Analise smart-contract
12.04.2024

Proxy detector description

We continue the series of articles devoted to describing fraudulent schemes in smart contracts. Today we will talk about smart contracts with proxy control (Proxy) feature.

Proxy smart contracts have gained popularity in the blockchain space due to their modernizability and flexibility. However, such contracts also carry great danger, especially when used by malicious users. Fraudsters often use deceptive schemes in proxy smart contracts to defraud users. To identify such threats, you need to understand the possible risks and be technically savvy.

Let's take a closer look at a description of the potential dangers, common deception schemes, and how to identify such threats in proxy smart contracts.

The dangers of proxy smart contracts:

  1. Unauthorized Update:
    Proxy contracts allow the owner to update the underlying contract. However, if this mechanism is not implemented securely, it can lead to unauthorized updates, allowing attackers to inject malicious code into the contract.

  2. Unchecked external calls:
    Rogue programmers can use external calls to untrusted contracts without proper verification. This can lead to vulnerabilities, including reentrancy attacks, where malicious contracts repeatedly call a proxy contract, which can deplete its funds.

  3. Lack of transparency:
    The source code of the management contract is usually not verified.

  4. Fake projects:
    Fraudsters create fake projects that promise attractive features such as high returns or unique functionality. They may use proxy contracts to create the appearance of legitimacy while hiding malicious intent.

  5. Ponzi schemes:
    Scammers build Ponzi schemes based on proxy contracts, luring users with promises of high returns. Such schemes may have updatable components to maintain the illusion of plausibility.

  6. Cloned contracts:
    Fraudsters clone legitimate projects and introduce vulnerabilities or changes to the cloned contract. Unsuspecting users can interact with such clones, mistaking them for the original.

How can you independently determine if such threats are present in smart contracts?

It is worth noting that if the target code of a smart contract contains a reference to an external contract (Proxy), then in almost 100% of cases this Proxy contract will be with hidden source code. In this case, the external control contract can perform absolutely any actions with the target contract (for example: changing user balances, enabling and disabling trading, starting emission, etc.).

Therefore, it is worth understanding that working with a Proxy smart contract is a game of roulette in the truest sense of the word (the casino always wins).

Finding Proxy invocations in a smart contract is easy enough. And, as we said earlier, the implementation of malicious functions is in the control contract - with the target smart contract appearing "white and fluffy" (i.e., it is generally free of any methods that might raise suspicion).

If you want to determine for yourself whether Proxy features are present in smart contracts, the following tips will be helpful.

  • Conduct a contract audit: Before working with any smart contract, review its source code and functionality. Pay attention to the existence of well-documented update processes, access control mechanisms, and project transparency.

  • Ensure that the smart contract has undergone an external security audit by reputable companies. The audit report can provide insight into potential vulnerabilities.

  • Research the project development team. Transparent and trustworthy teams are less likely to engage in fraud.

  • Consult the project's community and get feedback from other users who have experience with the contract. Scammers often avoid public discussion.

  • When working with contracts, use well-known wallet programs and tools that provide additional security and transaction protection features.

  • Be careful when dealing with new and unproven contracts, especially those that promise high returns or exhibit unusual behavior.

  • If something in the contract seems too good to be true or is suspicious, trust your intuition and avoid it.

  • Keep up to date with the latest developments in our community (Telegram channel) and best practices for fraud detection (our Blog and YouTube channel).

 

Lotus Market's security scanner finds all common (including hidden) external control (Proxy) features. Use our premium subscription and protect your funds from threats.

 

 

The following are examples of common red flags and suspicious patterns that you should look for when examining smart contracts to identify potentially malicious functionality. It's important to understand these signs to protect yourself and others from potential fraud. Let's look at some code pattern variations and tips to help you identify suspicious functionality in a smart contract:

 

The main rule is that if a contract code contains a call of Call, CallCode or DelegateCall functions, it means that the contract calls to external code and passes control of its data to it.

tips around proxy

Let's take a look at the main examples of using Proxy contracts.

1. Uninitialized storage variables.

One of the most common vulnerabilities in proxy contracts is the misuse of storage variables. When a proxy contract is used with DelegateCall to call functions on an implementation contract, the proxy contract's storage variables are modified. However, if the proxy contract storage has uninitialized values or default values, this can lead to unexpected behavior.


    contract Implementation {
        address public owner;

        constructor() {
            owner = msg.sender;
        }
    }

In this example, if the owner variable in the Proxy contract is uninitialized, calling owner() on the proxy contract will return the owner variable of the implementation contract, which may not be what the user expects.

2. Unverified external calls.

Fraudulent contracts can use external calls to untrusted contracts without proper checks. If a proxy contract directly or indirectly invokes a malicious contract via DelegateCall, the malicious contract can perform arbitrary actions, including reentrancy attacks, without proper safeguards.


    contract Proxy {
        function execute(address target, bytes memory data) external {
            target.delegatecall(data);
        }
    }

If a user sends an arbitrary contract and malicious data as a target address, it may result in unauthorized actions being performed on behalf of the user.

