Ukraine airdrop canceled, why I brought Ukraine DAO token?

GoPlus Security
5 min readMar 17, 2022

--

As a DeFi farmer, we sometimes earn by chasing trend and getting FOMO and ape in. The earlier we join and farm new projects, the higher possibility we can earn high yields. Token prices are low at the beginning, and the APRs are super high compared to traditional finance, sometimes even as high as millions percent per year.

Days ago, Ukraine accepted crypto as donations, then its official Twitter announced airdrop snapshot for donators but canceled it later and sold NFT instead. Whatever the thing was, topics about “Ukraine DAO” got spread all over the crypto world, we can see it everywhere. Meanwhile, in a open and permissionless market environment, the cost for making a scam is super low, and there’s always some attackers creating traps.

Several days ago on March 1st, toast.eth tweeted that he got some Ukraine DAO token in his public address, and it seemed that he could sell it for around 110 ETH. But things looked weird, so he claimed he would not do that as there might be some potential risk in the smart contract. And he warned everyone about that sort of risk.

In fact, he was right. Let’s find the data on-chain and take a look at what happened. We found the token contract address on Etherscan and checked it on Dextools. We can see that within two days, the token price surged about 20X, some people could sell it, everything seems all right.

But in fact , you can never sell it. Only some whitelist addresses can actually sell it into ETH, and of course, those addresses are the attacker’s own.

And after all of that, the attacker removed all the liquidity, and the game was over. During those days, he earned around 400 ETH. All those money went to his own pocket. His cost? I think maybe only some gas fees, no more than 5 ETH.

And what’s more, that’s only ONE fake Ukraine DAO token. During those days, around 50 Ukraine DAO token came out, some on Ethereum, some on BSC.

Except “Ukraine DAO,” according to Peckshield, the DeFi scam pulled 9.68 M in February 2022, 50% more than that of January. Those scams include rug pull, sell tax, sell limit, etc.

How do we get scammed?

As a DeFi farmer, we always look for opportunities, follow Twitter, check the news, chat in groups. And sometimes, we monitor diamond hand addresses. And scammers also find us via those way.

Channels

As mentioned before, some scammers find us via social media, like viral spread token addresses on discord and telegram. Some pretend to be real projects and add the hashtag on Twitter, waiting for people to search for them.

Like that Ukraine DAO we mentioned earlier, others aimed at some diamond hand addresses. Those addresses are owned by those who can always get first-hand information, find good projects and earn money. So by monitoring those addresses, people can follow their actions to earn as well. So that Ukraine DAO sent fake token to toast.eth’s address, and of course, some people are watching that address. And once they saw the new position of the account, they might just ape in and buy that token. And, of course, Ukraine DAO token were airdropped to a bunch of those addresses.

Then, how can those scammers make a profit after people buy in? There are several types of scams, including:

  • rug pull. The scammer provides initial liquidity and waits for people to buy. Then they remove all liquidity and earn a profit. That’s the easiest one.
  • Honey pot. You can only buy but can not sell. Only some whitelist addresses can sell.
  • Anti whale. The scammer poses a sell limitation on those tokens.
  • Stop token transactions. The scammer has the right in the contract to stop transactions.
  • Sell tax, or sell tax can be changed. Like that fake Ukraine DAO token, the selling tax is 100%, which means you give up everything when you sell.
  • Unlimited mint. The scammer can mint more tokens.
  • Add whitelist/blacklist.

How to protect ourselves from a scammer? (while still being an ape)

Generally, if we can read smart contract code, everything can be solved. But in most cases, we can not read the code, or maybe we do not have enough time for doing that.

So if you want to quickly detect flaws in smart contracts with little or no cost, I highly recommend using Go+ security API. By entering token contract addresses and waiting for several seconds, Go+ can automatically detect any risk in that token. Now Go+ supports six blockchains, covering 27 sorts of security risks.

Using Go+ is super simple. In web2.0, we already have various tools to protect us from computer viruses. In web3.0, indeed, we need ones like that. And that’s why Go+’s here secure your every move in crypto.

About Go+

Go+ is an open, permissionless, and user-driven security service provider for Web3. Go+ security engine covers Multi-chain with multi-risk dimension detection for crypto project teams and ordinary investors.

Go+ builds the security platform in a dynamic, and decentralized approach by providing practical, attractive & flexible incentives to qualified security participants.

Go+ develops a complete, dynamic and automatic security detecting platform, including token detection, real-time risk warning, dApp contract security, and interaction security. We are preparing for a Security DAO to build a better web3 Security Ecosystem.

#GoPlus

--

--

GoPlus Security
GoPlus Security

Written by GoPlus Security

Empowering a #SaferWeb3 with user-driven, open access security solutions. Championing user education for a fortified front against adversaries.

No responses yet