Investors in a new cryptocurrency called $ YEAR have been the subject of a honeypot scam, as tweeted by @ cat5749. Essentially, a token maker was using a website called EtherWrapped which connected to a Metamask wallet. The individual or group of individuals awarded token rewards of $ YEAR to users based on their ETH transactions during the previous year.
Everything on Ethereum is handled via smart contracts which run on the Ethereum Virtual Machine. Smart contracts can be freely viewed using Etherscan. To create a new token, an entity must create a new smart contract in a decentralized application language called Solidity and deploy it to the Ethereum Virtual Machine. Initially, when the contract is uploaded, it is an “unverified” contract.
In the case of this scam, the smart contract was verified when members of the Ethereum community requested verification. By verification, the contract became public. This means that the smart contract code was open for review.
Hidden in plain sight
A newer exploit is for malicious entities to create seemingly benign smart contracts, with traps hidden in plain sight. These are impervious to code inspections, as there are often no obvious signs that the smart contract owner wishes to engage in malicious activity. In the case of the $YEAR token and smart contract, a Twitter user named @cat5749 and others examined that smart contract for apparent traps in the code. They couldn’t find anything that looked suspicious. They came across a function called “_burnMechanism” which would fail if contact was attempted with the contract owner. This didn’t raise any obvious red flags, but would prove instrumental in diagnosing how the attack happened.
Revoke ownership to crash a new part
The owner revoked ownership of the contract and made its new owner the decentralized exchange, UniSwap V2. This meant that only purchases could be made from UniSwap V2, but nothing could be sold to UniSwap V2. The owner of the smart contract would then become the sole seller, leading to an increase in the price of the $ YEAR token. As users saw the price increase, FOMO made them want to buy.
When a new token is created, the creator must develop a way for users to buy and sell the token. This sometimes means that the creator will place a valuable token such as ETH and their new token in a trading pool. Buyers of the new token will need to supply the valuable token to get the new token. What can happen is that the creator can pull out his original valuable token plus the new token. Due to the way automated market makers work, this will remove more of the valuable token than the worthless token.
The creator then withdrew cash from UniSwap V2, including over 30 ETH, and crashed the new token, leaving investors very unhappy.
