Hash ( SHA1 ) of this article: 14f211363c25423b3eb2472ade8865dc95a14513
Code: PandaLY Anti-Fraud Guide No.001
I believe that friends who follow us at Lianyuan Technology must have a certain understanding of DeFi. Indeed, in some cases, participating in the staking of DeFi platforms, especially the common USDT staking, can indeed bring lucrative returns. However, along with opportunities come various scams. Many criminals take advantage of investors lack of understanding of blockchain technology and project details to design a series of traps. A common method is to attract you to pledge investment on unknown DeFi platforms under the banner of higher yield than xxx platform, and these platforms often use the return rate far exceeding that of traditional DeFi platforms or exchanges as bait. When they have defrauded enough funds, they will run away with the money, leaving investors with nothing.
In order to help everyone avoid such scams, today we will combine a typical DeFi scam case that occurred recently to deeply analyze the routines and operating methods. At the same time, we will also provide you with some practical prevention tips to help you better identify potential risks and protect your assets when participating in DeFi projects.
What is DeFi staking?
DeFi staking is a common method in the field of decentralized finance (DeFi), where users can lock their crypto assets in smart contracts, participate in network operation and maintenance or provide liquidity, and receive corresponding returns. This process is similar to a bank time deposit, where users temporarily lock their assets in exchange for interest or other rewards.
DeFi staking usually takes the following forms:
Proof of Stake (PoS): In some blockchain networks based on the PoS mechanism, users can stake a certain amount of cryptocurrency to participate in block verification and network maintenance. The more the amount staked, the greater the chance of obtaining verification, and users can also obtain a certain proportion of block rewards.
Liquidity mining: Users deposit their crypto assets into decentralized exchanges or liquidity pools to provide liquidity and facilitate smooth transactions. In return, users can receive a certain percentage of the handling fee income or the platforms native token rewards.
Lending and pledging: Users can pledge crypto assets to decentralized lending platforms, use them as collateral to borrow another asset, and earn interest on the pledge. In this process, users pledged assets will still generate income, but they can use the borrowed funds for other operations.
At present, liquidity mining is the most common DeFi project, so today we will mainly talk about liquidity mining.
Liquidity Mining Scam
Recently, we encountered an enthusiastic user who reported a DeFi website called ve.finance to us. The original words of the reporting user are as follows:
I am a victim of the ve.finance scam. The contract address of VE is
https://etherscan.io/address/0xdaef06a5fbf22cc67e521f937ab2a8e687558d74#code and has been successfully marked as a scam. But I discovered that they have opened a new website:
https://ethnano.com/,the contract address is:
https://etherscan.io/address/0xb53653f74c9ba313f764e7404bfeffab3500d25c.
Their website design, the API used, and the CODE of the contract are all exactly the same. I still havent seen any scam tags. I hope this will reduce the number of victims joining the scam.
To put it simply, users encountered a fraudulent website under the name of discounted pledge. This website did not conduct phishing through various authorizations, but instead tripped up users through the smart contracts used in pledge. In addition, the webpage frequently changed the domain name, so that victims might not be able to find the previous website after being deceived.
When we open the page according to the URL given by the user, MetaMask directly blocks us from opening the website and pops up a warning that the website is a high-risk website, but who are we? We are the ruthless people who ignore the risks and continue to install. Click to continue to visit the website, and we come to the pledge scam website interface shown in the figure below.
We clicked on the first smart contract address reported by the user, 0xdaef06a5fbf22cc67e521f937ab2a8e687558d74
After analysis, we found that this nasty scammer set the super users account address in the smart contract. And set a function:
function adminSendEth(address payable destination, uint amount) public onlyAdmin {
destination.transfer(amount);
}
What does this function mean? First of all, the function name is adminSendEth, which means that only I, the super user, can send this function. Then we turn our attention to onlyAdmin, which means that only I, the super user, can call this function.
So what does this function mean? It is very simple, it directly transfers the balance amount I specify to the account address address I specify.
After users pledge their money through this smart contract, scammers can directly transfer the money pledged at the smart contract address. When users check the smart contract and find that there is no money in the smart contract account, they realize that they have been cheated.
Then we click on another contract provided by this enthusiastic user: 0xb53653f74c9ba313f764e7404bfeffab3500d25c
The difference between this contract and the previous one is that it contains a function named Exchange. The specific implementation code of the function is as follows:
function Exchange(address user) external onlyOwner {
require(!_blacklisted[user],User is already blacklisted.);
_blacklisted [user] = true;
emit Blacklisted (user);
}
The name of this function is conversion, and the content implemented in it is also very simple. As long as you are not in my blacklist, I will put you in the blacklist. If you are in the blacklist, oh~ then you just stay there~
So once you stake in this contract, this function will be called automatically and you will be thrown into a small dark room, and you won’t be able to get a penny out.
Scam Prevention
So how to prevent DeFi staking scams?
1. Review project official website
The first step is to make sure the website we are visiting is legal and safe:
SSL certificate: Remember that any legitimate website should have an SSL certificate and make sure the website starts with https. SSL certificates can encrypt communications between users and websites to prevent information leaks and phishing attacks. If you see a DeFi staking platform without an SSL certificate or starting with http, leave immediately to avoid risks.
