The Qatar World Cup is coming, watch out for scams while enjoying the last performance of the football superstars

GoPlus Security
8 min read · Nov 21, 2022


I. Crypto scams related to the World Cup are increasing rapidly

The 2022 Qatar World Cup is just around the corner, and it is highly likely that this will be the last World Cup for Messi, Ronaldo, Benzema, Modric, Lewandowski and other players. With the “last battle of the gods” approaching, various blockchain scams related to the World Cup are emerging.

According to the data from GoPlus Token Detection Engine, in the last week alone, there were more than 1,000 risky tokens with “FIFA” or “World Cup” in their names, involving more than 160,000 addresses. The cumulative liquidity was more than $5 million.

The following table contains some of the main risk types.

At the same time, various NFTs related to the World Cup are also emerging, including a large number of NFTs with serious risks. Therefore, while enjoying the World Cup, we should not be relaxed about risks associated with topical tokens and NFT projects, and use easy security detection tools properly to protect our crypto assets.

II. Introduction of Token risks users may encounter

There are many kinds of token risks, and it’s possible that there will be a concentrated outbreak during the World Cup. Here are some major and serious risks.

1. Honeypot Tokens

These are tokens that contain explicitly malicious code that prevents users from trading or causes loss of assets.

For example, the token below (BNB Chain, 0xaf25a7336f4984976febc5c0bca62caeb57b4a97) has malicious code.

As shown above, all relevant functions in the contract code are implemented through external contracts, e.g. the balance of all holders is stored in an external contract. This means that as soon as this external contract is replaced with a new one, the balance of all holders will be directly cleared. This is malicious code with serious risks.

2. Self-destructible tokens

Contract self-destruction means that the contract can be destroyed; after destruction it no longer exists, and neither do the assets it accounted for.

To put it simply, the contract is gone. If the contract is gone, the corresponding Token is gone too, and the user's corresponding assets disappear with it.

And according to statistics, tokens that carry a self-destruct function eventually have that function activated.

For example, the Token below (Ethereum, 0xc1f5ba8bab3ca299f9817876a6715627f9e2b11a) has a self-destruct function.

As shown above, once the “kill” function in the code is activated, the contract will self-destruct and its Token will disappear.

3. Owner can modify the balance

That is, the token contract contains a function that allows the owner address to modify the token balance of another address without the permission of that (victim) address.

For example, the following Token (BSC chain, 0xf3f064ed4848345dd7505915c3d43c238831f1a2) has this problem: the owner address can modify the balance of other addresses.

The main defective code is shown above, where the owner address can assign the token balance of “address from” directly to the address in “address[]” without permission.

III. Introduction of NFT risks users may encounter

In addition to Tokens, NFTs also carry various security risks. According to statistics from security institutions, many NFTs have security risks at the contract level (the table below lists several common and more serious NFT risks):

And NFTs are easy to fake, so World Cup related NFT scams are likely to grow rapidly.

Here are some very serious NFT contract risks.

1. Restricted approvals resulting in the inability to trade

This means that no address other than those on the whitelist can grant a contract approval. Since decentralized NFT trading platforms require contract approval, users will not be able to trade the NFT on decentralized exchanges.

In this kind of scam, project owners normally use whitelisted addresses to fake transaction data; when users see normal-looking transaction records for the NFT on the exchange, they assume it can be traded. But when they try to sell after buying, it turns out that the transaction cannot be made.

Typical example: https://etherscan.io/address/0xfad931e00b22eb97680776245ca3856ebcd5ff9f#code

In the case above, the code of this NFT contract requires that the approved object is not a contract. As trading on OpenSea requires approval to a contract, this NFT cannot be traded there.

The code is shown in the picture below.

In the picture above, only addresses in the “_addressTransferToContract” list can successfully approve (i.e. only whitelisted addresses can approve); addresses not in the list will fail when they try to give approval to a contract.
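As an added example (not part of the original post, and not GoPlus's detection engine), the following Python script is a small heuristic scanner that looks, in Solidity source text, for the four contract-level patterns described in sections II.1 to II.3 and III.1: a balanceOf that is answered by a swappable external contract, a selfdestruct path, an owner-only function that overwrites other holders' balances, and an approve/setApprovalForAll gated on a whitelist or a "not a contract" check. The contract source it scans is constructed for the example and is not any of the addresses cited above; the regexes are a first-pass triage aid, not a compiler, so they can miss obfuscated code and will also flag legitimate owner-only minting that assigns into the balance mapping.

```python
import re
from dataclasses import dataclass


@dataclass
class Function:
    name: str
    header: str  # parameters and modifiers: everything between the name and the body
    body: str    # brace-balanced body text


def extract_functions(source: str) -> list[Function]:
    """Pull `function name(...) ... { body }` units out of Solidity source.
    Comments and string literals are not handled: this is a triage heuristic,
    not a compiler front-end."""
    funcs = []
    for m in re.finditer(r'\bfunction\s+(\w+)\s*\(', source):
        brace = source.find('{', m.end())
        if brace == -1:
            break
        header = source[m.end():brace]
        if ';' in header:  # interface/abstract declaration without a body of its own
            continue
        depth, j = 0, brace
        while j < len(source):
            if source[j] == '{':
                depth += 1
            elif source[j] == '}':
                depth -= 1
                if depth == 0:
                    break
            j += 1
        funcs.append(Function(m.group(1), header, source[brace + 1:j]))
    return funcs


OWNER_GUARD = re.compile(r'\bonlyOwner\b|msg\.sender\s*==\s*_?owner\b')
SELF_DESTRUCT = re.compile(r'\b(selfdestruct|suicide)\s*\(')
# direct assignment into a balance mapping: `_balances[x] = ...` (not `+=`, `-=` or `==`)
BALANCE_WRITE = re.compile(r'\b(?:_?balances|balanceOf)\s*\[\s*([\w.\[\]]+)\s*\]\s*=[^=]')
# approval gated on a whitelist lookup of the spender/operator, or on "must not be a contract"
APPROVAL_GATE = re.compile(r'isContract\(|extcodesize|\.code\.length|\w+\[\s*(?:to|operator|spender)\s*\]')


def scan_source(source: str) -> dict[str, list[str]]:
    """Return {risk_name: [evidence, ...]} for the contract-level risks discussed in the post."""
    funcs = extract_functions(source)
    findings: dict[str, list[str]] = {}

    def add(risk: str, evidence: str) -> None:
        findings.setdefault(risk, []).append(evidence)

    for f in funcs:
        owner_only = bool(OWNER_GUARD.search(f.header) or OWNER_GUARD.search(f.body))
        # II.2: any code path that can destroy the contract (and the token with it)
        if SELF_DESTRUCT.search(f.body):
            add('selfdestruct', f.name)
        # II.3: owner-gated function that overwrites a balance slot other than the caller's
        if owner_only:
            for w in BALANCE_WRITE.finditer(f.body):
                if w.group(1) != 'msg.sender':
                    add('owner_change_balance', f.name)
                    break
        # II.1: balanceOf answered by another contract whose address can be swapped later
        if f.name == 'balanceOf':
            callee = re.search(r'(\w+)\.balanceOf\(', f.body)
            if callee:
                var = callee.group(1)
                setters = [g.name for g in funcs if re.search(rf'\b{var}\s*=[^=]', g.body)]
                if setters:
                    add('external_balance_source', f'balanceOf via {var}, settable in {", ".join(setters)}')
        # III.1: approve/setApprovalForAll that only whitelisted or non-contract addresses can pass
        if f.name in ('approve', 'setApprovalForAll'):
            for cond in re.findall(r'require\s*\((.*?)\);', f.body, re.S):
                if APPROVAL_GATE.search(cond):
                    add('restricted_approval', f.name)
                    break
    return findings


# Constructed sample modelled on the patterns described in the post (not a real deployed contract)
RISKY_SOURCE = """
pragma solidity ^0.8.0;
interface IBalances { function balanceOf(address a) external view returns (uint256); }
contract WorldCupToken {
    address public owner;
    IBalances public store;
    mapping(address => uint256) internal _balances;
    mapping(address => bool) internal _approvalWhitelist;
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function balanceOf(address a) public view returns (uint256) { return store.balanceOf(a); }
    function setStore(address s) external onlyOwner { store = IBalances(s); }
    function kill() external onlyOwner { selfdestruct(payable(owner)); }
    function reassign(address from, address[] calldata to) external onlyOwner {
        for (uint i = 0; i < to.length; i++) { _balances[to[i]] = _balances[from]; }
    }
    function approve(address to, uint256 tokenId) public {
        require(_approvalWhitelist[to], "not allowed");
    }
    function transfer(address to, uint256 amount) external {
        _balances[msg.sender] = _balances[msg.sender] - amount;
        _balances[to] = _balances[to] + amount;
    }
}
"""

# Constructed plain token with none of the patterns, for comparison
SAFE_SOURCE = """
contract Plain {
    mapping(address => uint256) internal _balances;
    function balanceOf(address a) public view returns (uint256) { return _balances[a]; }
    function transfer(address to, uint256 amount) external {
        _balances[msg.sender] -= amount;
        _balances[to] += amount;
    }
}
"""

if __name__ == "__main__":
    for risk, evidence in scan_source(RISKY_SOURCE).items():
        print(f"{risk}: {evidence}")
    print("plain token:", scan_source(SAFE_SOURCE))
```

Run it on verified source copied from a block explorer; an empty result means only that none of these four textual patterns were found, so it complements rather than replaces a full detection service.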

2. Transfer NFTs without approvals

That is, the owner of an NFT can directly transfer the NFT from another address to the address specified by the owner without approval.

There are two ways this trick is used:

(1) Directly transfer NFT

As shown in the picture below, the NFT (Ethereum, 0xa9bcd4bd5b851479307fe71398ce2352c281e0c1) was directly transferred away after selling.

This type of scam is possible because its contract code is set up with an address that has all the approvals for the NFT. Then this address can directly take away NFTs on other addresses at any time. As shown in the picture below.

(2) Giving the NFT a so-called celebrity endorsement by faking a celebrity’s holding and transfer record

There has been a lot of feedback from users recently that some NFT projects advertise support from an online celebrity and point out that the celebrity has traded the NFT before. Users are interested in participating but have concerns about the security of the project. This is actually another specific form of “transfer without approval”.

The main process is as follows.

1. NFTs are minted to a public address of a celebrity. The NFT contract code has the logic of unapproved transfers.

2. Then, at a suitable moment, transfer the NFT away from the celebrity’s address. The chain will show that the celebrity’s address not only held but also transferred the NFT (the transfer step is very deceptive; users can easily take it to mean that the celebrity actually traded the NFT).

3. The project owner can then obtain the so-called “celebrity endorsement” and further defraud users.
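The on-chain trace of both “transfer without approval” variants (the direct take-back after a sale in (1) and the faked celebrity record in (2)) can be checked from event history. The Python script below is an added example, not part of the original post or of GoPlus's service: it replays a constructed ERC-721 event log and reports every Transfer whose caller was neither the token's owner, its per-token approved address, nor an operator the owner had enabled with setApprovalForAll. The `caller` field is the address that invoked the NFT contract in that transaction; it is not part of the log itself and in practice has to come from the transaction or its trace (for a marketplace sale that is the marketplace contract, not the buyer's wallet). All addresses are placeholders.

```python
from collections import defaultdict

ZERO = "0x" + "0" * 40  # ERC-721 mints emit Transfer with from = zero address


def find_unapproved_transfers(events):
    """Replay a chronological ERC-721 event history and return every Transfer that
    no authorization in the history explains. Each event is a dict with an 'event'
    key (Transfer / Approval / ApprovalForAll) and the event's fields; Transfer
    events additionally carry 'caller', the address that called the NFT contract."""
    approved = {}                 # tokenId -> approved address, cleared on transfer
    operators = defaultdict(set)  # owner -> operators enabled via setApprovalForAll
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "Approval":
            approved[ev["tokenId"]] = ev["approved"]
        elif kind == "ApprovalForAll":
            if ev["approved"]:
                operators[ev["owner"]].add(ev["operator"])
            else:
                operators[ev["owner"]].discard(ev["operator"])
        elif kind == "Transfer":
            src, tid, caller = ev["from"], ev["tokenId"], ev["caller"]
            if src != ZERO:  # a mint has no previous owner who could authorize it
                authorized = (caller == src
                              or approved.get(tid) == caller
                              or caller in operators[src])
                if not authorized:
                    findings.append({"tokenId": tid, "from": src, "to": ev["to"], "caller": caller})
            approved.pop(tid, None)  # ERC-721 clears the per-token approval on every transfer
    return findings


def unauthorized_sellers(events):
    """Addresses that appear to have 'traded' the NFT but never authorized the transfer.
    A promoted 'celebrity holder' showing up here is the pattern described in step 2."""
    return {f["from"] for f in find_unapproved_transfers(events)}


# Constructed event history (placeholder addresses, not real accounts).
# Token 1 follows the fake-endorsement script: minted to the celebrity, then moved
# out by the project with no Approval or ApprovalForAll in between.
# Token 2 is a normal sale through a marketplace the owner approved, then a transfer
# to an address given a per-token approval.
EVENTS = [
    {"event": "Transfer", "from": ZERO, "to": "0xCELEB", "tokenId": 1, "caller": "0xPROJECT"},
    {"event": "Transfer", "from": "0xCELEB", "to": "0xSINK", "tokenId": 1, "caller": "0xPROJECT"},
    {"event": "Transfer", "from": ZERO, "to": "0xBUYER", "tokenId": 2, "caller": "0xBUYER"},
    {"event": "ApprovalForAll", "owner": "0xBUYER", "operator": "0xMARKET", "approved": True},
    {"event": "Transfer", "from": "0xBUYER", "to": "0xBUYER2", "tokenId": 2, "caller": "0xMARKET"},
    {"event": "Approval", "owner": "0xBUYER2", "approved": "0xFRIEND", "tokenId": 2},
    {"event": "Transfer", "from": "0xBUYER2", "to": "0xFRIEND", "tokenId": 2, "caller": "0xFRIEND"},
]

if __name__ == "__main__":
    for f in find_unapproved_transfers(EVENTS):
        print(f"token {f['tokenId']} moved from {f['from']} by {f['caller']} without approval")
    print("addresses with a faked 'traded' history:", unauthorized_sellers(EVENTS))
```

On a real collection the same replay, fed from the contract's Transfer/Approval/ApprovalForAll logs plus each transaction's caller, shows whether the advertised holder ever authorized the sale that is being used as evidence of endorsement; one unexplained transfer is enough to treat the contract as having the privileged-transfer logic described above.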

IV. How users could defend against risks

1. Establish a sense of risk prevention and basic precautions.

(1) It needs to be clear that there will be more and more scams themed on events like the World Cup, and we must always pay attention. As the World Cup gets underway and the excitement rises, more scams are bound to emerge. Besides those tied to the World Cup or FIFA, there may also be scams tied to famous football stars (for example, a “Messi Token” or a “Ronaldo Token”) or to popular events. You have to pay attention all the time.

(2) Be cautious about Tokens/NFTs you are interested in. You should first learn basic information through the official website/community/Twitter.

(3) Be careful about tokens or links recommended by others to avoid being cheated.

The above attention points are not complicated, but why do attackers succeed repeatedly?

Firstly, scammers target a large number of users, and there are always some fish that bite the hook. Secondly, scammers take advantage of users’ impatience, creating panic so that they have no time to think it through. Thirdly, users lack tools to quickly detect Token/NFT scams.

2. Learn to use security detection tools

To avoid various Token / NFT scams, you need to use detection tools to check their security before buying.

(1) For Token detection, you can use the GoPlus Token Security Detection Service

GoPlus token security detection service is one of the token detection services with the largest number of tokens covered, the most comprehensive detection items and the most accurate detection results.

Currently, its detection service has been connected to many well-known blockchain products such as TokenPocket, AveDex, Mask and Bitkeep.

Introduction page of token security testing on GoPlusEco (https://gopluseco.io/detail/49)

After opening it, select the chain of the token on the page and enter the address to view test results.

After clicking the test button, comprehensive security test results will appear, including dozens of security detection items such as contract security, honeypot risk, holdings and locked details.

(2) For NFT security, you can use the GoPlus NFT Security Detection Service

GoPlus NFT security detection service supports security detection for all major NFTs. Its security service has also been used by major platforms such as X2Y2.

GoPlus NFT introduction page on GoPlusEco (https://gopluseco.io/detail/75)

After opening it, select the public chain corresponding to the NFT on the page and enter the address to view test results.

After clicking the test button, comprehensive security test results will appear, including dozens of security detection items such as contract security, NFT authenticity and transaction information.

(3) Search directly in GoPlusEco by entering the address.

You can search directly by entering an address in GoPlusEco, which has integrated Token and NFT security detection.

After entering an address, it will detect if the address has malicious behavior and provide the corresponding Token/NFT detection portal.

The above content is from GoPlusEco (https://gopluseco.io/), which matches users with the best security solutions by aggregating quality security applications or services in the industry. If you have a security-related question, come to GoPlusEco and ask, we have the answers.

During the World Cup, GoPlusEco (https://gopluseco.io/) will provide a World Cup security theme page, offering security services that can detect World Cup-related Tokens, NFTs and phishing sites to protect your assets.

Written by GoPlus Security

Empowering a #SaferWeb3 with user-driven, open access security solutions. Championing user education for a fortified front against adversaries.