Published Apr 1, 2022 · 6 min read
For many people that buy, trade, and sell crypto, smart contracts have an air of mystique around them. Everyone has used one, but not many people have seen one, and even fewer people know how to build one.
This experience gap allows savvy hackers to trick people out of their hard-earned digital money. This article goes over malicious smart contracts: how they work, how to spot one, and how to avoid them altogether.
Malicious smart contracts are contracts built to steal or misuse the funds or tokens you expose to them. They come in many variations, so I’ll give a couple of examples:
- Approval contracts: a site asks you to approve a token (an ERC-20 `approve` or an NFT `setApprovalForAll`), which lets the attacker’s address move that token out of your wallet later, with no further signature from you
- Liquidity pool contracts that accept deposits but never actually let you withdraw your money
- Deposit contracts that forward whatever you send them straight to the attacker’s wallet
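The approval and deposit cases are easiest to understand at the level of the transaction your wallet asks you to sign. The following is an added example, not code from the original article or from Harpie: it decodes a transaction request the way a wallet sees it (`to`, `value`, `data`) and flags the approval and transfer calls these scams rely on. The function selectors are the standard ERC-20/ERC-721/ERC-1155 values; the sample requests, the addresses in them and the `trustedSpenders` list are constructed for the demo.

```javascript
// Added example (not from the article or from Harpie): decode an Ethereum
// transaction request and flag approval/transfer calls before signing it.
// Selectors are the first 4 bytes of keccak256(signature); these are the
// standard ERC-20 / ERC-721 / ERC-1155 values.
const SELECTORS = {
  '095ea7b3': { name: 'approve(address,uint256)', kind: 'approval' },
  '39509351': { name: 'increaseAllowance(address,uint256)', kind: 'approval' },
  'a22cb465': { name: 'setApprovalForAll(address,bool)', kind: 'approval' },
  'a9059cbb': { name: 'transfer(address,uint256)', kind: 'transfer' },
  '23b872dd': { name: 'transferFrom(address,address,uint256)', kind: 'transfer' },
  '42842e0e': { name: 'safeTransferFrom(address,address,uint256)', kind: 'transfer' },
  'b88d4fde': { name: 'safeTransferFrom(address,address,uint256,bytes)', kind: 'transfer' },
  'f242432a': { name: 'safeTransferFrom(address,address,uint256,uint256,bytes)', kind: 'transfer' },
};
const UINT256_MAX = (1n << 256n) - 1n; // the "unlimited" allowance most drainers ask for
const RANK = { info: 0, warn: 1, critical: 2 };

// ABI arguments follow the 4-byte selector as 32-byte words; an address is the
// low 20 bytes of its word, a bool is 0 or 1.
const word = (hex, i) => hex.slice(8 + i * 64, 8 + (i + 1) * 64);
const wordAddress = (hex, i) => '0x' + word(hex, i).slice(24);
const wordUint = (hex, i) => BigInt('0x' + word(hex, i));
const paramCount = (sig) => sig.slice(sig.indexOf('(') + 1, -1).split(',').length;

// tx is the object a site hands to eth_sendTransaction ({from, to, value, data});
// trustedSpenders are contracts you deliberately chose to approve (a DEX router, say).
function analyzeTx(tx, trustedSpenders = []) {
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const data = (tx.data || '0x').replace(/^0x/i, '').toLowerCase();
  const findings = [];
  let severity = 'info';
  const flag = (level, msg) => {
    findings.push(`[${level}] ${msg}`);
    if (RANK[level] > RANK[severity]) severity = level;
  };

  if (data.length === 0) {
    // No calldata: a plain ETH transfer, so only recipient and amount matter.
    const value = BigInt(tx.value || 0);
    if (value > 0n) flag('warn', `sends ${value} wei to ${tx.to}`);
    return { call: 'ETH transfer', severity, findings };
  }
  const entry = SELECTORS[data.slice(0, 8)];
  if (!entry) {
    // Unknown function: not known-safe, merely not a recognised approval or transfer.
    flag('warn', `unrecognised selector 0x${data.slice(0, 8)} on ${tx.to}; read the verified source first`);
    return { call: 'unknown', severity, findings };
  }
  if (data.length < 8 + 64 * paramCount(entry.name)) {
    flag('warn', `calldata too short for ${entry.name}`);
    return { call: entry.name, severity, findings };
  }

  if (entry.kind === 'approval') {
    const spender = wordAddress(data, 0);
    const amount = wordUint(data, 1);
    const known = trusted.has(spender);
    if (amount === 0n) {
      flag('info', `revokes ${spender} on ${tx.to}`);
    } else if (entry.name.startsWith('setApprovalForAll')) {
      flag(known ? 'warn' : 'critical', `makes ${spender} operator of EVERY token you hold in ${tx.to}`);
    } else if (amount === UINT256_MAX) {
      flag(known ? 'warn' : 'critical', `unlimited allowance for ${spender} on ${tx.to}`);
    } else {
      flag(known ? 'info' : 'warn', `allowance of ${amount} for ${spender} on ${tx.to}`);
    }
  } else {
    // Transfer family: report who loses the tokens and who receives them.
    const hasFrom = entry.name.includes('(address,address');
    const from = hasFrom ? wordAddress(data, 0) : (tx.from || '').toLowerCase();
    const to = wordAddress(data, hasFrom ? 1 : 0);
    flag('warn', `moves tokens of ${tx.to} from ${from} to ${to}`);
    if (hasFrom && tx.from && from !== tx.from.toLowerCase()) {
      flag('warn', "spends another address's tokens via an existing allowance");
    }
  }
  return { call: entry.name, severity, findings };
}

// Constructed sample requests; the addresses are placeholders, not real contracts.
const pad32 = (v) => (typeof v === 'bigint' ? v.toString(16) : v.replace(/^0x/, '')).padStart(64, '0');
const encodeCall = (selector, ...args) => '0x' + selector + args.map(pad32).join('');
const VICTIM = '0x' + '1'.repeat(40);
const TOKEN = '0x' + '2'.repeat(40);
const ROUTER = '0x' + '3'.repeat(40);
const ATTACKER = '0xbad' + '0'.repeat(34) + 'bad';
const SAMPLES = {
  // "Claim your giveaway": really an unlimited allowance for the attacker
  unlimitedApproval: { from: VICTIM, to: TOKEN, data: encodeCall('095ea7b3', ATTACKER, UINT256_MAX) },
  // "Verify your NFTs": really hands the whole collection to the attacker
  operatorGrant: { from: VICTIM, to: TOKEN, data: encodeCall('a22cb465', ATTACKER, 1n) },
  // The same allowance, but to a router you picked yourself
  routerApproval: { from: VICTIM, to: TOKEN, data: encodeCall('095ea7b3', ROUTER, UINT256_MAX) },
  // Cleaning up afterwards: allowance set back to zero
  revoke: { from: VICTIM, to: TOKEN, data: encodeCall('095ea7b3', ATTACKER, 0n) },
};

for (const [label, tx] of Object.entries(SAMPLES)) {
  const r = analyzeTx(tx, [ROUTER]);
  console.log(`${label}: ${r.severity} ${r.call}`, r.findings);
}
```

The point of the `trustedSpenders` list is that an unlimited allowance is not malicious in itself; the same calldata is routine when the spender is a contract you picked. What the check surfaces is the spender address, which the "claim" button on a payload site never shows you. The same decoding applies to ETH-only deposit contracts: with no calldata at all, the only things left to verify are the recipient and the amount.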
Malicious contracts are the execution layers of crypto smart contract scams. These scams rely on social engineering to get you to sign their smart contracts, and then execute the theft once the smart contract is signed.
A famous example of one of these crypto smart contract scams was the $1.7m OpenSea phishing attack of February 2022.
Users who followed the link in the phishing email were asked to sign a request that authorized transferring all of their NFTs to the attacker’s address.
If you’re a tech-savvy web3 veteran, you might be wondering, “who actually falls for these scams?” The truth is that it’s difficult to detect malicious smart contracts, and in some cases, even mathematically impossible.
There’s a theorem in computer science called Rice’s theorem, which states that no algorithm can decide, for every possible program, whether that program has a given non-trivial behavioral property. “Will this contract ever move my tokens somewhere I didn’t intend?” is exactly such a property.
The consequence of Rice’s theorem is that there can be no general-purpose checker that is guaranteed to tell us whether an arbitrary contract is malicious. Any particular contract can still be read and analyzed; what’s missing is an automated answer that is right every time.
Falling for a malicious contract can happen to anyone. Even though most malicious contracts are fairly easy to spot to a well-informed eye, contracts can be built so their behavior can’t be read off the chain: the source may be unverified, leaving only bytecode, or the contract you approve may be a proxy whose logic its owner can swap out after you’ve signed. There really is no way to fully guard yourself against malicious contracts at a programmatic level.
There’s one main difference between web3 and web2 personal security: in web3, it only takes a single click to lose everything you own. Outside of that, web3 and web2 scams have the same two steps:
- Social engineering: a person/organization will convince you to enter their website.
- Payload: the website/app has a mechanism that steals your money. In web2, that’s usually a wire transfer. In web3, it’s a single signature on a transaction or approval.
As previously established, it’s difficult (and sometimes impossible) to determine if a smart contract is malicious or not. That means that the only way to protect yourself from web3 scams is to detect and avoid the portions of the scam that lead you to sign the malicious smart contract.
Detecting social engineering
Social engineering in web3 scamming takes many forms, but there are a few categories to watch out for.
- Giveaway: a scammer will tell you that you’re eligible for a giveaway, and ask you to sign a smart contract on their payload website.
- Manipulation: a scammer will pose as a “trading buddy,” letting you know about profitable new projects they come across. Eventually, they lead you to a payload website of their own creation.
- Impersonation: a scammer will pose as a MetaMask engineer or support agent and ask you for your private key or seed phrase, sometimes openly over Twitter or Discord. No legitimate support team will ever ask for either.
Be wary of anyone being overly kind or supportive to you over the Internet. If it sounds too good to be true, it probably is! You cannot trust anybody, no matter who they claim to be.
Detecting a payload site
If you somehow fall victim to social engineering without detecting it, it’s not too late! Although malicious smart contracts may be difficult to detect, payload sites have some common traits that can help you detect a scam before it’s too late.
This site is an example of a payload site, and it looks relatively normal. It’s a decent looking website advertising a plausible product. If you’re looking very closely, you’ll see a few grammatical mistakes, but nothing egregious enough to make you turn your head.
Scamming has evolved since the 2000s: the payload sites of today have big budgets, and are going to look convincing and professional. A general rule is that, most times, you won’t know if a site is a payload unless you look outside the site. Here are the personal steps I take to determine if a site is a payload or not:
- Look at the URL. If it’s something like asdlkjyndz242.fjk334.ru… don’t proceed. Sometimes, the URL can look legitimate; for example, the above screenshot is on a .com domain and uses HTTPS. Neither proves anything: anyone can register a .com and get a free certificate for it.
- Search for their social media profiles. Many of these scam sites have Twitter profiles with a few dead giveaways. The payload site above had a Twitter page with 25k (fake) followers, yet had no tweets, no Discord, & no interaction with members of its community.
- A little trick: “[page name] scam reddit” on Google. There will sometimes be real people commenting about the scam on Reddit… that being said, take everything you see online with a grain of salt.
- Look for content being produced by the company. Almost every legitimate crypto company has spent significant time and resources creating educational content on crypto. Try to find their blog.
- If you’ve done all of these, and no red flags go off, make a final decision on whether or not to use the site. Do a short background check on the person that referred you to the site, do your due diligence, and check once more before you click that button.
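The first step, checking the URL, can be partly automated, and doing so shows why HTTPS and a .com ending prove nothing. Below is an added example, not code from the original article or from Harpie. Given an allowlist of sites you actually use (`KNOWN_SITES` here is a constructed placeholder), it flags the ways a payload site’s address imitates them: a typo or swapped letters in the registrable domain, the real brand name placed in a subdomain or path of an unrelated domain, Unicode look-alike hostnames (which Node’s URL parser exposes as `xn--` punycode labels), and random-looking labels like the one in the list above. The registrable-domain rule (last two labels) is a simplification; a real tool would use the public suffix list.

```javascript
// Added example (not from the article or from Harpie): heuristics for the
// "look at the URL" step. KNOWN_SITES is a constructed allowlist standing in
// for the sites you personally use.
const KNOWN_SITES = ['opensea.io', 'metamask.io', 'uniswap.org'];

// Simplification: last two labels. Real tools use the public suffix list so
// that e.g. "example.co.uk" is handled correctly.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Edit distance with insert, delete, substitute and adjacent swap, so that
// "opensae" (swapped letters) is 1 step from "opensea".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns 'known' (on your allowlist), 'suspicious' (imitates an allowlisted
// site or looks random), 'unknown' (nothing found, which is NOT a pass) or
// 'block' (unparseable). Scheme and TLD are deliberately not used as evidence.
function checkUrl(raw, known = KNOWN_SITES) {
  let url;
  try { url = new URL(raw); } catch { return { verdict: 'block', reasons: ['not a valid URL'] }; }
  const host = url.hostname; // the parser lower-cases and punycodes this for us
  const domain = registrableDomain(host);
  const reasons = [];
  if (known.includes(domain)) return { verdict: 'known', reasons };

  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    reasons.push('hostname contains non-ASCII look-alike characters');
  }
  for (const site of known) {
    const brand = site.split('.')[0];
    const dist = editDistance(domain, site);
    if (dist > 0 && dist <= 2) {
      reasons.push(`"${domain}" is ${dist} edit(s) away from ${site}`);
    } else if (host.includes(brand) || url.pathname.toLowerCase().includes(brand)) {
      reasons.push(`"${brand}" appears in the URL but the site is actually ${domain}`);
    }
  }
  // Three or more digits, or several hyphens, in the main label: throwaway domain
  if (/\d{3,}|-.*-/.test(domain.split('.')[0])) reasons.push('random-looking domain label');
  return { verdict: reasons.length ? 'suspicious' : 'unknown', reasons };
}

// Constructed sample addresses (the first is the one quoted in the list above).
for (const u of ['https://asdlkjyndz242.fjk334.ru/', 'https://opensae.io/claim',
                 'https://opensea-rewards.com/', 'https://opensea.io/collection/x',
                 'https://example.org/']) {
  console.log(u, checkUrl(u));
}
```

The verdict `unknown` is the important one: it means the URL passed every lookalike check, which is exactly the situation the article describes for the screenshot above, and exactly where the remaining steps (social profiles, search, the referrer’s background) have to take over.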
It’s important that you follow these rules for every site you come across. You probably won’t know that you’re on a payload website if you already fell for the social engineering, so just assume every website is a payload, and proceed with pessimism.
A note on effectiveness
These tips are, by no means, failsafe measures against scams and malicious contracts. Following them, however, greatly reduces your exposure. Almost all web2 and web3 scams are targeted at optimistic, inexperienced users, including the elderly and newcomers to crypto. It’s cheaper, easier, and more profitable to target people who can’t detect scams and social engineering at all. Scams that get around these tips and exploit even the most knowledgeable of users do exist, but they are a small minority.
Malicious smart contracts are difficult to detect without specialist knowledge, and can be deliberately built so that they are effectively impossible to detect. That being said, malicious smart contracts don’t work on their own: they need a payload website and social engineering to successfully steal your money.
While malicious smart contracts themselves are difficult to identify, there are general rules you can follow to avoid interacting with them in the first place.
Harpie gives crypto traders the power to defend themselves against theft. With their proprietary on-chain security solution, Harpie safeguards wallets in real time by monitoring for and blocking malicious transactions before they confirm on chain. Harpie simplifies crypto security with an intuitive and holistic platform, helping users of all experience levels eliminate the threat of blockchain-based theft. Harpie launched in September 2022 and is backed by leading Web3 names including Dragonfly Capital, Coinbase Ventures, and OpenSea.