Many users in the Defi space lost a lot of money because they have fallen victim to exploits used within Smart Contracts. Anyone with enough technical knowledge and enough BNB to pay can launch a smart contract project. Unfortunately, many malicious smart contracts are created all the time.
Thankfully, BscScan is an excellent tool to identify many of these scammers. This blog will give examples of both good and malicious contracts.
Good Contract Example
- Go to BscScan
- Input contract address in the search bar, if you are not sure about the contract address, go to https://coinmarketcap.com/ first
- Go to the token page. You can see the trusted contract has all the information about the official site and social profiles
- Then search the contract address on BscScan
Below is an example of the Token page for TWT:
Here is the contact page of TWT below
Click on the “Contract” Tab to view more details
You can see that TWT is verified and the contract has 8 standard functions
Malicious Contract Example
There are a few red flags that are common in scam contracts, and these will be outlined below. Now that we know how to access and look at the contract functions, we can determine which are potentially malicious. There will not be any contract addresses shared in the examples because someone might just buy it anyways.
Red Flags
- No Verification
If a contract is not verified, then there is no way for a third party to prove it’s a good one. It’s likely to be a scam. In the Wine Swap Exit Scam, their contract was never verified.
2. Allow DELEGATECALL
The `delegatecall()` function calls functions from other contracts as if they belong to the caller contract. Thus the callee may change the state of the calling address. The technical details are discussed here. This may be insecure. An example below shows how using `delegatecall()` can lead to the destruction of the contract and loss of `multi.financial` incident.
Another example is some upgradable proxy BEP20 tokens. Token admin can change the logic anytime.
Disclaimer: Some tokens have implemented a proxy pattern to allow future upgrades. It is important to check if the token issuer is a trusted entity.
3. Unbelievable Return
4. Malicious Public Function
In this contract https://bscscan.com/address/0x584527ded17aceb3dc617c40b04e8fe9afc57096#code It will give the Migrator Maximum allowance, which means you can lose all your funds.
5. An overwhelming large max supply, or, one address with an overwhelmingly large percentage of the supply. It’s common to see the address that deployed the contract has most of the supply, which is a large red flag.
6. Social Media accounts are disabled.
Closing Ideas
Overall, investing in Defi on Binance Smart Chain is of high risk. However, knowing the basics of how smart contracts work, and being able to recognize the red flags that signal a potential scam, can help reduce that risk. There is always a risk when trading on the blockchain, so doing enough investigations in smart contracts will prevent more losses, and will likely help your gains in the long run.