Uniswap Honeypot Scam — Analysis
If you don’t know Uniswap, it’s a decentralized cryptocurrency exchange running on Ethereum that’s been very popular lately. And with anything popular in crypto, you have plenty of scams happening in broad daylight.
In this article, I’m going to look into a common type of honeypot scam on Uniswap that involves listing a “malicious” token that lets people buy it for ETH, but won’t let them swap it back and cash in.
Uniswap — (almost) anything goes
Unlike centralized exchanges, Uniswap doesn’t employ an order book. Instead, you get something called liquidity pools which are created by depositing two tokens into a smart contract, which then creates a pair that can be traded by Uniswap users.
For example, suppose I create token ABC and I want to let people trade it for ETH. To do that I’ll create a Uniswap pool ABC-ETH by depositing an X amount of my token along with a Y amount of ETH. In essence, I’m creating liquidity by pairing my token with my own ETH. If anyone else holds some ABC, they can now exchange it for ETH at the price that is set by the pool, and vice versa.
The price itself is determined by the current ratio of ABC to ETH. I won’t go into the details here, there’s a better source for that here. Suffice to say that the more you have of one of the pair in the pool, the higher the price is going to be if you want to buy the other one. i.e. the more ETH will be added to the pool, the higher the price of each ABC will be and vice versa.
Anybody can list a token on Uniswap, provided they are willing to pay the gas price and back it up with some liquidity in the form of Ether.
Malicious Tokens and Honeypots
Your token must be an ERC20 token if you want to create a pair, so you can trust that any pair on Uniswap will “technically” involve ERC20 tokens.
But there’s a problem: Uniswap only cares that your token implements the ERC20 standard, not HOW it actually implement it. In other words, you can list a malicious, broken, or otherwise experimental token without anyone batting an eye.
This brings us to the subject of this: Honeypot tokens.
A honeypot token is a malicious ERC20 that, once listed as part of a pair on Uniswap (usually with ETH), can be traded in exchange for ETH, but can’t be traded back. In other words, an unlucky trader that buys this token will now be stuck with it, unable to cash out.
How does this scam work?
A malicious actor will create a “scam” token along with a liquidity pool where they will pair this token with ETH. The perpetrator will then put some ETH into the pool to serve as the “honey”.
A common trading strategy on Uniswap is to track brand new (under 3 hour) listings and pick promising “gems” to buy. Many of these new tokens usually pump in the first few hours after listing on Uniswap, and the brave traders who are able to get in early can make decent profits very quickly.
Remember our “honey”? A brand new token backed by a hefty sum of ETH is often seen as a promising horse — After all, it would appear somebody is willing to back it with a nice chunk of change.
So how does the scammer make money here?
A number of traders are going to buy the token for ETH, thus increasing the amount of ETH in the pool. Once the scam runs out of steam and people stop buying, the scammer will pull the initial liquidity and then trade their own reserve of the tokens for the ETH that remains in the pool, making a cool profit.
But wait, how can the scammer trade their token for ETH while others can’t?
The Code
Let’s take a closer look at the token in question to truly figure out what’s up.
Here are two snippets of code that depict a “transfer” function that move a number of tokens from a sender to a recipient.
Disregard that it’s not called “transfer” in one of the images, it is still used for that purpose. Looks mostly the same, but exhibit A has an internal modifier called “burnTokenCheck”. In Solidity, this means that some additional function has to run before the function in question can be executed.
*Modifiers are often used to run a quick check or to modify a variable before running a function.
Let’s see what “burnTokenCheck” does, shall we?
That’s a handful to unpack, but here’s the TL;DR: If you aren’t the owner of the token (the address that deployed it), or have been whitelisted by the owner, you can’t transfer your tokens to anyone. You got scammed.
An Actual Scam
Here is a Uniswap honeypot scam still in progress as of this writing, which appears to be a knock-off of this project. In this instance, a scammer has created a token with the code listed above. After creating a liquidity pool of around $300k worth of ETH to back the scam, and ~24 (as of this writing) victims later, the total ETH pool is now worth $343k.
That’s a cool $43k in profit when all is said and done.
Summary
In short, Uniswap is still the wild west for crypto trades. If you intend to dive into this seedy underbelly, make sure you look into the code of the token you are buying and compare it to known ERC20 implementations. If it looks off, don’t buy it.
References
*Want to contact me? Ping me on Twitter @daniel_a_blank