This time around, ‘Honeypot’ scammers targeted investors of a new altcoin project called EtherWrapped (YEAR). Initially, the scammers gave users YEAR token rewards based on their ETH transactions during the previous year. After that, the situation changed.
How was the ‘honey trap’ created in the altcoin project?
In Ethereum, everything is managed by smart contracts running on the Ethereum Virtual Machine. Etherscan lets you view smart contracts for free. To create a new cryptocurrency, an organization must develop a new smart contract in Solidity, the language for decentralized applications, and deploy it to the Ethereum Virtual Machine. A contract is considered ‘unconfirmed’ when it is first uploaded. When members of the Ethereum community request verification, the smart contract is verified. Once the contract is approved, it is made public, which means that the smart contract code is available for review.
As a recent hack shows, cybercriminals are now able to design seemingly innocent smart contracts with traps hidden in plain sight. These traps can survive code reviews, as there are often no visible signals that the smart contract owner intends to take malicious action. In the case of altcoin project EtherWrapped’s YEAR token and smart contract, a Twitter user named cat5749 and others looked at the code for possible pitfalls. However, they found nothing that looked suspicious. They discovered a function called “_burnMechanism” that would fail when attempting to interact with the contract owner.
This did not trigger obvious red flags, but it was crucial in determining how the attack took place. To crash a new altcoin project, ownership would have to be revoked. The owner of the contract gave up ownership and transferred it to Uniswap V2, a decentralized exchange. This meant that only purchases from Uniswap V2 were allowed, but not sales to Uniswap V2. The smart contract holder would then be the sole seller, causing the price of the YEAR token to rise. FOMO (fear of missing out) made people want to buy when they saw the price increase.
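
The buy/sell asymmetry described above can be reproduced in a small model that a reviewer can use to test how a token behaves for each possible value of its owner variable. This is an added example, not the YEAR contract's code: `ModelToken`, the placeholder addresses and the rule that `_burn_mechanism` rejects transfers whose recipient is the owner are assumptions based on the description above.

```python
# Simplified Python model for reviewers; not the YEAR contract's code.
DEPLOYER, UNISWAP_PAIR, ALICE = "0xDEPLOYER", "0xPAIR", "0xALICE"  # constructed

class Revert(Exception):
    """Stands in for an EVM revert."""

class ModelToken:
    def __init__(self, owner, balances):
        self.owner = owner
        self.balances = dict(balances)

    def _burn_mechanism(self, sender, recipient):
        # Assumption: the hook fails when the recipient is the current owner.
        if recipient == self.owner:
            raise Revert("transfer to owner rejected")

    def transfer(self, sender, recipient, amount):
        self._burn_mechanism(sender, recipient)
        if self.balances.get(sender, 0) < amount:
            raise Revert("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def transfer_ownership(self, caller, new_owner):
        if caller != self.owner:
            raise Revert("caller is not the owner")
        self.owner = new_owner

def can_transfer(token, sender, recipient, amount=1):
    """Dry-run a transfer on a copy so the check leaves the token unchanged."""
    probe = ModelToken(token.owner, token.balances)
    try:
        probe.transfer(sender, recipient, amount)
        return True
    except Revert:
        return False

def sellability_report(token, pair, holder):
    """A buy moves tokens pair -> holder; a sell moves them holder -> pair."""
    return {"buy": can_transfer(token, pair, holder),
            "sell": can_transfer(token, holder, pair)}

def owners_blocking_sells(token, pair, holder, candidates):
    """Owner values under which a holder could no longer sell to the pair."""
    return [o for o in candidates
            if not sellability_report(ModelToken(o, token.balances), pair, holder)["sell"]]

if __name__ == "__main__":
    token = ModelToken(DEPLOYER, {UNISWAP_PAIR: 1000, ALICE: 10})
    print("before:", sellability_report(token, UNISWAP_PAIR, ALICE))
    token.transfer_ownership(DEPLOYER, UNISWAP_PAIR)
    print("after: ", sellability_report(token, UNISWAP_PAIR, ALICE))
```

The model covers only the recipient check, so it shows why a review of the current state finds nothing: the sell path breaks only once the owner variable points at the exchange pair.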