllowance:
The IERC20 interface is modified so that an all0wance(owner, spender) function is inserted, also misspelled: the letter "o" has been replaced with the digit zero. Again, this function performs a call to an external contract.
The variable __decimals carries a hidden external smart contract address that is set at contract creation. Note that __decimals has one more underscore than the ERC20 standard _decimals. Big red flags.
Example: logging function
Token: $HITMAN
This token has a somewhat more complex _transfer function, and it looks pretty normal at a quick glance (despite some renamed functions and some additional checks for swapping).
The scam happens in log(from, to, amount). Again, there is an external call, save(from, to, amount), that checks whether you are blacklisted. The log function comes with a complementary logger() function that again obfuscates an external smart contract address with a big number.
Scammers are sneaky.
How not to lose money (at least not by buying honeypots):
Check the token's security metrics on Blokiment's token detail view.
Before buying a token, manually check its smart contract code. If it contains code that does not make sense, has misspelled functions, or makes an external call from its transfer logic, run away.
Use external tools (GoPlus, Honeypot.is, QuillCheck, ...) to detect whether a token is a honeypot, keeping in mind that a simulation cannot see a blacklist transaction that lands after your buy.
Check the token's socials for comments from other buyers.
Choose tokens with audited smart contracts: go for tokens whose contracts have been reviewed by well-known third-party firms that specialize in spotting hidden flaws or harmful code.
Make a small buy and sell before investing bigger amounts, but remember that a successful test sell is no guarantee, since the blacklist can be applied after it.
Check our Crypto Security Tips.