Saved in:
Bibliographic Details
Main Authors: Huynh, Phuong Duy, De Silva, Thisal, Dau, Son Hoang, Li, Xiaodong, Gondal, Iqbal, Viterbo, Emanuele
Format: Preprint
Published: 2023
Subjects:
Online Access:https://arxiv.org/abs/2309.04700
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917872814522368
author Huynh, Phuong Duy
De Silva, Thisal
Dau, Son Hoang
Li, Xiaodong
Gondal, Iqbal
Viterbo, Emanuele
author_facet Huynh, Phuong Duy
De Silva, Thisal
Dau, Son Hoang
Li, Xiaodong
Gondal, Iqbal
Viterbo, Emanuele
contents We investigate in this work a recently emerged type of scam ERC-20 token called Trapdoor, which has cost investors billions of US dollars on Uniswap, the largest decentralised exchange on Ethereum, from 2020 to 2023. In essence, Trapdoor tokens allow users to buy but preventing them from selling by embedding logical bugs and/or owner-only features in their smart contracts. By manually inspecting a number of Trapdoor samples, we established the first systematic classification of Trapdoor tokens and a comprehensive list of techniques that scammers used to embed and conceal malicious codes, accompanied by a detailed analysis of representative scam contracts. In particular, we developed TrapdoorAnalyser, a fine-grained detection tool that generates and crosschecks the error-log of a buy-and-sell test and the list of embedded Trapdoor indicators from a contract-semantic check to reliably identify a Trapdoor token. TrapdoorAnalyser not only outperforms the state-of-the-art commercial tool GoPlus in accuracy, but also provides traces of malicious code with a full explanation, which most of the existing tools lack. Using TrapdoorAnalyser, we constructed the very first dataset of about 30,000 Trapdoor and non-Trapdoor tokens on UniswapV2, which allows us to train several machine learning algorithms that can detect with very high accuracy even Trapdoor tokens with no available Solidity source codes.
format Preprint
id arxiv_https___arxiv_org_abs_2309_04700
institution arXiv
publishDate 2023
record_format arxiv
spellingShingle From Programming Bugs to Multimillion-Dollar Scams: An Analysis of Trapdoor Tokens on Uniswap
Huynh, Phuong Duy
De Silva, Thisal
Dau, Son Hoang
Li, Xiaodong
Gondal, Iqbal
Viterbo, Emanuele
Cryptography and Security
We investigate in this work a recently emerged type of scam ERC-20 token called Trapdoor, which has cost investors billions of US dollars on Uniswap, the largest decentralised exchange on Ethereum, from 2020 to 2023. In essence, Trapdoor tokens allow users to buy but preventing them from selling by embedding logical bugs and/or owner-only features in their smart contracts. By manually inspecting a number of Trapdoor samples, we established the first systematic classification of Trapdoor tokens and a comprehensive list of techniques that scammers used to embed and conceal malicious codes, accompanied by a detailed analysis of representative scam contracts. In particular, we developed TrapdoorAnalyser, a fine-grained detection tool that generates and crosschecks the error-log of a buy-and-sell test and the list of embedded Trapdoor indicators from a contract-semantic check to reliably identify a Trapdoor token. TrapdoorAnalyser not only outperforms the state-of-the-art commercial tool GoPlus in accuracy, but also provides traces of malicious code with a full explanation, which most of the existing tools lack. Using TrapdoorAnalyser, we constructed the very first dataset of about 30,000 Trapdoor and non-Trapdoor tokens on UniswapV2, which allows us to train several machine learning algorithms that can detect with very high accuracy even Trapdoor tokens with no available Solidity source codes.
title From Programming Bugs to Multimillion-Dollar Scams: An Analysis of Trapdoor Tokens on Uniswap
topic Cryptography and Security
url https://arxiv.org/abs/2309.04700