Sniping honeypots on Ethereum

A new tool arrived to spot all the scam tokens.

Paolo Rollo
4 min read · Dec 7, 2021

TL;DR

If you’re reading this post because you want to check if a trending token is a potential honeypot or not you can use the following link.

A little bit of context

As the Ethereum community keeps growing and more newcomers enter the “crypto world”, more and more honeypot tokens are being created to scam people out of their money.

What exactly is a “honeypot token”? As the name suggests, it’s a token that acts as bait (like a honeypot does for a bear) for newcomers, luring them in with the promise of some easy profit: but, as you can imagine, that is never the case.

If you’ve been around long enough you certainly know that this trend did not start in the past few months, but nowadays it has a much bigger resonance because more people are, or can be, susceptible to this kind of scheme: the Squid Game Token scam worked thanks to the huge appeal it had on everyone, since almost everyone with a Netflix subscription had seen the series.

Identifying honeypot tokens

You may ask: “how can I identify a honeypot token?”. Having some tech background is of course the obvious answer, but not everyone has that knowledge. There are, however, some red flags that can help you spot a honeypot token and avoid it.

  1. The token name/ecosystem follows a big trend — this was the case with the Squid Game Token: “everybody is talking about it, everybody has seen the series, we’re gonna make a token and scam the fools”. This is what the creators thought and executed. At least this is what I like to imagine.
  2. You’ve been gifted some — if you’ve ever seen in your wallet some random token (which most of the time mimics the name of a more famous one) sent by an address that keeps minting them to random addresses (or to addresses taken from the latest Uniswap transactions, or wherever), then there’s a pretty high chance that this token is a scam: do not buy it on any exchange.
  3. Smart Contract code is fishy or is not public — this one is for people who know a bit of Solidity (the programming language used to write Ethereum Smart Contracts): if you can’t find any open source code (either on Github or on Etherscan), or the code you do find looks strange in the transfer/approve functions, or it has some weird blacklist/whitelist mechanism that triggers on an obfuscated condition, then you should avoid it.
  4. You can’t sell them — this is the most obvious red flag, but it’s also the worst one: if you try to sell a token that you previously bought and the transaction always fails, then you’ve been scammed.

Sniping honeypot tokens

Even if you should always (and I really mean always) check for those red flags, I understand that in a rush you may ignore the bell ringing in your head for the sake of the money: this is where I would like to come to the rescue.

I’ve developed a web-based open source tool that takes the address of the token you want to buy, instantiates an in-memory blockchain using Ganache (an Ethereum development tool) that forks the current state of the Ethereum Mainnet, buys the token from its Uniswap/Sushiswap pool and tries to sell it back.

By using the most obvious red flag of all, i.e. checking whether the token is sellable or not, we can tell if the address provided is a honeypot ERC20. But keep in mind that this method is not foolproof: an ERC20 can be carefully crafted to become a honeypot at a later moment, so even if the token can currently be bought and sold easily on Uniswap and Sushiswap, that may not be the case in the future.
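As an added illustration (not the author’s tool, which runs against a Ganache fork of mainnet), here is the same buy-then-sell-back check run against an in-memory toy model: the pool math follows Uniswap V2’s getAmountOut, and the token names, addresses and reserve sizes are made up.

```javascript
// Added example, not the author's tool: an in-memory model of a Uniswap V2 style
// pool (x*y=k, 0.3% fee) and two toy ERC20s, one honest and one that silently
// reverts any sell by a non-owner. probeToken() runs the buy-then-sell-back check
// described above. Names, addresses and reserve sizes are constructed.
class Token {
  constructor(owner, trapsSells) { this.owner = owner; this.trapsSells = trapsSells; this.balances = new Map(); }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  mint(to, amount) { this.balances.set(to, this.balanceOf(to) + amount); }
  transfer(from, to, amount, pair) {
    if (this.balanceOf(from) < amount) throw new Error("insufficient balance");
    // Hidden honeypot condition: a non-owner transferring into the pair reverts.
    if (this.trapsSells && to === pair && from !== this.owner) throw new Error("transfer reverted");
    this.balances.set(from, this.balanceOf(from) - amount);
    this.balances.set(to, this.balanceOf(to) + amount);
  }
}
// Uniswap V2 getAmountOut: constant product with the 0.3% fee taken from the input.
function amountOut(amountIn, reserveIn, reserveOut) {
  const inWithFee = amountIn * 997n;
  return (inWithFee * reserveOut) / (reserveIn * 1000n + inWithFee);
}
class Pool {
  constructor(token, address, ethReserve, tokenReserve) {
    Object.assign(this, { token, address, ethReserve, tokenReserve });
    token.mint(address, tokenReserve); // seed the pair's token side
  }
  buy(buyer, ethIn) { // ETH -> token
    const out = amountOut(ethIn, this.ethReserve, this.tokenReserve);
    this.token.transfer(this.address, buyer, out, this.address);
    this.ethReserve += ethIn; this.tokenReserve -= out;
    return out;
  }
  sell(seller, tokensIn) { // token -> ETH; this is the leg a honeypot blocks
    const out = amountOut(tokensIn, this.tokenReserve, this.ethReserve);
    this.token.transfer(seller, this.address, tokensIn, this.address);
    this.tokenReserve += tokensIn; this.ethReserve -= out;
    return out;
  }
}
// Buy with a throwaway account, then try to sell the whole balance back. Also report
// the ETH lost on the round trip: two 0.3% fees plus price impact is normal, a much
// larger loss points at a hidden sell tax and is worth flagging too.
function probeToken(pool, ethIn) {
  const tester = "0xTESTER";
  const got = pool.buy(tester, ethIn);
  let back;
  try { back = pool.sell(tester, got); } catch (e) { return { sellable: false, reason: e.message }; }
  return { sellable: true, roundTripLossPct: Number(((ethIn - back) * 10000n) / ethIn) / 100 };
}
```

Build a pool with `new Pool(new Token(owner, trapsSells), pairAddress, ethReserve, tokenReserve)` and call `probeToken(pool, ethIn)`; with the trap token the buy succeeds and the sell reverts, which is exactly the signal the web tool looks for.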

Soon I’ll be developing a browser extension that will simplify the process for you, so you won’t need to open the website to check a token before buying it; it could even pick up the output token you chose in Uniswap/Sushiswap and search it automatically, raising a notification if the token has been marked as a scam by other users or if it’s not sellable after being bought.

If you want to contribute or if you have any ideas on how we could make this tool better and more efficient, please feel free to contact me or open a PR on Github: let’s snipe ’em all! 🔫

Paolo Rollo

Software Engineer based in Rome. Go, Python and Javascript enthusiast 🚀