ethereum / ethereum-org-website

Ethereum.org is a primary online resource for the Ethereum community.
https://ethereum.org/
MIT License

Suggest a tutorial: Some tricks used by scam tokens and how to detect them #10117

Closed qbzzt closed 1 year ago

qbzzt commented 1 year ago

Tutorial title

Some tricks used by scam tokens and how to detect them

Tutorial description

In this tutorial we dissect a scam token to see some of the tricks that scammers play and how they implement them. By the end of the tutorial the reader will have a more comprehensive view of ERC-20 token contracts, their capabilities, and why skepticism is necessary.

Tutorial tags

scam solidity erc-20

Skill level

Intermediate

Hosted on ethereum.org or hosted elsewhere?

Hosted on ethereum.org

For tutorials to be hosted on Ethereum.org: Tutorial Content

  1. Scam tokens - what are they, why do people do them, and how to avoid them.
     1.1. How do I know wARB is a scam? Why is the source code available?
  2. Comparison to legitimate ERC-20 tokens (with link here).
     2.1. Lack of proxy (not dispositive, just missing common practice)
     2.2. Constants for privileged addresses
     2.3. Splitting the mint and the mount function
     2.4. The fake _transfer function
     2.5. The real _f_ function
     2.6. The fake events function dropNewTokens
     2.7. Why both auth and approver? Why the mod that does nothing?
     2.8. The burning Approve function.
  3. What can we detect automatically?
     3.1. Weird transfers
     3.2. Events that don't make sense together
  4. Conclusions
     4.1. Always get the token address from a trusted source
     4.2. Code quality and readability matter

For tutorials hosted elsewhere: URL to tutorial

No response

Would you like to work on this issue?

qbzzt commented 1 year ago

This article would link to https://github.com/ethereum/ethereum-org-website/pull/10115, which explains it at the end user level.

qbzzt commented 1 year ago

@konopkja : I am unsure if tutorials is a good place for this or if this is a good idea in general, would like others to give their opinion. @minimalsm @wackerow @corwintines

qbzzt: I've written multiple tutorials that were annotated source code (https://ethereum.org/en/developers/tutorials/uniswap-v2-annotated-code/, https://ethereum.org/en/developers/tutorials/optimism-std-bridge-annotated-code/) and were very well received, so I think annotated source code is a good way to provide training for medium-skilled level people (they know how to write Solidity, but not what to write and why).

You can argue that teaching people how to scam is a bad idea, but scammers already know these techniques. They are especially motivated to learn them. The people this article will reach are likely to be those that need to write code that deals with potential scams.

konopkja commented 1 year ago

Good point; if this is written in the style of prevention, I am on board with the idea.

qbzzt commented 1 year ago

So "some tricks that scammers use and how we can detect them"? That would be a good article to write. I updated the proposal.

wackerow commented 1 year ago

In support of this... The existing in-depth contract write-ups you've written have indeed been well-received... @qbzzt I think the outline you provided sounds like a great direction to go, and you should use your judgement. I don't doubt you will, but just encouraging use of language that is strictly educational and for the safety of users with this topic. Obviously by no means are we trying to teach scammers, but instead arm users with the tools and knowledge to stay safe. Look forward to reading it!

konopkja commented 1 year ago

@corwintines @minimalsm pls give your perspective as well

qbzzt commented 1 year ago

Can you tell me if this is approved and I can start working on it?

qbzzt commented 1 year ago

@corwintines @minimalsm, should I start working on this tutorial?

corwintines commented 1 year ago

I am on board for this as well.

wackerow commented 1 year ago

Hey @qbzzt! Sorry for delays on response, but would certainly appreciate this tutorial (keeping mindful of the tone we set as noted in my comment above). Personally really enjoyed the beginner guide you published, and think this would make a great follow up. Will support you working on this at your leisure! 🙏

qbzzt commented 1 year ago

Sorry for the delay. I'll work on this, but right now I need to change a whole bunch of tests that have :yul to use the correct fork so they won't compile with PUSH0 for a fork that predates it.

qbzzt commented 1 year ago

It looks like the detection tricks I thought I came up with don't work :-( . They'd work if certain functions of the scam token were called, but looking at the actual events, it looks like they haven't been.

I'll try to figure out a different way to achieve detection.

qbzzt commented 1 year ago

PR merged into dev, I think this issue has done its job.