Scamming in Ethereum is easy

How to avoid falling for simple Ethereum scams

Oldest trick in the book

Intro

Ethereum is in the earliest stages of usability at the moment. Transaction costs are high, the network is subject to DDOS by kitty cats, and most tools have abysmal UIs. One of the biggest risks to the future of the protocol however, is the ease of pulling off scams.

One of the great selling points of cryptocurrency is the ability to send money or participate in provably enforceable contracts without centralized middlemen. In order to achieve this, transactions must be permanent and non-reversible. Once you send money to a person, even if it was a mistake, you cannot get it back. There is no credit card company to do a chargeback on, no 1-800 number to call and complain to.

There are a million easy ways for bad actors to perform scams, but I’m going to focus on a specific type of scam in Ethereum.

The Setup

When you interact with a Smart Contract in Ethereum, you are calling a function contained inside of that contract, and optionally sending money to that function. (if it is “payable”).

Generally, the way you will do this is by visiting a website called a dApp(distributed app), which is also built by the contract developers. You use this website, and something like Metamask to interact with the smart contract deployed on the blockchain.

Screenshot from eth.rip : a dApp for burning ETH while writing a message to the blockchain

Blindly signing transactions which a dApp presents you with is an easy way to lose a lot of money. Not only can copycat or phishing websites be easily setup, but “legitimate Ethereum companies” can also just be a fancy marketing site with the intention to steal funds.

Simple Scam

As you can see in the above screenshot, when interacting with a dApp, Metamask will show you a few transaction details and ask you to ok them by submitting. A few things you should do every time you submit a transaction is to triple check the amount and the destination account. One of the easiest tricks in the book is to tell a person they are sending money to the real™ CryptoGiraffes website, and then just simply change the destination address to be their own personal scam account. You should check this every time you sign a transaction, never blindly sign transactions, ever.

Scam 2: Github links don’t prove anything

A more involved, but still extremely easy way to scam a person is to post links to Github claiming that the source code at the contract address is the same which is in this open source repo. Do not simply trust a code snippet or github repo as being proof that the given code is deployed at the actual contract address.

I’ve seen people fail to check the actual smart contract’s code a countless number of times when vetting or auditing a companies smart contract code. There is absolutely no guarantee that the code posted to Github is the actual code deployed onto the blockchain.

Luckily, there is a way to verify what code is actually deployed.

How code verification on Etherscan works

When smart contract code is deployed to the blockchain, the developers compile the high level, human readable language (Solidity, Vyper etc) to EVM (Ethereum Virtual Machine) code. This makes it extremely hard for a person to decipher what is actually going on.

EVM instructions: Good luck auditing my smart contract

However, there is still a way for the developer to prove that the Solidity source code they post actually is deployed at the given Ethereum address. Quite simply, the developer provides the code they are claiming produced the given EVM code, and you can verify this by actually compiling the source code, and making sure it produces the same EVM code which was deployed. Etherscan makes this easy for developers to do, and for consumers to verify. (Bonus points if you are extra paranoid to compile it yourself on your own machine)

Etherescan’s interface for showing “Exact Match” for the uploaded code.

When you are interacting with Ethereum smart contracts, demand that developers provide the actual source code and make sure the source code provided matches the deployed EVM code. This is extremely easy for developers to do, and there is no excuse against doing it.

Why this may not be enough

So, we now know to make sure we are verifying the amount, destination address, AND the actual source code at the destination before signing transactions to the blockchain. However, this is not quite enough to be fully sure you know what is going to happen.

In the above example of my site http://eth.rip, I have only one payable function which can be called, namely “burn()”. However, if I wanted to be cheeky, I could easily add another payable function to the smart contract called “stealYourMoney()” which takes the money you send in, and instead of locking it up permanently (burning it), I allow myself to withdraw it.

If you are crafting your own transactions with a client such as Geth, you can make sure you are calling the correct function. However 99% of consumers of Ethereum use something like Metamask in their browser. Right now Metamask has a critical flaw in how it informs users about their transaction details.

100 bytes of scam city

Metamask only tells you how many bytes the transaction is! It doesn’t tell you whether you are calling “burn()” or “thanksForYourMoneyIdiot()”. This doesn’t seem like a huge issue in the case where there is an obviously scammy function in a short contract. But imagine a smart contract with thousands of lines of code, and subtly hidden in them is a nefarious function. Knowing that you are not calling this is critical, and yet at the moment there is no way for the user to verify which function they are calling with Metamask.

Metamask needs to get this done ASAP

Luckily Metamask has an open issue which looks like they are trying to resolve this issue: https://github.com/MetaMask/metamask-extension/issues/2847

I know that Metamask is a new product, but it is quite striking how many transactions have been blindly sent off without verifying even which function is being called. The entire point of blockchains is allow us to build trustless systems, and to root out single points of failure such as centralized services and middlemen.

Although I’ve pointed out many issues we currently have in the blockchain world, I’m optimistic about the future we are building, so much so that I’m all in. To achieve this decentralized future, we need to make sure that we are skeptical and always questioning. When organizations tell us “Trust us”, we have the right to say “Code or GTFO”.

Go burn some ETH (On Ropsten Test Net at the moment)

As referenced in this article, I built a dApp where you can provably burn your ETH while attaching an immortal message. This is a great example of a claim that needs to set off people’s BS meter! Go check it out yourself, and verify the code actually does what I say it does:

http://www.eth.rip