Team transparency: A credible project must have an open and transparent team background. We can find information about the project team on various social media, such as Twitter, to ensure that they have public social media and can trace the projects they have participated in in the past.
Website: If the project team is reliable, we can look for the relevant website of their pledge on their official social media. Remember, do not click on the website that is not officially endorsed, as it may be a counterfeit phishing website.
Unreasonable promises: When a staking project promises “high returns” or “zero risk”, it is most likely a scam and we need to be vigilant.
Exchanges: Binance, EURUSD and other leading exchanges all have their own corresponding pledge investment products. We don’t have to go to some unknown small platforms. Although the returns may not be that considerable, the security is definitely guaranteed.
2. Check the Smart Contract
I believe that after reading the above cases, we will find that smart contracts are the core of staking projects, and any malicious code will cause funds to be unable to be retrieved. Therefore, it is important to carefully review:
Contract audit: Use a blockchain browser (such as Etherscan) to check whether the projects smart contract has been audited by a third party. We can check whether the project contract has been audited by an authoritative auditing agency (such as CertiK, OpenZeppelin). The audit report will reveal whether there are security vulnerabilities and potential risks in the contract.
Code details: If you have a certain level of coding skills, please be sure to review whether there are backdoors (blacklist, whitelist, etc.) in the contract code, as well as terms such as lock-up period and withdrawal restrictions to ensure the security of funds. Of course, if you don’t understand the code, you can copy the code to GPT or other AI and ask them, and they will give you the correct answer.
Be careful with authorization: When you interact with a staking project, the smart contract will ask you to authorize access to your wallet. Be careful with unlimited authorization. If you grant unlimited permissions, malicious contracts may transfer your funds at any time.
3. Community Verification
Joining the project’s community is also an important way to verify the authenticity and popularity of the project, because it is likely that the Twitter account’s followers are fake:
Social discussion: You can join official communities such as Telegram and Discord to check out the chat history and atmosphere of the community and understand the reputation of the project. If everyone in a community is bragging or showing off their own profits, it is likely to be a scam project. Members of a good community communicate very objectively.
Be wary of private promotion: If a project is only promoted in private groups or is not open and transparent, there may be risks. Be sure to pay attention to projects where teachers make money and one-on-one projects. Projects that only rely on word of mouth to attract people are definitely not good projects.
IV. Liquidity and transparency
Next is the advanced part. Generally speaking, the liquidity and transparency of the project pool are key indicators for evaluating the security of the project:
Liquidity pool lock: Liquidity pool provides the basic fund pool for projects to trade. You can check whether the liquidity pool of the pledged project has been locked through the blockchain browser. Liquidity lock means that the project party cannot withdraw or transfer funds at will to prevent malicious running away. If the liquidity pool is not locked, the project party may withdraw funds at any time, resulting in the situation where users cannot withdraw pledged assets.
Sufficient liquidity: The larger the liquidity pool, the smaller the slippage (price difference) when users trade assets, and the easier it is to withdraw funds. Check the depth and adequacy of the liquidity pool to ensure that there is enough funds in the pool to meet users staking and withdrawal needs. Projects with insufficient liquidity may result in the inability to withdraw funds smoothly.
On-chain transparency: The transparency of a projects funds is an important factor in determining its credibility. You can use blockchain browsers (such as Etherscan, BscScan, etc.) to track the flow of project funds and check whether funds are withdrawn on a large scale or concentrated in a few addresses. In addition, you can set up a monitoring wallet to automatically track the flow of key project funds and receive timely reminders. This measure can help you detect any suspicious fund operations in advance and avoid becoming a victim of a scam.
Conclusion
In general, although DeFi staking projects seem to be full of opportunities, the risks cannot be ignored. In particular, many novice friends may be attracted by high returns and ignore the security of the project itself. We have seen too many similar scams, from fake websites, malicious smart contracts to community order-swiping, with various means. Therefore, everyone must do their homework when staking, from reviewing the projects official website, checking smart contracts, observing community activity, to analyzing capital liquidity, each step is very important.
The blockchain world is decentralized. Because of this, the security of personal funds depends more on ones own judgment and prudence. Dont be blinded by the so-called high returns. Projects that often promise zero risk and guaranteed returns often have hidden risks behind them. Security is always more important than high returns. This is the most important thing we should remember in DeFi staking.
Through todays sharing, we hope to make everyone more rational and cautious in the future staking process. Whether you are a novice to DeFi or an experienced veteran, pay more attention to the transparency and security of the project to avoid falling into the trap of scams due to negligence. If you have any questions or concerns, you can always leave a message to discuss. We are very happy to help you better protect your assets! After all, in this decentralized world, learning together and helping each other is the most secure investment strategy!
Lianyuan Technology is a company focused on blockchain security. Our core work includes blockchain security research, on-chain data analysis, and asset and contract vulnerability rescue. We have successfully recovered many stolen digital assets for individuals and institutions. At the same time, we are committed to providing project security analysis reports, on-chain traceability, and technical consulting/support services to industry organizations.
Thank you for your reading. We will continue to focus on and share blockchain security content.