GoPlus Security Deep Dive: On How We Discovered Over Half a Million Risky Tokens on Five Ethereum L2 Chains

GoPlus Security
10 min read · Jun 14, 2024

13.6 Million Users have been affected over the last three Quarters

Introduction

With the rapid development of Web3, more and more retail investors are entering the space. Among the areas of on-chain investment, meme tokens are among the most beloved and attractive investment vehicles. Meme tokens have characteristics such as fast issuance, high volatility, and anonymity of issuers. However, a large number of scammers have exploited this meme token frenzy and, under the guise of meme tokens, carried out large-scale on-chain scams against users. These criminals use the characteristics of smart contracts to design various risky tokens, deceive users into investing, and then illegally profit by triggering code backdoors and other methods.

These risky tokens usually have the following characteristics: contract creators have unlimited issuance rights, users can only buy but cannot sell, malicious blacklist and whitelist settings are present, the transaction tax can be maliciously tampered with, etc. Once users buy these tokens, they are likely to suffer financial losses that cannot be recovered. To deal with the increasingly serious risk of fraud, it is particularly important to identify and warn of risky tokens. This article analyzes the status quo of risky tokens on five popular Ethereum Layer-2 networks (Base, Arbitrum, Optimism, Blast, Mantle) over the past three quarters, based on the GoPlus Security API and real on-chain data, in the hope of providing references and warnings for the majority of users.

Methodology

Data Source

The GoPlus Security API is an open, license-free Web3.0 security data API service provided by the GoPlus team for a wide range of Web3.0 developers and end users. This service not only provides security guarantees for professional developers in the technical field, but also pays more attention to the security needs of consumer (C-end) users, aiming to build a safer and more trustworthy Web3.0 ecosystem.

  • Data on each chain, mainly counted and queried through DUNE

Analysis Method

We scanned a total of 564,180 Suspected Risky Tokens on the top 5 L2 Chains based on the GoPlus Security API (called by products integrated with the GoPlus Security API).

We used DUNE to perform data analysis and visualization on the aforementioned risky tokens, and created an open-source dashboard, showing three data indicators:

  1. The number of unique traders involved in suspected risky tokens
  2. The transaction amount involved in suspected risky tokens
  3. All suspected risky token contract addresses

The sample period of the data in this article is within the past three quarters. Specifically, it is from August 1, 2023 to May 24, 2024. Since Blast was launched in March 2024, its sample period starts from March 2024, but some of its on-chain ERC20 tokens were issued in February 2024.

Risky Token Definition

The definition of Suspected Risky Token in this article mainly comes from Token Risk Classification (TRC). The detailed definition of each condition below can be found in TRC. In this article, any smart contract that meets at least one of the following conditions is considered a suspected risky token.

  • Honeypot (TRC-001): The token has a “honeypot” mechanism, where users can buy but cannot sell
  • OwnershipRetrieval (TRC-003): The token ownership can be maliciously retrieved
  • AntiWhale (TRC-014): The token contract can restrict transactions by large holders, and specific users may be unable to cash out freely
  • TransferPausable (TRC-011): Token transfers can be paused, and user funds may be maliciously frozen
  • SlippageModification (TRC-010): The token contract can arbitrarily modify slippage, and users may suffer unpredictable losses
  • BlacklistFunction (TRC-008): The token contract can set a blacklist, and specific users may be unable to transfer freely
  • WhitelistFunction (TRC-013): The token contract can set a whitelist, and specific users may be unable to transfer freely
  • TradingCooldown (TRC-016): The token contract can set a trading cooldown period, and users may be unable to conduct transactions in a timely manner
  • SelfDestruction (TRC-006): The token contract can self-destruct, and the tokens held by users may suddenly disappear
  • ExternalCall (TRC-007): The token contract can call external contracts, posing the risk of malicious exploitation
  • PersonalSlippageModification (TRC-012): The slippage for specific users can be modified, and targeted users may suffer directed losses
  • AntiWhaleModification (TRC-015): The transaction restrictions for large holders can be modified, posing the risk of further harming the interests of specific users
  • BalanceManipulation (TRC-004): The token balance can be arbitrarily modified, and the number of tokens held by users may suddenly change
  • HiddenOwnership (TRC-005): The identity of the token owner is hidden, making it difficult to track the responsible party
  • FullSaleRestriction (TRC-009): The token contract can fully restrict selling, and holders may be unable to cash out on time
  • FullBuyRestriction: The token contract can fully restrict buying, and holders may be unable to cash out on time
  • NotOpenSource: The token contract code is not open-source
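The rule above (any one condition is enough) and the per-chain indicators from the Analysis Method section can be sketched as follows. This is an added example, not GoPlus's code or its Dune queries: the flag names, the `"0"`/`"1"` string values and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
# Condition on the page -> (flag name, value that triggers it). Flag names are assumptions.
CONDITIONS = {
    "Honeypot (TRC-001)": ("is_honeypot", "1"),
    "OwnershipRetrieval (TRC-003)": ("can_take_back_ownership", "1"),
    "AntiWhale (TRC-014)": ("is_anti_whale", "1"),
    "TransferPausable (TRC-011)": ("transfer_pausable", "1"),
    "SlippageModification (TRC-010)": ("slippage_modifiable", "1"),
    "BlacklistFunction (TRC-008)": ("is_blacklisted", "1"),
    "WhitelistFunction (TRC-013)": ("is_whitelisted", "1"),
    "TradingCooldown (TRC-016)": ("trading_cooldown", "1"),
    "SelfDestruction (TRC-006)": ("selfdestruct", "1"),
    "ExternalCall (TRC-007)": ("external_call", "1"),
    "PersonalSlippageModification (TRC-012)": ("personal_slippage_modifiable", "1"),
    "AntiWhaleModification (TRC-015)": ("anti_whale_modifiable", "1"),
    "BalanceManipulation (TRC-004)": ("owner_change_balance", "1"),
    "HiddenOwnership (TRC-005)": ("hidden_owner", "1"),
    "FullSaleRestriction (TRC-009)": ("cannot_sell_all", "1"),
    "FullBuyRestriction": ("cannot_buy", "1"),
    "NotOpenSource": ("is_open_source", "0"),  # inverted: met when the source is NOT open
}

def triggered(flags):
    # Conditions a scan result meets; a flag that is absent never matches.
    return [name for name, (key, bad) in CONDITIONS.items() if str(flags.get(key, "")) == bad]

def summarize(scans, trades):
    # Per chain: new tokens, suspected risky tokens, risky share (%), unique traders of risky tokens.
    stats = defaultdict(lambda: {"tokens": 0, "risky": 0, "traders": set()})
    risky = set()
    for chain, token, flags in scans:
        stats[chain]["tokens"] += 1
        if triggered(flags):  # any single condition marks the token as suspected risky
            stats[chain]["risky"] += 1
            risky.add((chain, token.lower()))  # addresses compared case-insensitively
    for chain, token, trader in trades:
        if (chain, token.lower()) in risky:
            stats[chain]["traders"].add(trader.lower())
    return {c: {"tokens": s["tokens"], "risky": s["risky"], "unique_traders": len(s["traders"]),
                "share": round(100 * s["risky"] / s["tokens"], 1)} for c, s in stats.items()}

# Constructed sample data (not real tokens or traders).
SCANS = [("base", "0xAAA1", {"is_open_source": "1", "is_honeypot": "1", "is_blacklisted": "1"}),
         ("base", "0xAAA2", {"is_open_source": "1", "is_honeypot": "0"}),
         ("base", "0xAAA3", {"is_open_source": "0"}),  # unverified source: other flags absent
         ("mantle", "0xBBB1", {"is_open_source": "1", "trading_cooldown": "0"})]
TRADES = [("base", "0xaaa1", "0xT1"), ("base", "0xAAA1", "0xt1"), ("base", "0xAAA3", "0xT2"),
          ("base", "0xAAA2", "0xT3"), ("mantle", "0xBBB1", "0xT4")]
if __name__ == "__main__": print(summarize(SCANS, TRADES))
```

Because `NotOpenSource` alone qualifies a token, the suspected-risky share measured this way includes every unverified contract, which is worth keeping in mind when reading the per-chain percentages.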

BASE

Number of new tokens on BASE and the number of newly suspected risky tokens

In the past three quarters, a total of 573,484 ERC20 tokens have been added to BASE, of which 381,790 new suspected scam ERC20 tokens have been scanned, accounting for about 66.6%! More than half of the newly issued ERC20 tokens on BASE are suspected to be risky tokens.

The number of new ERC20 tokens on BASE first decreased and then increased very significantly. Since March 2024, the number of new ERC20 tokens on BASE has increased significantly. In April 2024, the number of new ERC20 tokens on BASE reached 240,000.

The number of new suspected scam ERC20 tokens on BASE is highly positively correlated with the number of new ERC20 tokens, and the trends of the two are similar.

Number of user addresses involved in suspected risky tokens on Base

Before March 2024, the number of addresses involved in suspected risky tokens on BASE was relatively stable, approximately in the range of 230,000–300,000. But overall, the number of addresses involved in suspected risky tokens on BASE shows an upward trend, slowly increasing from 287,000 in August 2023 to 372,000 in February 2024. Since then, there has been a sharp peak, reaching 1.135 million in March 2024 and 1.994 million in April 2024. Although it dropped to 1.301 million in May 2024, it was still much higher than in the same period in 2023. As time goes by, the risk of scams faced by users on BASE is also increasing.

Arbitrum

Number of new tokens on Arbitrum and the number of newly suspected risky tokens

In the past three quarters, a total of 95,203 ERC20 tokens have been added to Arbitrum, of which 85,633 new suspected scam ERC20 tokens have been scanned, accounting for about 89.9%!

The number of new ERC20 tokens on Arbitrum is relatively stable, with a slight upward trend, from 8,520 added in August 2023 to 12,349 added in April 2024.

As with BASE, the number of newly suspected risky tokens on Arbitrum is highly positively correlated with the number of new ERC20 tokens, with the trends being consistent.

Number of user addresses involved in suspected risky tokens on Arbitrum

The number of addresses involved in suspected risky tokens on Arbitrum shows a clear upward trend. During the period from March to May 2024, the number increased significantly. The number of addresses involved in suspected risky tokens on Arbitrum has increased from 36,000 in August 2023 to 3.78 million in May 2024; an increase of about 105x!

In May 2024, the suspected risky tokens on Arbitrum affected 3.78 million users, posing a serious threat to the safety of user assets.

Optimism

Number of new tokens on Optimism and the number of newly suspected risky tokens

In the past three quarters, a total of 73,737 ERC20 tokens have been added to Optimism, of which 70,089 new suspected scam ERC20 tokens have been scanned, accounting for about 95%! That is, in the past three quarters, about 95% of the newly added ERC20 tokens on Optimism are suspected risky tokens!

The number of new ERC20 tokens on Optimism is also highly positively correlated with the number of new suspected scam ERC20 tokens.

The number of new ERC20 tokens first increased and then decreased. The chains discussed earlier saw a significant increase in new ERC20 tokens during the cryptocurrency bull market from March to May 2024, while the number of new ERC20 tokens on Optimism is relatively small: the monthly growth is about 4,500 ERC20 tokens.

Number of user addresses involved in suspected risky tokens on Optimism

The number of addresses involved in suspected risky tokens on Optimism is significantly lower than on the previous two chains. Before March 2024, the number fluctuated relatively little. Between March and May 2024, the number of addresses involved in suspected risky tokens on Optimism increased significantly.

The number of new suspected scam ERC20 tokens on Optimism was relatively small from March to May 2024, but the number of addresses involved in suspected risky tokens increased significantly during this period. This may be because existing suspected risky tokens affected a large number of users during the cryptocurrency bull market, or because a small number of suspected risky tokens added during this period affected a large number of users.

Blast

Number of new tokens on Blast and the number of newly suspected risky tokens

Blast was launched in March 2024, but transactions were already being conducted on its chain in February 2024, so data is only available from February to May 2024.

In the past three quarters, a total of 13,859 ERC20 tokens have been added to Blast, of which 12,608 new suspected scam ERC20 tokens have been scanned, accounting for about 91%.

The number of new ERC20 tokens on Blast is decreasing. After Blast was launched in March 2024, a large number of ERC20 tokens were added quickly, and then the number of new tokens gradually decreased. Among them, about 91% of the new ERC20 tokens are suspected to be risky tokens.

Number of user addresses involved in suspected risky tokens on Blast

After Blast was launched in March 2024, the user growth was rapid, and the on-chain transactions were active. Data shows that in March 2024, the number of addresses involved in suspicious scam contracts on Blast reached 642,000, close to the 663,000 on Optimism, indicating that transactions on suspected risky tokens on Blast were very active. As an emerging L2 chain, the fraud problem on Blast is emerging and requires close attention.

Mantle

Number of new tokens on Mantle and the number of newly suspected risky tokens

In the past three quarters, a total of 5,645 ERC20 tokens have been added to Mantle, of which 3,801 new suspected scam ERC20 tokens have been scanned, accounting for about 67.3%.

Both the number of new ERC20 tokens and the number of newly suspected scam ERC20 tokens on Mantle are decreasing.

The number of new suspected risky tokens on Mantle is the least among the five chains.

Number of user addresses involved in suspected risky tokens on Mantle

The number of addresses involved in suspected risky tokens on Mantle is generally lower, even lower than on the newly launched Blast. However, data shows that this indicator has an overall upward trend, rising from 1,519 to about 54,000, an increase of more than 35 times, so the scam problem on Mantle is definitely worth noting.

Don’t trust, verify (by GoPlus)

In summary, the frantic rise in the number of addresses involved in suspected risky tokens across various Layer-2 Ethereum networks highlights a growing concern for investors and users. The data clearly shows that as the popularity of these networks increases, so does the risk of encountering scams, particularly with meme tokens. This trend is evident across all analyzed networks, including Base, Arbitrum, Optimism, Blast, and Mantle.

While Mantle has the lowest number of user addresses involved in these risky tokens, the sharp increase from 1,519 to about 54,000 addresses indicates a significant rise in scam activity that demands attention. As the whole space continues to evolve, we all need to remain vigilant and take proactive steps to safeguard against these threats. It’s a forever game of chess with malicious actors. Checkmate is always around the corner, so learn how to play the game.