3. Improper access control.

Fraudulent contracts may have inappropriate access controls, allowing unauthorized users to perform administrative functions. When using a proxy contract, it should be carefully controlled who has permission to update the implementation contract. Failure to do so may result in unauthorized changes to the behavior of the contract.


    contract Proxy {
        address public owner;
        address public implementation;
                                        
        function upgrade(address newImplementation) external {
            require(msg.sender == owner, "Only the owner can upgrade.");
            implementation = newImplementation;
        }
    }

In this example, if the owner address is not properly controlled or there are no checks on who can invoke the update function, unauthorized parties can change the implementation to a malicious contract.

4. Versioning and management risks.

Proxy contracts often use versioning and management mechanisms to update the contract logic. If these mechanisms are not implemented securely, they can become vulnerable to attack or manipulation by malicious parties.


    contract Proxy {
        address public owner;
        address public implementation;
        address public pendingImplementation;
            
        function upgrade(address newImplementation) external {
            require(msg.sender == owner, "Only the owner can upgrade.");
            pendingImplementation = newImplementation;
        }
        function claimUpgrade() external {
            require(msg.sender == owner, "Only the owner can claim the upgrade.");
            implementation = pendingImplementation;
        }
    }

In this case, the attacker can offer a new "clean" contract and then immediately make updates, effectively putting their malicious code into operation.

tips around proxy

What should I pay attention to when studying Proxy contracts and what threats do they pose?

  1. Unauthorized transfer of funds:
    One of the most common ways fraudsters steal money is by transferring funds by the contract holder to themselves or another address without authorization.

  2. Hidden "backdoors":
    Fraudsters may hide malicious code behind obfuscated or misleading feature names, making it difficult for users to detect their true intentions. Unclear or misleading function names. Conditional operators granting special privileges to certain addresses.

  3. Fake tokens and exchanges:
    Scammers often create fake tokens or fake exchange platforms to trick users into transferring their assets to a malicious contract. Pay attention to token contracts whose behavior is suspicious, such as minting unlimited tokens or accepting unauthorized transfers.

  4. Unauthorized issuance or ownership transfer functions:
    An external contract can change the token holder or trigger a new issue, causing price inflation.

  5. Misleading documentation or comments inconsistent with code behavior:
    Fraudsters may provide misleading or inaccurate documentation or comments in their code to mislead users about the true functionality of the contract. Always cross-check documentation with actual code behavior.

  6. Lack of safety inspections:
    Beware of contracts that lack proper security checks, access controls, or fail to implement protections against common vulnerabilities such as reentrancy. When considering a smart contract, always scrutinize the code, look for well-documented and transparent designs, check external security audits, and study community feedback. In addition, be cautious when interacting with contracts that exhibit any of these attributes, as they may be designed to steal funds or perform other malicious activities.

  7. Complex conditional expressions:
    Fraudsters may use complex conditional expressions or logic that is difficult to follow, making it difficult to understand the true functionality of the contract. Look for unnecessarily convoluted code: overly complex or unclear logic, and terms and conditions that are irrelevant to the purpose of the contract.

  8. Unclear patterns of management and ownership (Ownership):
    Fraudsters often use proxy contracts with unclear governance mechanisms or hidden ownership structures, making it difficult for users to determine who controls the contract.

  9. Imitation of known projects:
    Scammers often create contracts that mimic the functionality or appearance of known, legitimate projects. Always check the authenticity of the project and make sure it is not a fake. Pay attention to minor differences in names, logos or branding. Projects that claim to be official but lack proper validation.

  10. Hasty or anonymous deployment:
    Fraudsters may deploy contracts hastily, without clear identification and with minimal information about the project or its developers. Pay attention to contracts deployed without due diligence and planning, released by an unknown team.

  11. Lack of public verification or audit:
    If the contract does not offer public source code review or has not undergone a third-party security audit, you should approach it with extreme caution.

  12. Unusual or hidden data storage:
    Fraudsters may use unconventional or stealthy data storage schemes to mask malicious functionality. Note that data may be stored in unexpected places within the contract.

  13. Counterfeit liquidity pools:
    In the case of DeFi projects, be wary of liquidity pools promising high returns. Fraudsters may create fake pools to attract liquidity and then exploit users. Inconsistently high revenues from liquidity provision. Lack of transparency and documentation of the pool's operating mechanism.

tips around proxy

To protect against such vulnerabilities, contracts using proxy templates and DelegateCall should be carefully reviewed and audited, access control mechanisms should be implemented, and external calls should be secured. Users should exercise caution when interacting with contracts, especially those with complex update mechanisms, and should always perform due diligence before interacting with a smart contract on the blockchain.

In the rapidly evolving world of Blockchain, it is imperative to remain vigilant and informed to protect yourself and your assets from potential fraudulent schemes and vulnerabilities related to proxy contracts and DelegateCall features.

 

We hope that this information has helped you to better understand managed (Proxy) smart contract schemes.

 

Since all information in the blockchain is open (provided, of course, that the source code of the contract is verified), armed with this knowledge you can independently study smart contracts and identify various scam schemes.

However, we've already done it all for you! Sign up for a premium subscription and get access to exclusive filters on smart contracts features and fresh analytics. Increase your chances of successfully investing in profitable tokens.

Regards, Lotus Market team.

All posts