Airdrop Mania Sees Latest Airdrop Rug Pull on Buyers Through Smart Contract Exploit
As reported by @cat5749, a scam surfaced on Dec. 31, 2021 that rewarded $YEAR tokens for ETH transactions, based on the contents of users' MetaMask wallets.
Investors in a new cryptocurrency called $YEAR were the subject of a honeypot scam, as tweeted by @cat5749. Essentially, a token creator used a website called EtherWrapped that connected to a user's MetaMask wallet. The individual or group of individuals allotted $YEAR token rewards to users based on their ETH transactions throughout the previous year.
Everything on Ethereum is handled via smart contracts which run on the Ethereum Virtual Machine. Smart contracts can be freely viewed using Etherscan. To create a new token, an entity must create a new smart contract in a decentralized application language called Solidity and deploy it to the Ethereum Virtual Machine. Initially, when the contract is uploaded, it is an “unverified” contract.
In the case of this scam, the smart contract was verified after members of the Ethereum community clamored for verification. Through verification, the contract became public, which meant that the smart contract code was open to scrutiny.
Hidden in plain sight
A newer exploit is for malicious entities to create seemingly benign smart contracts, with traps hidden in plain sight. These are impervious to code inspections, as there are often no obvious signs that the smart contract owner wishes to engage in malicious activity. In the case of the $YEAR token, a Twitter user named @cat5749 and others examined the smart contract for apparent traps in the code. They couldn’t find anything that looked suspicious. They did come across a function called “_burnMechanism” which would fail if contact was attempted with the contract owner. This didn’t raise any obvious red flags, but it would prove instrumental in diagnosing how the attack happened.
Revoking ownership to crash new coin
The owner revoked ownership of the contract and made the decentralized exchange Uniswap V2 its new owner. This meant that purchases could be made from Uniswap V2, but nothing could be sold to Uniswap V2. The smart contract owner would then become the only seller, causing the price of the $YEAR token to increase. As users saw the price increasing, FOMO made them want to buy.
When a new token is created, the creator must provide a way for users to buy and sell the token. This sometimes means that the creator will place a valuable token such as ETH and their new token in a trading pool. Buyers of the new token will need to supply the valuable token to get the new token. The creator can then pull out their original valuable token plus the new token. Due to the way automated market makers work, this will remove more of the valuable token than the worthless token.
The creator then pulled out liquidity from Uniswap V2, including over 30 ETH, and caused the new token to crash, leaving some very disgruntled investors.
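The pool arithmetic behind this, as an added example (not code from the original report, the $YEAR contract or Uniswap): a constant-product pool in Python where selling into the pool is blocked, as described above. The Pool class, the simulate helper and all amounts are constructed for illustration; the 0.3% fee is Uniswap V2's swap fee.

```python
FEE = 0.003  # Uniswap V2 swap fee (0.3%); it stays in the pool

class Pool:
    """Constant-product pool: eth * tokens never decreases across swaps."""
    def __init__(self, eth, tokens, sells_blocked=False):
        self.eth, self.tokens, self.sells_blocked = eth, tokens, sells_blocked

    def price(self):
        return self.eth / self.tokens  # ETH per token implied by reserves

    def buy(self, eth_in):
        net = eth_in * (1 - FEE)
        out = self.tokens * net / (self.eth + net)
        self.eth += eth_in
        self.tokens -= out
        return out  # tokens sent to the buyer

    def sell(self, tokens_in):
        if self.sells_blocked:  # honeypot: the token transfer into the pool reverts
            raise RuntimeError("transfer reverted")
        net = tokens_in * (1 - FEE)
        out = self.eth * net / (self.tokens + net)
        self.tokens += tokens_in
        self.eth -= out
        return out  # ETH sent to the seller

    def remove_all_liquidity(self):
        """The sole liquidity provider withdraws both reserves."""
        eth, tokens = self.eth, self.tokens
        self.eth = self.tokens = 0.0
        return eth, tokens

def simulate(seed_eth=10.0, seed_tokens=1_000_000.0, buys=(4.0, 4.0, 4.0)):
    """Constructed scenario: creator seeds the pool, buyers buy, nobody can sell."""
    pool = Pool(seed_eth, seed_tokens, sells_blocked=True)
    start_price = pool.price()
    bought = [pool.buy(b) for b in buys]
    try:
        pool.sell(bought[0])
        could_sell = True
    except RuntimeError:
        could_sell = False
    eth_out, tokens_out = pool.remove_all_liquidity()
    return {"start_price": start_price, "end_price": eth_out / tokens_out,
            "buyer_could_sell": could_sell, "creator_eth": eth_out,
            "creator_tokens": tokens_out, "buyer_tokens": sum(bought)}

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With these sample numbers the creator seeds 10 ETH and withdraws 22 ETH, while getting back fewer tokens than were deposited; the buyers hold the remaining tokens and have no pool left to sell into.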