Malicious Smart Contracts: A Scam by Any Other Name….
In the mid 1990s, I received a heartfelt e-mail from Nigeria. It was from an emissary for a prince in dire need of assistance recovering a small fortune. For my assistance, of course, I would be compensated handsomely. I recognized the scam immediately, but it was the first time I’d seen an electronic version.
I responded with outrageous requests, we went back and forth a few times, and then he realized I was stringing him along. My ancestry was insulted in an impressively creative manner, and that was that. It was my introduction to “phishing,” and it left me somewhere between amused and disappointed by humanity.
Times have gotten worse. The “Nigerian Prince” scam isn’t new; a “snail-mail” version of it has been around since at least the Spanish-American War in the late 19th century, and it still rakes in hundreds of thousands of dollars a year. Most scams, either analog or digital, involve preying on human psychology as much as any tech.
Malicious smart contracts, however, are equally predatory, and rely as much on obfuscation as on psychology. One or two clicks and a few keystrokes can lead you into something that looks and feels right but isn’t. And before you know what’s occurred, your money is gone.
“You really have to be careful today,” says MacguyverTech CEO Steve (Mac) McKeon. “Aside from outright scams, there are people who forge an entire existence out of figuring out how to get into your digital wallet and drain it. It’s unfortunate, but you really can’t trust anyone. The anonymity of a digital existence seems to remove good conscience and fear of repercussions.”
Plenty of smart contracts are vulnerable because they were poorly designed, but those aren’t intentionally malicious; their authors usually lose alongside everyone else when the flaw is exploited. A malicious smart contract is different: the weakness is built in on purpose, typically as a privileged function or a hidden condition that only the deployer can trigger, and it is eventually exploited by (surprise!) the person who wrote the contract.
“Again, it’s a matter of being careful,” McKeon continued. “Crypto exchanges are being spoofed now, and people are receiving e-mails from what they think are familiar exchanges, but aren’t. They’re asked to move funds, and once they do, the funds are gone in an instant. The Squid Coin is another example — there was nothing in the smart contract to stop the developers from draining the liquidity pool and running off with millions of dollars, and that’s exactly what they did.”
Some of the examples are a bit more obvious; the Squid Coin had signs of being a scam from the beginning. “Keep an eye out for rampant misspellings, not only on the website and whitepaper, but also in code,” said McKeon. “Some of the scammers are highly sophisticated, but some of them are still relying on people to not do their due diligence.”
Regarding the more sophisticated scams: “Make sure you thoroughly examine anything involving your wallet,” he said. “Smart contracts aren’t going to wave their hand in the air and say, ‘Hi! I’m malicious! I’m promising easy money as a crypto bot, but if you enter into an agreement with me, and fund me with crypto, I’m going to disappear instantly!’ They’re going to look perfectly normal unless you examine their code.”
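Here is what “examining their code” turns up in practice. The contract below is an added Solidity example written for this article; it is not code from MacguyverTech, from the Squid token, or from any real project. It is a constructed, minimal ERC-20-style token in which the deployer kept three exits of the kind described above (a settable sell tax with no real cap, a hidden freeze list, and an unlimited mint), each behind a harmless-sounding function name. The contract name, function names, and RED FLAG comments are illustrative assumptions, not identifiers from any deployed token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed illustration (not code from the article or any real token):
/// a minimal ERC-20-style token whose author kept a hidden exit. Everything
/// that is not part of a plain transfer path is marked RED FLAG.
contract HoneypotToken {
    string public constant name = "Totally Legit Bot Token";
    string public constant symbol = "TLBT";
    uint8 public constant decimals = 18;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    address private immutable _deployer;      // RED FLAG: privileged address, never renounced
    mapping(address => bool) private _frozen; // RED FLAG: hidden, non-public blocklist
    uint256 private _sellTaxBps;              // RED FLAG: fee the deployer can change after launch

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 supply) {
        _deployer = msg.sender;
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    // Innocuous name; nothing says "fee up to 100%". RED FLAG: the only bound
    // is 10_000 bps, so once liquidity is in, every sale can be confiscated.
    function updateParams(uint256 sellTaxBps) external {
        require(msg.sender == _deployer, "nope");
        require(sellTaxBps <= 10_000, "bps");
        _sellTaxBps = sellTaxBps;
    }

    // RED FLAG: the "_frozen" mapping is never exposed, so a holder cannot
    // tell they have been blocked until their sell reverts.
    function rebalance(address who, bool flag) external {
        require(msg.sender == _deployer, "nope");
        _frozen[who] = flag;
    }

    // RED FLAG: unlimited mint to a privileged address. An honest token has
    // no mint at all, or a hard cap that is visible in the code.
    function syncLiquidity(uint256 amount) external {
        require(msg.sender == _deployer, "nope");
        totalSupply += amount;
        balanceOf[_deployer] += amount;
        emit Transfer(address(0), _deployer, amount);
    }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _transfer(msg.sender, to, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "allowance");
        allowance[from][msg.sender] = allowed - value;
        _transfer(from, to, value);
        return true;
    }

    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0), "zero");
        require(balanceOf[from] >= value, "balance");
        uint256 fee = 0;
        // RED FLAG: the deployer is exempt from every restriction, so the
        // deployer can always sell while everyone else may be frozen or taxed.
        if (from != _deployer) {
            require(!_frozen[from], "paused");          // honeypot: buys work, sells do not
            fee = (value * _sellTaxBps) / 10_000;       // the tax goes to the deployer, not the pool
        }
        balanceOf[from] -= value;
        balanceOf[to] += value - fee;
        balanceOf[_deployer] += fee;
        emit Transfer(from, to, value - fee);
        if (fee > 0) emit Transfer(from, _deployer, fee);
    }
}
```

None of these functions announces itself; `updateParams`, `rebalance`, and `syncLiquidity` read like housekeeping. The things to check before funding a contract are the ones the example exercises: whether the published source is verified on a block explorer and matches the deployed bytecode, which functions are restricted to a single address and whether that address has actually been renounced, whether any mint exists and what caps it, and whether the transfer path contains a condition that exempts one address while it can block or tax everyone else.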
As we at MacguyverTech like to say, use your head, don’t risk anything you can’t afford to lose, and be careful out there. Malicious smart contracts can drain your digital wallet far, far faster than a faux Nigerian Prince if you’re not careful, and they more than likely won’t be programmed with entertaining jokes about your family tree at the end.