# Smart contract honeypot analysis ## What is a honeypot? :honey\_pot: Losing money is very easy; just buy a honeypot token 🍯 {% hint style="info" %} Honeypot is a type of crypto scam where a scammer deploys a token on a blockchain with malicious code within the smart contract of a token. The malicious part of the code prevents you from selling the token. {% endhint %} Here is how to lose money in 5 simple steps (don't follow it): 1. You see a cool meme coin and buy it on Uniswap with $100 worth of ethereum. 2. The next day, you watch the price go up, and you are happy—your initial buy of the tokens is now worth $300. Hooray! 3. You decide to cash out the $300 worth of tokens for a good 3X on your initial investment. 4. You go to a Uniswap DEX and click “swap” to convert the tokens back to WETH (sell). 5. Unable to swap, the sell transaction reverted... you are now stuck with the tokens. 😔😔 What happened here is that you bought a honeypot token, but you cannot sell it. Eventually, the tokens will become worthless. You can also try to transfer the tokens to another one of your wallets, but you will see that in most cases, even if that fails. Usually, we use external tools to detect if a token is a honeypot ([GoPlus](https://gopluslabs.io/token-security), [Honeypot.is](https://honeypot.is/), [QuillCheck](https://check.quillai.network/),...). These tools simulate buying and selling the token, so if you can sell the token in simulation, then technically, it is not a honeypot. But scammers are getting creative, and sometimes, even online honeypot checking tools have a hard time detecting if a token is a honeypot. ## Buying and selling tokens 💸 Each token on ERC20 chains (Ethereum, Base, BSC, ...) is a piece of code in the Solidity programming language that determines its functionality (the piece of code is called a smart contract). A smart contract with a honeypot code allows you to buy the token and later prevents you from selling it. While you can’t sell the tokens, the scammer can. That’s why we need to inspect the selling functionality part of the code. Buying and selling were performed within the `_transfer(from, to, value)` function in the honeypot smart contracts we analyzed. For example, first look at the normal `_transfer()` function that looks something like this:

This function does not have any suspicious lines of code. There are some basic checks for the code to execute the transfer. The balances of the sender (from) and receiver (to) are affected, which is normal behavior when buying or selling tokens. (Keep in mind that in this case the `_transferAllowed` function does not have malicious code in it, but potentially, some scammers might change the code for a new token they deploy). The following examples are just one of many honeypot types. If you know some Solidity programming language and look at the code by clicking the token link, you will see that some are very suspicious-looking. Sometimes, you just have to ask yourself, “Why is this piece of code here? Does it make sense for a regular ERC20 token?” In all the cases we investigated, the token smart contract performed calls to external smart contracts. In each case, the scammer tried to obfuscate the address of an externally called smart contract. The external smart contract determines who can sell the token, and once you buy the token, automatized bot from scammers blacklists you. Most common way of scammers performing a honeypot scam: 1. Scammers somehow obfuscate external contract addresses in the smart contract when deploying it. 2. You buy the token. When the token contract performs checks, the external hidden contract is called, allowing you to buy it. Your buy transaction is recorded on the blockchain. 3. The scammer bot detects that you have made a buy transaction of their token. And within the next few blocks, it blacklists you on the external token contract. That is also how they avoid being detected by the automatic honeypot simulator tools. When you are simulating the transactions, you don't consider if anyone is making a transaction on some other external smart contracts that might affect the original token smart contract. 4. Now, when you try to sell, during the checks in the token smart contract, the external smart contract is called, and it reverses your sell transaction. ## Example: \_msgData() Token: [$BAR](https://basescan.org/address/0xf2C6cC38727d013C2342AAB68Dcc7baBA0CDa971#code) As we said, the sell function is affected when the honeypot code is in the smart contract. The `_transfer` function is used to buy and sell the token. If we inspect the code of this token, it would seem normal in general. But there are two red flags. 1. `require(IERC20(_msgData()).transferFrom(from, to, value))` in the `_transfer` function, which is an external call to another smart contract. 2. Weird assembly code with a big number in `_msgData()` function This is where the honeypot happens. The scammer is trying to mask the external contract address using the `_msgData()` and some big numbers that are present in the `_msgData()` function:

Example from 0xf2C6cC38727d013C2342AAB68Dcc7baBA0CDa971 (Base)

Here the `transferFrom(from, to, value)` call on the external contract prevents you from selling the token because this piece of code does not pass the “require” check. In the external contracts. And here is the obfuscated external smart contract address:

If you convert the big number `101355749273665307024799333139364640399729048302` to hexadecimal, you get the address of the smart contract that is being called [0x11c0F2f0BC83aF3e70B601b522d9214571073aEE](https://basescan.org/address/0x11c0F2f0BC83aF3e70B601b522d9214571073aEE). On the external contract, you can see that somebody is performing unknown transactions. These are the transactions that blacklist you. ## Example: misspelled words Token: [$RACE](https://basescan.org/address/0x5f5ecdfe8335f34ee1705614b6567765b2e4c517#code) This example performs similarly to the previous example. The core is the same “Calling an external smart contract to see if you are blacklisted for selling the token.” But this time, the scammers are more sneaky; they try to blend in their malicious code so that inexperienced eyes can miss it. Here we again have the `_transfer` function:

Example from 0x5f5eCdfE8335F34Ee1705614b6567765B2E4c517 (Base)

This time, the function looks normal on the first look, with no external calls. But in fact, you can see that there is a weird misspelled function called `decreasAlllowance(sender, recipient)`. Even if it is spelled correctly, it looks suspicious, but it's okay. Now, if we check the called function `decreasAllowance`:

The IERC20 interface is modified so that the `all0wance(owner, spender)` function is inserted. Which is also misspelled; it has replaced the letter “o” with the number zero “0”. Again, this function performs a call to an external contract. The variable `__decimals` carries a hidden external smart contract address that is set in the contract creation. I don't know if you have spotted it, but these `__decimals` have one more underline than the ERC20 standard `_decimals`. Big red flags. ## Example: logging function Token: [$HITMAN](https://basescan.org/address/0x6f0083e2fb1224545836c097b4f736ec0bd68c08#code) This token has a bit more complex `_transfer` function. And it looks pretty normal if you quickly look at it (despite having some functions renamed and some additional checks for swapping)

Example from 0x6f0083E2Fb1224545836C097B4F736Ec0Bd68C08 (Base)

The scam here happens in the `log(from, to, amount)`. Again, an external call on `save(from, to, amount)`. That checks if you are blacklisted. The log function comes with a complementary `logger()` function that again obfuscates an external smart contract address with a big number.

Scammers are sneaky. ## How not to lose money (at least not by buying honeypots): * Check the token's security metrics on Blokiment's token's detail view.

* Before buying a token, manually check its smart contract code. If it contains code that does not make sense, has misspelled functions, or clearly makes an external call, run away. * Use external tools to detect if a token is a honeypot ([GoPlus](https://gopluslabs.io/token-security), [Honeypot.is](https://honeypot.is/), [QuillCheck](https://check.quillai.network/),...). * Check the token socials for any comments from other buyers. * **Choose tokens with audited smart contracts**: Go for tokens whose smart contracts have passed checks by well-known third-party companies. These firms are pros at examining a contract’s safety and how it works, spotting hidden flaws or harmful code. * Try to make a buy and sell with a small amount of money before investing bigger amounts. * Check our [Crypto Security Tips](https://docs.blokiments.com/start-here/crypto-security-tips). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.blokiments.com/guides/blog/security/smart-contract-honeypot-analysis.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.