Analyzing Backdoors in scam token contracts | QuillAudits

Due to the rapid advancement of blockchain technologies and the digital economic system, cryptocurrencies have experienced substantial growth in recent years.

With the advancement in cryptocurrencies, there has been a rise in frauds and scams. Over the last few years, scams are becoming more prevalent and costly and scammers are constantly evolving their tactics. Only this month, approximately 23 million dollars have been lost due to exit scams and rug pulls.

Table of Contents:
1.
What are the backdoors in Scam Tokens?
2. How do scammers embed backdoors in contracts:
3. Some Real-World Case Studies
4. Safety tips for users/investors
5. References

What are the backdoors in Scam Tokens?

A decentralized exchange does not impose any restrictions on the listing of tokens i.e. anyone may freely list a token and establish a liquidity pool. Scammers can therefore exploit the chance to promote scam tokens in order to scam unsuspecting consumers.

As we all know, Smart contracts are programs stored on a blockchain that run when predetermined conditions are met. Scammers usually modify the smart contract functions to embed malicious code into the contracts. They will usually manipulate the tasks with the money transfer like preventing users from selling, increasing fee amount, etc., which will lock user money into a contract and they will easily run away with users'/investors’ funds.

How do scammers embed backdoors in contracts:

Now let’s see some examples of how hackers are building scam coins to fool you into buying them and then steal all your money. Most of the time these contracts are hidden and unverified so anyone couldn’t read them on-chain. The owner usually controls the most critical function related to money transfers of smart contracts:

1. Setting Maximum Fee on Buy and sell fees:

The scammers or developers of the project have access to set fees and if there is no upper bound set for fees, they can set the maximum fees for selling their token, which may be up to 100%. Imagine you have a token worth $500, and to sell those tokens you need to pay another $500.

Typically, the code doesn’t verify the maximum value while setting fees. Scammers usually lower the charge upon launching, then elevate it once users buy tokens to prevent token sales, and then dumps all the tokens for profit.

2. Blacklisting Users by owner

In this technique, After the investors or users invest in tokens, scammers usually blacklist the token holders to prevent them from further trading tokens. After blacklisting users cannot perform any buying or selling for that tokens. In this way the scammers effectively stoles funds from users.

3. Owner can Burn Tokens from anyone’s EOA

The owner or developer can also embed malicious code in the burn function that can allow the owner to burn tokens from anyone’s EOA. After users and investors purchase the fraudulent token, the owner can quickly burn all of their tokens to pump the token’s price and then simply drains the pool.

4. Owner can mint infinite tokens:

The Mint function is dangerous in ERC20-type tokens. The malicious owner can create infinite tokens and sell the new tokens for 100% of liquidity. Users and investors are thus left with practically worthless tokens.

5. Tokens don’t allow the buyer to resell and only the owner may sell

The Squid coin scam was a popular variation of this fraud recently. People would buy tokens for online games hoping to make some profit. But it was later found that users couldn’t sell their tokens. The Squid token’s value increased from one cent to almost $90 per token.
The token value then decreased to almost zero after the owner drained the pool.

6. Hiding Malicious Code with External Contract

Malicious code may be hidden by scammers in external contracts or libraries in order to mislead victims. Users may create a similar function looking legit which contains malicious code related to funding transfer or locking users’ funds into the contract.

Therefore, it is crucial to study and comprehend the code before making any financial transactions when interacting with smart contracts on the blockchain.

Some Real-World Case Studies :

1. DeFi Safe (dSafe token):

In this case, The owner blacklisted all token holder EOAs and then finally removes liquidity. Let’s analyze it further:
Contract Address: 0x761776f726168c9dF6dC63d5864880801E21F403

The owner controls the addToBlacklist function, which is a rug vector here:

The attacker first called addtoblacklist function and added the token holders to the blacklist. Then the attacker then simply removed the liquidity and gained around $127.5k.

2. Project GDS:

In this case, the owner increases the selling fees to prevent any users from selling the tokens. Let’s analyze it further:|
Contract Address: 0x7f19bF116B0F0a4af7d4464CbF584fE75a243fc9

Here, we can see that owners can set any fee they want, there isn’t any upper limit here:

The attacker called thesetFee function and sets _sellFee to 9900, which prevented users to withdraw their tokens and finally removed liquidity from the pool, and made profit of around $60,000.

3. Brise Token:

In this case, the owner of the contract could burn any user’s token from the wallet. Let's analyze it:
Contract Address: 0xb6c353d519d7721b18c813130625d04de4f53580

After the user bought the tokens, the owner quickly burned all of their tokens to pump the token’s price and then simply drained the pool.

A small challenge:

Spot the rug vector in the given contract and explain how the owner can rug the users. Comment with your answers in the comment section:

Safety tips for Users/Investors:

  1. Never invest in contracts that are not verified or hidden.
  2. Don’t Blindly follow any influencers.
  3. Do your research about the projects, founder, etc., and if you find any red flags, Don’t invest.
  4. Never invest in any project that lacks Security Audit.
  5. Always double-check any news related to tokens. Just by looking closely at it, you can figure out, to some extent, if it’s fake news.

References:

https://research.checkpoint.com
https://arxiv.org/pdf/2109.00229.pdf

Web3 security- Need of the hour

Why QuillAudits For Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :
Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Partner with QuillAudits :

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store