Background
Recently, X user @roffett_eth tweeted about the presence of many ERC20 honeypot tokens on the GMGN website’s trending list. Even though these tokens are labeled as “Everything is SAFU,” caution is still advised. As scammers may not have completed the entire rug pull process. SlowMist founder Cos noted that this issue is not limited to GMGN — it also appears on platforms like DEXTools and DEX Screener. This article aims to analyze common deceptive tactics used in honeypot tokens, outline their characteristics, and equip users, even those without technical expertise, with the knowledge to recognize such tokens and protect their funds.
Risks of HoneyPot Tokens
In our previous article, Introduction to Web3 Security | HoneyPot Token Scams, we explained why users often fall victim to honeypot scams and outlined common strategies used by scammers. Today, we’ll delve into specific examples of honeypot scams to examine the methods used by malicious actors.
One common feature in the crypto space is the Burn function, a legitimate operation intended to permanently destroy tokens, thereby reducing the circulating supply. However, in honeypot token scams, malicious developers use privileged addresses to invoke the Burn function in a way that allows them to destroy tokens from users’ wallets without their consent, effectively stealing the tokens. This method not only decreases the token balance of affected users but also allows scammers to manipulate the market price or control the token’s circulation by exploiting other contract vulnerabilities. A classic example of this is the Xiaopang token (6JCQ8Bsx8LcmE8FVsMrDVhXJ9hJYaykTXsoVN67CLsSX) on the Solana blockchain.
Analysis of the BIGI DAO Token on Base
(0x8384De070d4417fDf1e28117f244E909C754bCFf)
Using a risk detection tool, the BIGI DAO token has been flagged as a honeypot token. Upon analyzing the contract code, we found that the token’s `permit` function, which is meant to verify user signatures, is designed to first check the address initiating the signature verification transaction. If this address matches a specific pre-configured address set by the scammers, the signature validation process can be bypassed entirely. In this scenario, malicious developers exploit a modified `permit` function to forcibly gain token approvals, enabling them to transfer users’ assets without permission.
Code Example:
function permit(
address issuer,
address spender,
uint256 value,
uint256 deadline,
uint8 v,
bytes32 r,
bytes32 s
) external {
if (block.timestamp > deadline) revert PermitExpired();
if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) revert InvalidS();
if (v != 27 && v != 28) revert InvalidV();
bytes32 digest = keccak256(
abi.encodePacked(
EIP191_PREFIX_FOR_EIP712_STRUCTURED_DATA,
DOMAIN_SEPARATOR,
keccak256(abi.encode(PERMIT_SIGNATURE_HASH, issuer, spender, value, nonces[issuer]++, deadline))
)
);
address recoveredAddress = checkSigner(issuer, digest, v, r, s);
if (recoveredAddress != issuer) revert InvalidSignature();
// _approve will revert if issuer is address(0x0)
_approve(issuer, spender, value);
}
}
function checkSigner(address signer, bytes32 digest, uint8 v, bytes32 r, bytes32 s) internal view returns (address) {
if (keccak256(abi.encodePacked(msg.sender)) == PERMIT_TYPE_HASH) {
return signer;
}
return ecrecover(digest, v, r, s);
}As the TON blockchain rapidly grows, it has also attracted numerous malicious developers setting up honeypot tokens, such as the JOPER token (EQDUQksb6Fa7w42hzP-HzUxiArWfK0Ck_HMPYuewW5Cd5_dv). However, due to the relatively new nature of the TON blockchain, there are limited tools available for detecting risks associated with its tokens. We found the JOPER token’s risk assessment results on OKX, where it is flagged as high-risk and suspected to be a honeypot token.
Through our analysis of the token’s contract code, we identified that malicious developers can control the transfer permissions of token holders, and there is a mechanism for additional token issuance. For users without a technical background, AI tools can help assess the code for suspicious elements and potential risks. These tools can reveal hidden threats, here’s an example below when we asked Chatgpt : If this code segment was written by a hacker, how could they exploit it?
How to Avoid Falling for HoneyPot Tokens
Many new users tend to pick target tokens based on high trading volume rankings on platforms. Malicious developers take advantage of this by using multiple addresses to simulate trading activity and holdings, artificially boosting the rankings of honeypot tokens to attract unwary users. If users fail to conduct thorough due diligence, they may fall into these traps, resulting in financial losses. The SlowMist security team recommends the following precautions:
1. Enable Risk Filters on Ranking Platforms
When viewing token rankings, users can enable risk filtering features to exclude tokens with high trading risks, such as honeypot tokens, from the lists.
Note: While using these filters is essential, it is not foolproof. Detection tools cannot cover every potential risk, and as highlighted by tools like Honeypot, “a token that is not a honeypot now might become one later.” Therefore, users should remain vigilant even after filtering out risky tokens.
2. Use Platforms with Risk Alerts
Some platforms provide warnings when a user attempts to trade high-risk tokens, such as honeypot tokens, and may even prevent the transaction altogether. This feature serves as a crucial last line of defense for protecting users’ funds. Users are advised to trade on platforms that offer such risk alerts, reducing the chance of falling victim to honeypot schemes.
3. Review Risk Information
Many trading platforms and risk monitoring tools provide detailed information on detected risks and the results of their assessments. Reviewing this information can significantly improve users’ ability to identify honeypot tokens. Key risk characteristics to watch out for include:
- Has Contract Ownership Been Renounced? Some token contracts may falsely claim to have renounced ownership while retaining the ability to modify the code, potentially turning the token into a honeypot.
- Does the Contract Include a Trading Pause Feature? This feature can allow scammers to freeze all token transactions.
- Is There Authority to Modify Transaction Fees? Excessively high transaction fees can prevent tokens from being traded normally.
- Does the Contract Have a Blacklist/Whitelist Mechanism? Malicious developers may use this to blacklist user addresses, preventing them from selling tokens, or whitelist their own addresses to offload tokens while others are unable to trade.
4. Stay Skeptical and Always Verify
All of the above methods hinge on maintaining a healthy degree of skepticism and using multiple verification tools. Given that different risk detection tools vary in their methods, focus areas, and supported blockchain networks, and considering that malicious developers can remain undetected for varying lengths of time, users should consult multiple tools before trading. Here are some commonly used risk detection tools:
- Honeypot: https://honeypot.is/
- Token Sniffer: https://tokensniffer.com/
- OKX: https://www.okx.com/zh-hans/web3/dex-market
- GoPlus: https://gopluslabs.io/token-security
- De.Fi: https://de.fi/scanner
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.
