Beginner’s Guide to Web3 Security: Avoiding Honeypot Scams

SlowMist
6 min readSep 9, 2024

--

Background

In the previous edition of the Web3 Security Guide, we explored common fake mining pool scams. This time, we will focus on honeypot scams. A honeypot is a deceptive scam that lures users with promises of profits but prevents them from withdrawing their funds once invested. Similarly, in honeypot scams, users invest funds, driving up the token’s price and attracting more buyers, but eventually discover they’re unable to sell, leaving their funds trapped.

In our guide, we will discuss why users fall into honeypot scams, the typical tactics used by scammers, and safety tips to help users stay vigilant and avoid these traps.

So Why Do Users Fall for Honeypot Scams?

Let’s examine some of the common reasons users get caught in honeypot scams:

1. Fake Projects

Just as there are counterfeit currencies in the real world, the crypto space is also filled with fake tokens. Some fraudulent projects mimic well-known tokens by copying their names and logos, creating identical token contracts. Users who fail to verify the token’s contract address may unwittingly invest in a honeypot scam and find themselves unable to sell the tokens.

2. “FOMO”(Feat or Missing Out) Mentality

Some users are aware that a project is unreliable or have already noticed suspicious signs, such as consecutive green candlesticks in the chart, yet they convince themselves they can “get in and out quickly.” They hope to buy in during the rise and sell at the right moment, thinking it’s a foolproof plan. However, when they try to sell, they either find the tokens are impossible to sell or can only sell a minuscule amount.

3. Scammer-Induced Investments

Another common scenario involves scammers persuading users to invest. One victim described their experience: “I asked a question in a Telegram group, and someone answered a lot of my questions and gave me advice. After two days of chatting privately, I thought he seemed trustworthy. He then suggested that I invest in a new token on PancakeSwap and provided a contract address. The token’s price started soaring after I bought it, and he told me this was a rare opportunity that comes only once every six months. He urged me to invest more. Sensing something was off, I didn’t follow his advice, and when he continued pressuring me, I realized it was a scam. I asked the group for help, and they confirmed it was a honeypot token. I tried to sell but couldn’t, and when the scammer realized I wouldn’t invest further, he blocked me.”

Typical Tactics of Honeypot Scams

Understanding why users fall into honeypot scams is the first step. Now, let’s look at how scammers execute these schemes. They typically begin by deploying a smart contract with hidden traps, followed by aggressive marketing and token-pumping to lure in users. Some scammers send tokens to wallets or exchanges to create the illusion of widespread participation or even transfer tokens to high-profile crypto wallets to fake celebrity endorsements.

Once users purchase the honeypot tokens, they often see the token’s value rapidly increase and may decide to hold for even greater profits. However, the contract restricts their ability to sell through various methods:

-Adding Buyers to a Blacklist

Once a user buys honeypot tokens, the scammer adds their address to a blacklist, preventing them from selling.

For example, in the case of the honeypot token GROKAI, the scammer’s address was 0x2052C307a5e6d50F6a908a91fF7e605Eb0e0a2EC.

The scammer altered the token’s router to Aontroller contract address 0x7a85810414C3311A45486b03ceCCD3a32590E61E, allowing them to blacklist users and prevent token sales.

- Modifying Token Balances

Scammers can manipulate token balances via the smart contract, reducing the number of tokens users hold without reflecting these changes on blockchain explorers. This means users see the correct balance in their wallets but are unable to sell more than what the contract permits.

- Setting High Sale Thresholds

Some honeypot scams allow token sales but set an unattainable minimum sale threshold. For example, a user might need to hold more tokens than they actually own, or a large sale tax may apply. More devious scams dynamically adjust the threshold, preventing users from ever meeting the conditions to sell. If a user has 1,000 tokens, the contract might require 1,200 tokens to sell, prompting the user to buy more, only to have the threshold increase again to 1,400 tokens.

Conclusion

In this guide, we have examined why users fall into honeypot scams and the typical methods used by scammers. To avoid falling victim, consider the following precautions:

1. Educate yourself about the cryptocurrency project and evaluate its team’s background. Be cautious of tokens promising unusually high returns, as they often come with higher risks.

2. Use tools like **MistTrack** to check the risk profile of wallet addresses or **GoPlus**’s token security checker to assess whether a token might be a honeypot scam before making a decision.

3. Always search by the contract address, not the token name, to avoid counterfeit projects.

4. Check whether the token’s contract has been audited and verified through platforms like Etherscan or BscScan, and read community reviews before investing.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist
SlowMist

Written by SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.

No responses yet