Honeypot attacks increased 6-fold in the past week, targeting new users of decentralized exchange
As a result of the FTX incident, a large number of users have recently transferred their digital assets from centralized exchanges to decentralized wallets, resulting in a surge of active users on the chain. The number of DEX users and transaction volume have both reached six-month highs.
Meanwhile, Honeypot attackers have also been active. As of November 21, 2022, GoPlus Security detected more than 120 new attack methods in the past week, and the number of attacks has increased six-fold. These data suggest that the recent increase in the number of users on the chain has been accompanied by more active attackers. New users who have just arrived in the decentralized “dark forest” lack security awareness in the unfamiliar environment and don’t know about common attack methods. The attackers repeatedly succeeded.
GoPlus Security’s analysis shows that with strengthened contract attacks and defenses, Honeypot’s new attack methods are becoming more complex and dynamic. We have reviewed several common attack methods:
1. Confusing the code
It increases invalid logic or confusing calls through reduced code readability, and increases the difficulty of security engine analysis through complex implementation logic.
2. Forging well-known contracts
By forging the attack contract into the contract of a well-known project, the engine is misled by a forged contract name and contract implementation process, so that the probability of misjudgment will be increased.
3. Hidden triggers
The trigger conditions are hidden in the user’s trading behavior, which is further complicated. Only by nesting several layers of judgment conditions can risk behaviors such as trading interruption, mint, or transfer be triggered, so as to achieve the purpose of modifying the contract status in real-time and stealing the user’s assets.
4. Forging transaction data
In order to make the transaction look more real, the attacker will also trigger random actions such as airdrops to attract more users to trade and to make the transaction look more natural.
In this example, the attacker uses a variety of methods to disguise his attack intent, ultimately achieving two main goals:
1. Trading suspension
The lpTotalSupply returned by line 241 cannot be reduced, otherwise the require judgment of line 245 will not be satisfied, resulting in transaction failure and realizing the purpose of transaction suspension.
_uniswapV2Pair is not necessarily a Uniswap Pair contract. It could also be another contract that implements the totalSupply method deployed by the project owner. As long as the return value of this method is less than the value of the last transaction (removeLiquidity or other methods to change this value), the transaction can be suspended.
2. Mint before transfer
Suppose the judgment condition of line 257 is satisfied that from is a specific address and amount is greater than totalSupply. In that case, a balance greater than totalSupply will be added to from without any reason, to achieve the result of mint before transfer.
GoPlus Security reminds users that Honeypot attacks often include front-loading scenarios that can get users hooked through wallet airdrops, posting transaction data on market websites, disseminating false information in communities or attempting to contact well-known projects. Rampant market panic, incorrect information, and distorted user operations will give attackers more opportunities to take advantage. GoPlus Security will monitor the attackers in real time and report new attack methods promptly.
GoPlus Security API provides real-time and accurate Honeypot identification. Users can use the security detection function in GoPlus partner products to access real-time security data updated by GoPlus to avoid risks.
1. TokenPocket — Built-in Token security detection and contract approval security detection functions.
2. ONTO Wallet — Built-in Token security detection function.
3. HyperPay — Built-in Token security detection function.
4. BitKeep — Built-in Token security detection function.
Mask Network — Available for queries of Token and NFT security information, also with the function of contract approval security detection.
AVE — Available for queries of Token security information.
ApeSpace — Available for queries of Token security information.
GoPlusEco — Allows you to directly enter security related questions and search for solutions.