Honeypot attacks have increased sixfold in the past week, targeting newcomers to the decentralized world
Author: GoPlus Security
Due to the impact of the FTX incident, a large number of users have recently transferred digital assets from centralized exchanges to decentralized wallets, resulting in a surge in on-chain active users, with the number of DEX users and trading volume reaching a six-month high.
At the same time, Honeypot attackers are also active. As of November 21, 2022, GoPlus Security has detected over 120 new attack methods in the past week, with the number of attacks increasing sixfold. This data indicates that while the number of on-chain users has recently grown, attackers have also become more active. New users entering the decentralized "dark forest" lack awareness of security and knowledge of attack methods in this unfamiliar environment, making them frequent targets for attackers.
GoPlus Security's analysis of new Honeypot attack methods shows that as the contest between attackers and detection engines over token-issuance contracts intensifies, attack methods are becoming more complex and more dynamic. We have outlined several common attack methods:
Obfuscating Code
Attackers reduce code readability by inserting dead logic, obscuring call relationships, and adding needless complexity, which makes analysis by security engines harder.
Counterfeiting Well-Known Contracts
Attacking contracts are disguised as contracts from well-known projects by falsifying contract names and implementation processes, misleading engines and increasing the probability of misjudgment.
Concealed Triggering Methods
Trigger conditions are hidden inside ordinary user trading behaviour and are made deliberately convoluted, often requiring several layers of conditional checks before the risky behaviour fires, such as interrupting a transaction, issuing additional tokens, or transferring assets. This lets the attacker modify the contract's state in real time to steal user assets.
Falsifying Transaction Data
To make transactions appear more authentic, attackers may randomly trigger behaviors such as airdrops or wash trading, which can entice more users and make trading behaviors seem more natural.
Code Example
In this example, the attacker uses various methods to conceal their attack intentions, ultimately achieving two main goals:
Transaction Suspension
The lpTotalSupply value read on line 241 must never decrease; if it does, the require check on line 245 fails and the transaction reverts, which is how the attacker suspends transactions.
_uniswapV2Pair is not necessarily the Uniswap Pair contract; it could also be another contract deployed by the project party that implements the totalSupply method. As long as the return value of this method is less than the value from the last transaction (modified by removeLiquidity or other means), the transaction can be suspended.
Issuing More Before Transferring
If the conditions on line 257 are met, where from is a specific address and amount is greater than totalSupply, it will create an additional balance for from that exceeds totalSupply, achieving the effect of issuing more before transferring.
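The two conditions just described, modelled as an added example so a scanner can exercise them; this is constructed illustration code, not the contract from the screenshot or GoPlus's engine. The contract names, the privileged address and the amounts are assumptions; the checks are the ones a security engine would run against a token: does a sell revert once the pair's totalSupply drops, and can any holder end up with more than totalSupply.

```python
# Constructed model of the described honeypot conditions (not the page's code).

class LpPair:
    """Stand-in for _uniswapV2Pair. It need not be the real Uniswap pair:
    a project-deployed contract can lower totalSupply() whenever it likes."""

    def __init__(self, supply: int) -> None:
        self.supply = supply

    def totalSupply(self) -> int:
        return self.supply


class SuspectToken:
    """Minimal token whose transfer path mirrors the two described conditions."""

    def __init__(self, pair: LpPair, privileged: str, total_supply: int = 1_000_000):
        self.pair, self.privileged, self.total_supply = pair, privileged, total_supply
        self.balances = {privileged: total_supply}
        self.last_lp_supply = pair.totalSupply()

    def transfer(self, src: str, dst: str, amount: int) -> None:
        # Condition 1: lpTotalSupply may never decrease, otherwise the require() fails.
        lp = self.pair.totalSupply()
        if lp < self.last_lp_supply:
            raise RuntimeError("require failed: lpTotalSupply decreased")
        self.last_lp_supply = lp
        # Condition 2: a specific sender moving more than totalSupply is
        # credited with that balance first (issuing more before transferring).
        if src == self.privileged and amount > self.total_supply:
            self.balances[src] = amount
        if self.balances.get(src, 0) < amount:
            raise RuntimeError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def sell_blocked_after_liquidity_drop(pair: LpPair, token: SuspectToken, user: str) -> bool:
    """Scanner check: buy, lower the pair's supply (as removeLiquidity would), then sell."""
    token.transfer(token.privileged, user, 100)
    pair.supply -= 1
    try:
        token.transfer(user, token.privileged, 100)
    except RuntimeError:
        return True
    return False


def balance_exceeds_total_supply(token: SuspectToken, user: str) -> bool:
    """Scanner invariant: no holder may ever own more than totalSupply."""
    token.transfer(token.privileged, user, token.total_supply + 1)
    return max(token.balances.values()) > token.total_supply
```

Both checks return True for this model, while a token whose pair supply never drops lets the sell through and keeps every balance within totalSupply.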
GoPlus Security reminds users that Honeypot attacks are usually set up with preconditions that lead users into the trap, such as wallet airdrops, listing trading data on market websites, spreading false information in communities, and impersonating well-known projects. Market panic, rampant misinformation, and hasty user actions give attackers more opportunities. GoPlus Security will monitor attacker activity in real time and report new attack methods promptly.
GoPlus Security API provides real-time and accurate Honeypot identification. Users can utilize security detection features in products from GoPlus partners, accessing GoPlus's continuously updated security data to mitigate risks.
Decentralized Wallets:
TokenPocket --- Built-in token security detection and authorized contract security detection features.
ONTO Wallet --- Built-in token security detection feature.
HyperPay --- Built-in token security detection feature.
BitKeep --- Built-in token security detection feature.
Plugin Wallets:
Mask Network --- Can query security information for tokens and NFTs, and also has authorized contract security detection features.
Market Software:
AVE --- Can query security information for tokens.
ApeSpace --- Can query security information for tokens.
Browsers:
GoPlusEco --- Can directly input security-related questions to search for solutions.