Lotus Market's review of scam functions in the Defi market. Part 1.
With the growing popularity of smart contracts and decentralized financial platforms DeFi, the blockchain sphere is becoming increasingly susceptible to scam schemes. Scam functions in smart contracts can take many forms, from false promises of high returns to hidden withdrawal mechanisms.
In this article, we will look at the main functions that are used to manage smart contracts, such as:
Let's analyze in detail the main dangers that users may face when interacting with a smart contract.
The Blacklist function in smart contracts is a mechanism that allows the contract owner or administrators to add addresses to a blacklist. A blacklisted address is barred from performing certain actions, such as selling tokens or calling certain functions of the contract.
The dangers of smart contracts with BlackList functions:
Smart contracts that include Blacklist functions carry certain risks and problems for both the project and its users. Here are some of the dangers associated with blacklist functions:
- Centralized Control: Blacklist functions often provide centralized control to the contract owner or administrators.
- Blacklist Abuse for Unfair Practices: Abusers (including the contract owner) may use the blacklist to target specific addresses. This may include freezing or restricting the functionality of accounts without good reason.
- Lack of transparency: The existence of blacklisting functions, especially if they are not documented, can lead to a lack of transparency. Users may not be aware of the blacklisting criteria or the blacklisting procedure.
- Security Risks: If BlackList is not implemented securely, there is a risk of vulnerabilities that could allow unauthorized persons to manipulate the blacklist, which could lead to unauthorized freezing or transfer of funds.
- User distrust: The existence of blacklist functions can undermine user trust as their assets can be blacklisted without clear rules.
- Token confiscation: Attackers can use a blacklist to confiscate tokens or assets from certain addresses without proper justification. This can result in significant financial losses.
The Proxy function is a mechanism that allows a smart contract to be accessed through another smart contract, called a "proxy contract". This makes it easier to manage the contract and update its logic without changing its address or redeploying the contract itself. The use of proxies carries certain risks.
Fraudsters often use schemes in proxy smart contracts to defraud users. In order to identify such threats, you need to understand the possible risks and be technically savvy.
The dangers of proxy smart contracts:
- Unauthorized Updates: Proxy contracts allow the owner to update the underlying contract. However, if this mechanism is not implemented securely, it can lead to unauthorized updates, allowing attackers to inject malicious code into the contract.
- Unvalidated external calls: Rogue programmers can make external calls to untrusted contracts without proper validation. This can lead to vulnerabilities, including reentrancy attacks, where a malicious contract repeatedly re-enters the proxied contract, potentially draining its funds.
- Lack of transparency: The source code of the management (implementation) contract behind the proxy is typically not verified.
- Fake projects: Fraudsters create fake projects promising attractive features such as high returns or unique functionality. They may use proxy contracts to create the appearance of legitimacy while hiding malicious intent.
- Ponzi schemes: Scammers build Ponzi schemes based on proxy contracts, luring users with promises of high returns. Such schemes may have updatable components to maintain the illusion of plausibility.
- Cloned contracts: Scammers clone legitimate projects and introduce vulnerabilities or changes to the cloned contract. Unsuspecting users can interact with such clones, mistaking them for the original.
The Pause function is a mechanism that allows contract owners to temporarily suspend (turn off) and resume (turn on) certain functions or features of the contract (such as trading, token transfers, etc.). This can be used to manage the state of the contract in certain situations or in response to changing market conditions, but in the hands of fraudsters this tool can pose a real threat to investors.
The dangers of smart contracts with Pause functions:
- Unauthorized Pause: Fraudsters can gain control of the Pause functions and stop the contract without proper authorization, which can cause business disruption or financial loss.
- Deceptive Delays: Malicious contracts can suspend critical transactions, such as withdrawals or transfers, under the guise of temporary maintenance or security measures, while intending to deny users access to their assets.
- False claims of emergencies: Fraudsters may falsely claim emergencies or vulnerabilities to justify a contract pause and then exploit user funds during the pause.
- Security Pretext: Malicious contracts may claim that a security vulnerability has been discovered as a reason to activate the pause function. In reality, fraudsters may intend to take advantage of the situation.
- Emergency Schemes: Fraudsters may use fear-inducing language or scenarios, such as claiming a "burglary attempt" or "emergency" to justify a pause during which they may commit illegal acts.
The AntiWhale function is used to impose limits on token sales to prevent mass withdrawals or the manipulation known as "waves": large volumes of transactions from individual participants that can affect token price and market liquidity. Limits can be set on the number of tokens in a single transaction or on the total number of tokens that can be sold in a given period of time.
The main purpose of the AntiWhale mechanism is to reduce the impact of large transactions from a single address or a small group of addresses, often referred to as "whales". It aims to prevent excessive concentration of tokens in the same hands and to combat possible manipulation or destabilization of the market.
AntiWhale mechanisms typically set limits on the size or value of individual transactions. Transactions exceeding a set threshold result in the imposition of restrictions such as transaction rejection, high fees, or other redistribution mechanisms.
Potential risks for token holders:
- Setting AntiWhale limits that are too strict can be a problem for users who have a need for large transactions.
- Over-reliance on the AntiWhale mechanism may inadvertently promote centralization if it is implemented without considering the broader ecosystem.
The Cooldown mechanism is designed to impose time limits between consecutive transactions from the same address. Its purpose is to regulate the frequency of transactions and prevent excessive buying or selling activity within short time intervals.
Cooldowns set waiting periods between transactions, often based on the time elapsed since the last transaction from a particular address. Users must wait for the cooldown period to expire before starting a new transaction.
Utilization of the Cooldown mechanism:
Fraudsters can use the Cooldown mechanism to defraud users by coming up with strategies that exploit the limitations. Let's take a look at the main risks that CoolDown poses to investors.
- Impact on liquidity: CoolDown may affect liquidity on decentralized exchanges by reducing the frequency of transactions. This could lead to an increase in bid-ask spreads and potentially affect the overall state of trading.
- Unintended Consequences: To avoid unintended consequences, CoolDown limits should be carefully calibrated. For example, cooldowns that are too short may fail to prevent manipulation, and cooldowns that are too long may block legitimate trading activity.
- ICO or token sale periods: During initial token offerings (ICOs) or token sale periods, restrictions may be imposed to prevent large participants from making multiple consecutive transactions.
- Whitelists or access levels: CoolDown can be used in conjunction with WhiteList addresses or tiered entitlement systems. For example, higher level users may have shorter waiting periods than all others.
Main differences between the functions AntiWhale and CoolDown
| Parameter | AntiWhale | Cooldown |
|---|---|---|
|  | Primarily affects users with high transaction volumes. | Applies to all users, regardless of transaction size. |
| Market dynamics | Focused on solving concentration problems. | Aimed at regulating the frequency of transactions. |
| Project objectives | The goal is to distribute tokens and ensure the stability of the market. | Primarily aimed at ensuring market stability and preventing rapid trading. |
Remember that scammers are constantly improving their tactics, so it is important to be informed and exercise caution - these are essential strategies to protect your token investment. If you encounter something suspicious or have any doubts, do not hesitate to contact us for help or consult with experts in the field.
The mint functions are typically used to create additional tokens in the system. This means that the contract owner can "print" (or "mint") new tokens, increasing the total number of tokens in circulation, thereby creating inflation and devaluing the token holders' assets. This function is often found in tokens created under the ERC-20 standard or other similar standards.
The dangers of smart contracts with minting functions
- Unauthorized minting: Scammers can create an unlimited number of tokens, diluting the value of existing tokens and causing inflation.
- Manipulating the supply: Fraudsters can manipulate the supply of tokens to deceive investors or give the impression that a project is more valuable than it actually is.
- False scarcity: Such projects may promise scarcity, but after the initial public offering use minting, diluting the value of the tokens and defrauding investors who were attracted by the scarcity.
- Inflationary rewards: Projects may claim to offer staking or dividend farming rewards, but mint additional tokens as "rewards," devaluing participants' holdings.
- Sudden Minting: Fraudsters can suddenly issue tokens without proper disclosure or governance, causing panic and loss of value for token holders.
The EnableTrading mechanism is used to control the ability to trade tokens. When this function is activated, users are able to buy and sell tokens on the market. If the function is disabled, the ability to trade is limited. Often, this mechanism is used to combat sniper bots, which is a legitimate use. However, scammers can also use the EnableTrading mechanism to manipulate commissions (Fee) and automatically block users (Blacklist).
The dangers of smart contracts with EnableTrading functions:
- Unauthorized Trade Activation: Fraudsters can manipulate the EnableTrading functions to allow trading or transfers (Transfer) without proper authorization. This can result in unauthorized trades or fraudulent transfers.
- False Activation Claims: Malicious contracts may falsely claim that certain conditions are met to activate a trade. In reality, the conditions may not be met, resulting in fraudulent trades or transfers.
- Delayed Activation: Malicious contracts may allow trading to be activated but with significant delays, leading users to believe that the trading function is temporarily disabled.
The use of Transfer Limits allows the contract owners to set limits on the trade/transfer of tokens (transfer) at their discretion. Scammers can use this mechanism for a scenario where a user can buy an unlimited number of tokens, but can sell only a small part of them (and not always, and with time delays). Therefore, it is very important to understand the structure of Transfer Limits on a case-by-case basis.
The dangers of smart contracts with TransferLimits functions:
- Smart contracts with transfer limits often impose restrictions on the number of tokens that can be transferred within a certain time or under certain conditions. While these functions may serve legitimate purposes, such as preventing large-scale token dumping or controlling the rate of transfer, they also carry potential risks.
- The main danger of such a scheme is that investors are attracted to buy tokens, but the sale may be significantly limited either by the number of tokens or be extremely unprofitable due to high commissions.
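An added example, not code from Lotus Market, that models the sell-side rules described in the AntiWhale, Cooldown and Transfer Limits sections and works out what it would take for a holder to exit a position under them. The parameter names (max_sell_per_tx, cooldown_seconds, sell_fee_bps) and the two constructed rule sets are assumptions for illustration, and price impact on the exchange is ignored.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SellRules:
    """Constructed model of the sell-side restrictions a token contract may impose."""
    max_sell_per_tx: int    # AntiWhale / transfer limit per sell transaction (0 = unlimited)
    cooldown_seconds: int   # Cooldown: minimum gap between sells from the same address
    sell_fee_bps: int       # fee charged on each sell, in basis points (10000 = 100%)
    can_sell: bool = True   # False when the address is blacklisted or trading is disabled

@dataclass(frozen=True)
class ExitPlan:
    sellable: bool
    transactions: int         # sells needed to liquidate the whole balance
    seconds_to_exit: int      # waiting time imposed by cooldowns
    net_tokens_received: int  # tokens that actually reach the seller, before price impact
    fee_tokens_lost: int      # tokens taken by sell fees

def plan_exit(balance: int, rules: SellRules) -> ExitPlan:
    """Work out what liquidating `balance` tokens costs under `rules`."""
    if balance <= 0:
        return ExitPlan(True, 0, 0, 0, 0)
    # A blacklisted address, disabled trading, or a 100% sell fee all mean no exit.
    if not rules.can_sell or rules.sell_fee_bps >= 10000:
        return ExitPlan(False, 0, 0, 0, 0)
    per_tx = balance if rules.max_sell_per_tx <= 0 else rules.max_sell_per_tx
    remaining, txs, fee = balance, 0, 0
    while remaining > 0:
        amount = min(per_tx, remaining)
        fee += amount * rules.sell_fee_bps // 10000  # fee rounded down per sell
        remaining -= amount
        txs += 1
    # The first sell goes through at once; every later one waits out a cooldown.
    return ExitPlan(True, txs, (txs - 1) * rules.cooldown_seconds, balance - fee, fee)

if __name__ == "__main__":
    holding = 1_000_000
    # Constructed parameter sets: a plain token vs. the buy-freely-sell-hardly pattern.
    fair = SellRules(max_sell_per_tx=0, cooldown_seconds=0, sell_fee_bps=300)
    trap = SellRules(max_sell_per_tx=1_000, cooldown_seconds=3600, sell_fee_bps=4500)
    for name, rules in (("fair", fair), ("trap", trap)):
        plan = plan_exit(holding, rules)
        print(f"{name}: {plan.transactions} sells, {plan.seconds_to_exit // 3600} h, "
              f"net {plan.net_tokens_received}, fees {plan.fee_tokens_lost}")
```

Under the constructed "trap" rules the same 1,000,000-token position needs 1,000 separate sells spread over roughly 150 days and loses 45% to fees, which is the "extremely unprofitable" exit the text warns about.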
To avoid getting scammed when choosing tokens, stick to the following rules:
- Analyze the code thoroughly.
The first and most important step in identifying threats is a detailed analysis of the smart contract code. It is necessary to scrutinize the code for suspicious, hidden, and potentially dangerous elements. This includes checking the logic of the contract, tracing the financial flows, and identifying possible points of vulnerability.
- Explore independent audits
Look for smart contracts that have been independently audited by reputable auditing firms. Professional auditors can identify potential threats and risks.
- Check the documentation
Review the documentation and contract comments for mention of the functions described above. The documentation should provide a clear and detailed description of the functions to be used.
- Check the transparency of the code
Ensure that the smart contract code is open to all users. Developers should provide details about their project, including code, audits, and contact information.
- Follow the feedback in the communities
Check community forums, social media, or official channels for discussions about the presence and use of suspicious functions. Users can provide valuable insights and concerns.
- Monitor project activity
Regularly monitor contract activity on the blockchain. Unusual or unexpected changes in fund transfer patterns or the lifting of restrictions on fund transfers without proper explanation may indicate a potential threat.
- Pay attention to the reputation of the project
Research the reputation of the project and its development team. Projects with a history of transparency, regular communication with the community, and a commitment to security tend to be more trustworthy.
- Stay up to date
Keep up to date with the latest developments in our community (Telegram channel) and best practices for fraud detection (our Blog and YouTube channel).
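As an added example for the "analyze the code thoroughly" step (not Lotus Market's tooling), here is a heuristic scan of verified Solidity source for the functions this article describes, run over a constructed sample contract. The identifier names in PATTERNS are assumptions about common naming, so a hit only tells you where to start reading.

```python
import re

# Heuristic signatures for the functions this article discusses. The identifiers are
# assumed common names; a contract may name them differently, so a hit is a lead, not proof.
PATTERNS = [
    ("Blacklist",      r"\b(blacklist|isBlacklisted|_isBlacklisted|blocked)\b"),
    ("Proxy/upgrade",  r"\b(delegatecall|upgradeTo|upgradeToAndCall|_implementation)\b"),
    ("Pause",          r"\b(pause|unpause|paused|whenNotPaused)\b"),
    ("AntiWhale",      r"\b(maxTxAmount|_maxTxAmount|maxWallet|maxTransactionAmount)\b"),
    ("Cooldown",       r"\b(cooldown|cooldownEnabled|_holderLastTransferTimestamp)\b"),
    ("Mint",           r"\bfunction\s+mint\s*\("),
    ("EnableTrading",  r"\b(tradingEnabled|enableTrading|tradingOpen|openTrading)\b"),
    ("TransferLimits", r"\b(maxSellAmount|sellLimit|_maxSell|maxSellTransactionAmount)\b"),
]

def scan_source(source: str) -> dict:
    """Map each matching label to the 1-based line numbers where it appears."""
    findings: dict = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # skip trailing line comments
        for label, pattern in PATTERNS:
            if re.search(pattern, code, re.IGNORECASE):
                findings.setdefault(label, []).append(lineno)
    return findings

def owner_gated_lines(source: str) -> list:
    """Flagged lines that also carry onlyOwner: the centralized-control points to review."""
    flagged = {n for lines in scan_source(source).values() for n in lines}
    return sorted(n for n, line in enumerate(source.splitlines(), start=1)
                  if n in flagged and "onlyOwner" in line)

# Constructed sample of verified-looking token source, not a real contract.
SAMPLE = """\
contract Token {
    mapping(address => bool) private _isBlacklisted;
    bool public tradingEnabled;
    function mint(address to, uint256 amount) external onlyOwner { _mint(to, amount); }
    function setBlacklist(address a, bool v) external onlyOwner { _isBlacklisted[a] = v; }
    function enableTrading() external onlyOwner { tradingEnabled = true; }
    function _transfer(address from, address to, uint256 amount) internal {
        require(!_isBlacklisted[from], "blocked"); // blacklist check applies to senders
        require(tradingEnabled || from == owner(), "trading not open");
    }
}
"""

if __name__ == "__main__":
    for label, lines in sorted(scan_source(SAMPLE).items()):
        print(f"{label:15} lines {lines}")
    print("owner-gated:", owner_gated_lines(SAMPLE))
```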
We have looked at the main functions that are used in smart contracts. Each function is a powerful tool for managing smart contracts, which is why it often involves certain risks for users.
DeFi programming and auditing skills are required to understand the possible vulnerabilities in each specific smart contract. Studying the code, auditing it in detail, examining each function, and regularly monitoring fresh fraud schemes will help you decide whether it is worth interacting with a smart contract.
Remember that safety is your priority!
If you have any doubts about the security of a smart contract you can always use our Lotus Market platform.
Lotus Market is a team of experienced developers and professional auditors at DeFi.
Sign up for a premium subscription and get access to exclusive filters on smart contract functions and fresh analytics. Increase your chances of successfully investing in profitable tokens!