
Topic: Can scammers steal money using smart contracts? (Read 341 times)

sr. member
Activity: 924
Merit: 365
December 31, 2021, 02:38:54 PM
#24
To stay safe, don't click on any link sent to you asking you to connect your wallet without verifying the source. If you have to indulge in it, you shouldn't make use of the smart contract that has much of your funds in it. It will be okay to create a new smart contract. If it should be hacked finally, let it be a smart contract that has no funds in it.
Let's all stay safe. No site is to be trusted without verifying it first
legendary
Activity: 3472
Merit: 10611
I wouldn't say it's almost pointless because I'm pretty sure they do help a lot, but then again, no one should be basing their decisions if they should use a smart contract or not based on audits. Just like how having good engineers and architects make a building structure better, but not 100% earthquake proof.
It is pointless in my opinion because of high possibility of corruption. It is the nature of all centralized entities to have corruption and when it comes to a service that can have such a power on a market and values the chance of corruption is high.
Basically it is the same scam called "ICO reviewers" that we had in 2017. They get paid to promote a shittoken as a legitimate project worth investing in to.
legendary
Activity: 2730
Merit: 7065
If you transfer your coins and tokens to a third-party platform, there is very little you can do except hoping and begging that the site is secure enough and won't be exploited. But there is also the possibility of rug pulls and exit scams.

On the other hand, a lot of smart contract exploits happen because it's the users who allow and give permission for a certain type of transaction to happen in their wallet. If a hacker discovers a vulnerability in a particular smart contract, he can target users who own that asset. Send them a fake airdrop, for example, with instructions on how to sell those coins. Once the victim attempts to make a transaction to trade/sell that token, MetaMask pops up asking the user if he wants to approve the transaction. Since many people are in a hurry and don't feel like double-checking what they are doing, many will just approve and broadcast. In reality, you allowed another token to be sent from your wallet, and that's how a smart contract vulnerability can lead to the loss of money if you aren't careful and in a hurry. 
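The approval prompt described in the post above can be checked before signing by decoding the transaction's calldata. This is an added example, not part of the original post: the four selectors are the standard ERC-20/ERC-721 ones, while the addresses, the trusted-spender list and the verdict names are constructed for illustration.

```javascript
// Added example: classify the calldata a wallet asks the user to sign.
// A selector is the first 4 bytes of keccak256(function signature).
const SELECTORS = {
  "095ea7b3": { fn: "approve(address,uint256)", kind: "allowance" },
  "39509351": { fn: "increaseAllowance(address,uint256)", kind: "allowance" },
  "a22cb465": { fn: "setApprovalForAll(address,bool)", kind: "operator" },
  "a9059cbb": { fn: "transfer(address,uint256)", kind: "transfer" },
};
const MAX_UINT256 = (1n << 256n) - 1n;

function reviewCalldata(data, trustedSpenders) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const known = SELECTORS[hex.slice(0, 8)];
  if (!known) return { fn: null, verdict: "unknown" };
  const args = hex.slice(8);
  // Both arguments are 32-byte ABI words: 64 hex characters each.
  if (!/^[0-9a-f]{128}$/.test(args)) return { fn: known.fn, verdict: "malformed" };
  const party = "0x" + args.slice(24, 64);      // address = low 20 bytes of word 1
  const value = BigInt("0x" + args.slice(64));  // amount (or bool) in word 2
  const base = { fn: known.fn, party, value };
  if (known.kind === "transfer") return { ...base, verdict: "transfer" };
  if (value === 0n) return { ...base, verdict: "revocation" };
  // An operator approval covers every token in the collection; an allowance
  // of 2^256 - 1 is the "unlimited" value many sites request.
  const unlimited = known.kind === "operator" || value === MAX_UINT256;
  const trusted = trustedSpenders.map((a) => a.toLowerCase()).includes(party);
  let verdict = "ok";
  if (!trusted) verdict = "reject";            // spender the user never verified
  else if (unlimited) verdict = "broad-grant"; // verified spender, but no spending cap
  return { ...base, unlimited, verdict };
}

// Constructed sample data (not real addresses or transactions).
const ROUTER = "0x" + "11".repeat(20);   // hypothetical spender the user has verified
const UNKNOWN = "0x" + "ee".repeat(20);  // hypothetical spender named by an airdrop site
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const sample = (sel, addr, value) => "0x" + sel + word(addr) + word(value.toString(16));

function demo() {
  const cases = [
    sample("095ea7b3", UNKNOWN, MAX_UINT256), // unlimited approve to unverified spender
    sample("095ea7b3", ROUTER, MAX_UINT256),  // unlimited approve to verified spender
    sample("095ea7b3", ROUTER, 1000n),        // bounded approve to verified spender
    sample("095ea7b3", ROUTER, 0n),           // allowance reset to zero
    sample("a22cb465", UNKNOWN, 1n),          // operator approval for a whole collection
    sample("a9059cbb", UNKNOWN, 5n),          // plain token transfer
    "0xdeadbeef",                             // selector not in the table
  ];
  return cases.map((c) => reviewCalldata(c, [ROUTER]).verdict);
}

console.log(demo());
```

A "reject" or "broad-grant" verdict corresponds to the case the post warns about: the signed call does not sell anything, it lets another address move tokens out of the wallet later.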
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
You might have been disappointed had you invested in Vee Finance, Spartan Protocol, Akropolis, or Saddle Finance. They all were audited by Certik and got hacked later. People lost more than 60 million dollars. For me, it is an instructive example of how it is almost pointless to rely on third-party audits when it comes to DeFi projects and smart contracts. If the hack can happen, it will happen.

https://rekt.news/leaderboard/

I wouldn't say it's almost pointless because I'm pretty sure they do help a lot, but then again, no one should be basing their decisions if they should use a smart contract or not based on audits. Just like how having good engineers and architects make a building structure better, but not 100% earthquake proof.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
You may also lose money in smart contracts if someone exploits the smart contract, not necessarily a scammer.

Take a look here. On Sunday (yesterday) the DeFi Grim lost 30 million USD in a hack attack:

Quote
The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platform’s deposits.

Grim Finance officially announced on Saturday that an “external attacker” had exploited the DeFi platform, stealing “over $30 million” worth of cryptocurrencies.

According to Grim Finance, the hack was an “advanced attack,” with the attacker exploiting the protocol’s vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform was processing the first deposit.


https://cointelegraph.com/news/defi-protocol-grim-finance-lost-30m-in-5x-reentrancy-hack

Smart contracts are dangerous if not properly designed. You may lose money in those projects.
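The reentrancy pattern described in the quoted report, as a simplified model with and without a reentrancy guard. This is an added example, not Grim Finance's code and not part of the original post: the `Vault` class, the balance-difference accounting and the amounts are assumptions chosen to show why nested deposit calls get credited more than was paid in.

```javascript
// Added example: toy model of a vault whose deposit() makes an external call
// (the token transfer) before it finishes its own bookkeeping.
class Vault {
  constructor(guarded) {
    this.guarded = guarded;    // true = reentrancy guard enabled
    this.locked = false;
    this.pool = 0;             // tokens the vault actually holds
    this.credited = new Map(); // depositor -> amount the vault believes was paid in
  }

  // `pull` stands for the external transfer call; the depositor controls what it does.
  deposit(user, pull) {
    if (this.guarded && this.locked) throw new Error("reentrant deposit rejected");
    this.locked = true;
    try {
      const before = this.pool;
      pull(this);                              // external call happens mid-update
      const received = this.pool - before;     // credit whatever arrived meanwhile
      this.credited.set(user, (this.credited.get(user) || 0) + received);
    } finally {
      this.locked = false;
    }
  }
}

// One real transfer of 100 units, wrapped in `reentries` nested deposit calls.
function simulate(guarded, reentries) {
  const vault = new Vault(guarded);
  const makePull = (depth) => (v) => {
    if (depth < reentries) v.deposit("depositor", makePull(depth + 1));
    else v.pool += 100; // the only funds that ever reach the vault
  };
  let rejected = false;
  try {
    vault.deposit("depositor", makePull(0));
  } catch (e) {
    rejected = true; // on-chain this would revert the whole transaction
  }
  return { pool: vault.pool, credited: vault.credited.get("depositor") || 0, rejected };
}

console.log("unguarded, 5 reentries:", simulate(false, 5));
console.log("guarded,   5 reentries:", simulate(true, 5));
console.log("guarded,   plain deposit:", simulate(true, 0));
```

Without the guard, every nested call sees the same single transfer arrive and credits it again; with the guard, the first nested call is refused and an ordinary deposit still works.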
legendary
Activity: 1456
Merit: 1108
Top-tier crypto casino and sportsbook
Scammers are very smart people who have devoted their creativity and time to devising new means and methods of swindling people and taking their hard-earned cash. Have this at the back of your mind and always be cautious, because we never know the new style or method they have devised. If someone tells you a definitive no right now that scammers can't steal your money using smart contracts, the answer may not still be true tomorrow, as a new method may be devised by scammers tomorrow. I hope you understand where I'm coming from; always act with the consciousness that anything is possible with scammers.
legendary
Activity: 2394
Merit: 2223
Signature space for rent
They can do it even if I use hardware wallet like Ledger? For example, I connect Ledger to MetaMask and then execute a scam contract via Ledger. Or I connect Ledger to a scam site directly and do the same thing. That means I give scammers access to all my funds in my wallet and they can steal money without any confirmation of transactions?
It doesn't matter what wallet you have been using; just keep in mind that if you allow your wallet to be accessed from another site and allow it to make transactions, then you have lost it forever if that goes into a scammer's wallet. Those of us who are not very technical can't read the code to see how it works. We don't even know whether it has been deployed in a smart contract or not, to be honest. To prevent that, we must always choose a reputable site to stake, trade, or swap. Most likely those who have technical knowledge about smart contracts and Solidity would know how the site works.
legendary
Activity: 2450
Merit: 4415
🔐BitcoinMessage.Tools🔑
I easily get interested in projects audited by Certik, and so far I haven't been disappointed.
You might have been disappointed had you invested in Vee Finance, Spartan Protocol, Akropolis, or Saddle Finance. They all were audited by Certik and got hacked later. People lost more than 60 million dollars. For me, it is an instructive example of how it is almost pointless to rely on third-party audits when it comes to DeFi projects and smart contracts. If the hack can happen, it will happen.

https://rekt.news/leaderboard/
hero member
Activity: 1008
Merit: 960
Think of a smart contract as basically an executable that you download from a website.

When you run the downloaded executable, Windows will ask for your permission to run it. If you agree to run it, the program now has access to your device, and can cause damage.

Similarly, the website with a smart contract will ask you in your wallet to get access to your coins. If you grant access to it, then that website can access your coins, and that means if there's a bug in the code, a hacker can get your coins.

Be careful, read every thing you accept in your wallet, and make sure you go to the correct websites.
legendary
Activity: 2716
Merit: 1225
Once a man, twice a child!
And if you're extra paranoid, always check the project's social media accounts so you're updated if there's a recent exploit or whatever.
I always do that, and I guess my paranoia is in order too. No matter how someone tries to direct me to a site (of course, trusted sites) I tell them to send me link to the site. I do this to avoid phishers. Any fund transferred to a phishing site is as good as gone. In financial matters precision and patience are key items. I rather wait for the right link than hastily google it myself.

A project being audited by Certik or any other auditing company doesn't make a project hack-proof.
But it surely goes a long way in helping the investor relax and have that sense of security that their money is safe. I easily get interested in projects audited by Certik, and so far I haven't been disappointed.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
If you must invest in a newly created token make sure it is smart contract audited because scammers also use this idea to steal from investors and the purpose of a smart contract audit is to guarantee that a certain smart contract is free from threat and rug pull.

Having auditors is just having someone to check the code for bugs and exploits with a fresh new pair of eyes, but it doesn't guarantee anything. Because if having auditors could guarantee contracts to be totally secure, then we wouldn't have this much DeFi exploits[1] today.

Heck, even centralized exchanges have their own auditors. But yet..


[1] https://cryptosec.info/defi-hacks
hero member
Activity: 2660
Merit: 651
Want top-notch marketing for your project, Hire me
In addition to all the previous explanations.
Yes, scammers can steal from using the smart contract security vulnerabilities and that's why it is good to ensure that you're using the right site.
If you must invest in a newly created token make sure it is smart contract audited because scammers also use this idea to steal from investors and the purpose of a smart contract audit is to guarantee that a certain smart contract is free from threat and rug pull.
member
Activity: 155
Merit: 10
Most crypto scammers use smart contracts for their unforgiving act. The most popular one is creating a fake token of another project just to lure crypto newbies into buying the fake tokens through PancakeSwap or Uniswap.

Another one is creating a fake token and sending the tokens to as many ETH addresses as possible. When the ETH address owners see the token they will want to sell their tokens, and that's when they will lose all their assets, all in the name of trying to sell the free fake token.
legendary
Activity: 1932
Merit: 1273
They can do it even if I use hardware wallet like Ledger? For example, I connect Ledger to MetaMask and then execute a scam contract via Ledger. Or I connect Ledger to a scam site directly and do the same thing. That means I give scammers access to all my funds in my wallet and they can steal money without any confirmation of transactions?
Yes, they can. When you execute a malicious scam contract, beforehand you are approving (signing) the transaction within your hardware wallet. So if the transaction or the contract is malicious in the first place, there is no use in using a hardware wallet.

Another security risk is when you use a hardware wallet but you are using a fake Metamask wallet, it will also risk all of your funds.

sr. member
Activity: 1148
Merit: 346
For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds? If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?

On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?

I use MetaMask as a hot wallet. This app is very popular and many scammers steal money from MetaMask. Sometimes they steal it without seed phrase, trojans, viruses etc. But users say that they sign some contracts and lose their funds.

Many thanks to all your answers, my crypto friends!


It is possible that they can steal your money from your wallet: if you open their sites and give all your information, and especially your wallet, then they have a chance to hack or transfer your money from your wallet to their wallets.
Before you open a non-trusted or unfamiliar site you need to do some research in order to prevent losing your money or getting scammed.
hero member
Activity: 2702
Merit: 716
Nothing lasts forever
For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds? If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?

On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?

I use MetaMask as a hot wallet. This app is very popular and many scammers steal money from MetaMask. Sometimes they steal it without seed phrase, trojans, viruses etc. But users say that they sign some contracts and lose their funds.

Many thanks to all your answers, my crypto friends!


Yes you can lose funds if you visit some site which connects to your wallet. I have seen such scams on Phantom wallet where a scam site asks to connect to your wallet.
If you connect your wallet then you lose all your balance from the wallet. People don't generally verify the site and simply connect the wallet thinking that the site is genuine.
On the backend though, a code is executed which triggers the smart contract to be executed which transfers the funds from the victim's wallet to the scammers address.
legendary
Activity: 3024
Merit: 2148
I don't think that smart contracts are needed for drive-by attacks - when you visit a site and it steals your ETH and tokens from your wallet. A smart contract is basically an address; you need to make a transaction to interact with it, so if an attacker can make a transaction on your behalf, they could just send their coins to a regular address instead of a smart contract.

Smart contracts are used in scams by hiding some sort of backdoor that would allow them to steal the money of anyone who interacts with it. Like how they promise some profits from something like yield farming or staking, but then just steal all the tokens that were sent to them, because no one realized that the devs added some hidden function for that. Or hackers could find a legitimate bug that could lead to this scenario, but I'm more inclined to believe that a lot of the "hacks" are just inside jobs, because it's easier to put a bug in the software than to find one in the wild, and the crypto space is full of scammer "developers".
legendary
Activity: 2268
Merit: 1379
Fully Regulated Crypto Casino
On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?
No matter how good the auditor is, for sure there are plenty of ways to exploit a smart contract, and mentioning Certik doesn't seem reliable since they have some projects that were fully audited and yet had some errors and conflicts with regard to security. What does it imply? It means not all audited ones can be completely safe from vicious scammers who are geniuses at their criminal activities.
hero member
Activity: 1498
Merit: 711
Enjoy 500% bonus + 70 FS
Let me make it brief: scammers can penetrate everywhere, provided first that their own platform exists. I have never seen a wallet that scammers cannot steal money from, provided it's a scamming platform. Going into their site to do any partnership or transactions, you can easily be scammed, because I believe during the registration on the site they have access and vital information to penetrate into your various wallet addresses that may be input.
newbie
Activity: 4
Merit: 2
Quote
Yes, they can. If you execute a contract without knowing that it was a scam site, then they can steal your funds.

They can do it even if I use hardware wallet like Ledger? For example, I connect Ledger to MetaMask and then execute a scam contract via Ledger. Or I connect Ledger to a scam site directly and do the same thing. That means I give scammers access to all my funds in my wallet and they can steal money without any confirmation of transactions?
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
It is worth mentioning that the protocol that is used to build the contract is important too. Some of them are very weak and have many security flaws that can potentially be exploited to steal money from unaware users. You have to be an expert to notice these things though.
DAO on Ethereum comes to mind when we talk about weak protocol and exploits.

This. @OP you better freakin know what you're doing if you don't want to get burned. If you want to provide liquidity for the gainz, then you better know what you're using. If you think exchange hacks are bad, DeFi exploits are just as bad. (or probably even worse, because sometimes we don't know if the anonymous developers planted an exploit on purpose)

https://cryptosec.info/defi-hacks/
legendary
Activity: 3472
Merit: 10611
As for testing the contract, you're highly more likely to be safe if you're executing the contracts through command line, and with you fully knowing what a certain contract actually does. But if you're executing through a front-end UI like a website, then there's not much you can do as far as I know.
It is worth mentioning that the protocol that is used to build the contract is important too. Some of them are very weak and have many security flaws that can potentially be exploited to steal money from unaware users. You have to be an expert to notice these things though.
DAO on Ethereum comes to mind when we talk about weak protocol and exploits.
mk4
legendary
Activity: 2870
Merit: 3873
Paldo.io 🤖
For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds?
Yes, they can. If you execute a contract without knowing that it was a scam site, then they can steal your funds.

If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?
Always make sure you're in the correct website. And if you're extra paranoid, always check the project's social media accounts so you're updated if there's a recent exploit or whatever.

For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds? If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?
They can, and not even just a specific trading pair.

As for testing the contract, you're highly more likely to be safe if you're executing the contracts through command line, and with you fully knowing what a certain contract actually does. But if you're executing through a front-end UI like a website, then there's not much you can do as far as I know.

On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?
A project being audited by Certik or any other auditing company doesn't make a project hack-proof.
newbie
Activity: 4
Merit: 2
For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds? If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?

On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?

I use MetaMask as a hot wallet. This app is very popular and many scammers steal money from MetaMask. Sometimes they steal it without seed phrase, trojans, viruses etc. But users say that they sign some contracts and lose their funds.

Many thanks to all your answers, my crypto friends!