Unveiling Honeypot Scams

GoPlus Security
5 min readAug 29, 2023

Dive into token code and safeguard Web3 security

Preface

If you’re a user in decentralized platforms, the concept of a “Honeypot scam” won’t be foreign to you. Even if you haven’t heard this term before, you’ve likely encountered such fraudulent activities.

“Honeypot” is actually an analogy that essentially refers to deliberately luring others into a trap. In the case of Honeypot tokens, various illusions (such as extremely high liquidity and price increases) are created to entice investors to purchase the tokens. However, after they make the purchase, they realize that due to the deployment of malicious code in the contract, they can’t sell these tokens at all. This is the Honeypot scam.

In a bid to exploit their users, Honeypot schemes often continuously update and iterate contract code. They employ increasingly intricate implementation logic to mask their true motives, aiming to either evade the vigilance of security mechanisms or heighten the analytical complexity for security experts.

Characteristics of Honeypot Scam Attacks

Data from GoPlus reveals that the total number of Honeypot tokens in the crypto market saw a substantial increase in 2022, with 64,661 newly introduced Honeypot tokens. This marks an impressive growth of 83.39% compared to the same period in 2021. Among these, 92.8% of Honeypot tokens originated from the BNB Chain, while 6.6% came from Ethereum. These two blockchains also stand out as among the most active and populated networks in terms of tokens.

One of the contributing factors to the steep rise in Honeypot tokens can be attributed to the impact of the FTX incident at the end of 2022. A significant number of users transferred their digital assets from centralized exchanges to decentralized wallets, resulting in a surge of on-chain active users. Consequently, attackers became more active as well. According to data, within just one week of the FTX incident, over 120 new Honeypot attack methods emerged, marking a six-fold increase in attack frequency.

Beyond the absolute increase in numbers, the characteristics of Honeypot tokens have become more diverse and intricate. Analyzing security data from the past year, GoPlus has observed that Honeypot token attacks have evolved to become increasingly difficult to detect and more covert. In general, they exhibit the following key features:

  1. Code Obfuscation: By reducing code readability, introducing irrelevant logic, or confusing invocation relationships, attackers create complex implementation logic to increase the analysis difficulty for security engines.
  2. Forging Well-Known Contracts: These types of attack contracts impersonate reputable project contracts by using fake contract names and implementing processes, misleading the engine and thereby increasing the likelihood of misidentifying risks.
  3. Employing Concealed Trigger Mechanisms: These attack contracts bury trigger conditions deep within, often concealing them within user transaction behaviors. They might also utilize complex manipulation of transaction behavior, such as nesting multiple layers of conditional checks before invoking actions like halting transactions, inflating supply, or transferring assets. This enables real-time modification of contract states and facilitates the theft of user assets.
  4. Falsifying Transaction Data: To make transactions appear more genuine, attackers might randomly trigger actions like airdrops or wash trading. This serves a dual purpose: to entice more users and to make the transaction behavior seem more natural.

Case Analysis

This token is issued on the ETH Mainnet, with the contract address: 0x43571a39f5f7799607075883d9ccD10427AF69Be.

After analyzing the contract code, it can be observed that this contract attempts to implement a “transfer blacklist mechanism” for holder account addresses. If the transfer address is on the blacklist, the transfer transaction will fail. This is a typical Honeypot token mechanism that ultimately prevents holders from selling their assets.

However, for the majority of users, they may not have the ability to read and analyze code, making it challenging to identify these security risks through code auditing. This article lists the mainstream tools available on the market for analyzing fraud risks in EVM smart contracts. If you wish to evaluate the fraud risk associated with smart contracts that have already been deployed, you can use the following tools, with the contract address mentioned above serving as an illustration:

GoPlus Security

  1. Open the GoPlus website and select the blockchain network, such as the Ethereum Mainnet or other Layer2 networks.

2. Enter the contract address you want to query, and click the “Check” button to obtain information about the contract’s risks. The query result displays that there is a risk warning listed under “Honeypot Risk,” indicating that the contract has a transfer blacklist in place.

Token Sniffer

  1. Open Token Sniffer, enter the contract address you want to query, and select the corresponding contract from the search results.

2. Subsequently, the risk query result is displayed. We can see that in the “Swap Analysis” section, this contract did not pass this test, indicating that the contract itself carries Honeypot risk.

Using the aforementioned analysis tools, users can quickly identify the fraud risks in smart contracts and analyze the dangers. Once the risk of Honeypots is detected, it is strongly recommended to refrain from participating in order to prevent falling prey to contracts of this nature.

Conclusion

As hackers continually evolve their attack strategies, security defense becomes an increasingly challenging task. As blockchain users, when facing Honeypot scams, we need to pay attention to the following points:

  • It’s crucial to thoroughly understand the true nature of the tokens, including their liquidity, price trends, and more before purchasing tokens.
  • Carefully examine the token contract code to check for malicious code or any anomalies. If you don’t have the coding skills, you can use tools or visit reputable market websites to assess the risk associated with the token contract.
  • Do not easily trust so-called airdrops or “pump and dump” schemes, as these are often part of scams.
  • Avoid purchasing tokens on unknown exchanges or wallets; opt for reputable exchanges or wallets instead.

Learning about crypto security should remain an ongoing process. Only through this can one effectively tackle the challenges posed by the emerging and evolving security risks.

--

--

GoPlus Security

Empowering a #SaferWeb3 with user-driven, open access security solutions. Championing user education for a fortified front against adversaries.