Airdrops Deployed to Scam Unsuspecting Users

Scammers carried out a honeypot scam using $YEAR token airdrops in a relatively easy to execute scam.

Honeypot Scam

Buyer of the token $YEAR learned a painful lesson after what they mistook as a money making opportunity turns out to be a rugpull. $YEAR token that was airdropped to users based on their Ethereum transactions throughout the previous year turns out to be part of a honeypot scam.cdn.embedly.com/widgets/media.html?type=text%2Fhtml&key=96f1f04c5f4143bcb0f2e68c87d65feb&schema=twitter&url=https%3A//twitter.com/cat5749/status/1476813266462539779&image=https%3A//abs.twimg.com/errors/logo46x38.png

The scam was carried out in less than six hours through a website called EtherWrapped that connects to a MetaMask wallet. Eligible Ethereum users will receive $YEAR tokens from the project by 0230 UTC. This airdrop was promoted through a now deleted Twitter account of the fake project.  

Source: The fake EtherWrapped project ‘rewards’ eligible Ethereum users for their on-chain activities with $YEAR tokens

This scam caught its unsuspecting victims because of the hype surrounding airdrops. It came after two legitimate airdrops, OpenDAO ($SOS) and GasDAO ($GAS) were successfully launched. 

How the Scam Works

Source: A honeypot scam works with the scammer placing a bait to lure unsuspecting victims

In a nutshell, a honeypot scam works in the following order: –

1. The attacker deploys a seemingly vulnerable contract and places a bait in the form of funds.

2. The victim attempts to exploit the flaw by placing the required amount of funds but is unable to exploit the contract.

3. The attacker withdraws the bait and the funds deposited by the victim that tried to exploit the contract.

In the case of the $YEAR token, the creator of the contract called the ‘revokeOwnership’ function and made the decentralized exchange Uniswap V2 its new owner. This effectively locked everyone out and the contract evolved into a ‘honeypot’ where it is only possible to make purchases but no sales. This resulted in the token’s price skyrocketing creating more panic buys. 

Source: This site will simulate a buy and sell transaction to determine if a token is a honeypot

Approximately more than 30 $ETHs were drained out in several transactions. In this case, the attacker hides their exploits in plain sight by masquerading as what looks like a novice coding mistake.  

Caution First

In this space, scams will only get more elaborate over time. Therefore, post mortems of malicious operations must be publicly disseminated. It is no longer the case that the early bird gets the worm. A few precautions can be exercised to avoid falling victim such as: –

1. Every project must disclose their team members.

2. The team members must have good credentials. 

3. Smart contract audits are no longer a luxury, it is necessary. 

4. Unknown projects without proper disclosure of its backers must be avoided at all costs.

5. Responsible projects respond to inquiries and criticism 

The crypto market is littered with opportunities. It is alright to miss out on an opportunity rather than to be scammed. Risk management is key. 

Source: BSC News

Leave a Reply

Your email address will not be published. Required fields are marked *