Complex doubt about smart contracts security

Can a modified smart contract of a scam token purchased through a well knowed DEX like Jupiter or Raydium affect my wallet?
I understand that typical scams work by signing contracts on external scam websites or simply with modified token contracts so that they can't be sent or sold once purchased/swaped. Or in some cases charge a huge gas fee at the time of sell.

My only doubt is, in the case of making a swap in a DEX and get a token that can be a potential scam, can this token interact with my wallet? (Executing a smart contract function on a known and relatively secure DEX and drain funds from my wallet).


Hypothetically I swap 100 USDC for a potential XScamX Toquen.

1: Oh! I can no longer sell the token (modified contract with a blacklist).
2: In the token info there is a link where I can claim my rewards in gratitude. I leave the DEX and go to a scam website, sign and boom, my funds disappear.
3: I pay a huge gas fee that takes away some of my funds

I have been seeing these 3 types of scams for some time now. My doubt comes in the fourth possibility:

4: When I have exchanged those 100 USDC for that XScamX token, I realize that hours later they are worth 25 USDC and I decide to exchange them again before going to 0.

Could it happen that the smart contract has been modified so that when I change them within the official DEX where I first acquired them, a function is executed that drains my funds?

I understand this may be a strange question but I'm not a security expert and I want to make sure before doing something I might regret.

Big thanks in advance for your help

Your question is too obfuscated, as it mixes up a bunch of different scenarios, some onchain-related (e.g., "Can a modified smart contract of a scam token affect my wallet?"), and some offchain-related (e.g., "I go to a scam website, sign and boom, my funds disappear").

It is pretty impossible to answer it in a coherent manner which addresses all of the different concerns that you've raised; I suggest that you minimize into a single aspect that you wish to better understand.

Agree with this.
It also might help to provide some real world examples because I can see you mentioned "I have been seeing these 3 types of scams for some time now" but it is a little hard to understand.

Thank you for the answer and I am sorry for not having explained myself more clearly (My English is also awful, sorry). I will try to be more specific starting by clarifying that the first 3 examples do not describe the doubt I have. As I said before I have been seeing them for some time. And, as a clarification, one example of a real life (about example nº1):

A token is created using a contract that is able to not arouse suspicion in a DEX. This fraudulent contract uses a function to determine (as a black/white list) who can sell the token. When a purchase is made, for example through a swap in a DEX, the address is added to a blacklist that will make the sale impossible. Only the owner is able to change the variables and considering that he will not block the user at the time of purchase the DEX itself will not detect the scam.
This example serves to say that sometimes there is no need to go to a external website and sign a malicious contract for being scammed.
(Of course, in example #1 it will only mean that you cannot recover the funds you have invested. Nothing about drain a wallet).

My doubt:

Considering that nowadays scammers seem to be getting more creative every day, my experience does not go as far as to know if a malicious smart contract with very specific functions could be unnoticed by the security of a DEX and be executed once the trader/user performs a simple swap.
I understand that this would be a scandal and would result in a potential danger to all wallets connecting to that DEX. But I was looking for a smart contract expert confirming that there is currently no real possibility of a wallet ending up drained by making a fake token swap on a known/reputable DEX.

Thank you again for your patience :slight_smile:

Thanks for providing that first example, how interesting! In case others were interested, the contract is known as a Honeypot Scam and CertiK posted a really interesting article on this same problem earlier this year see here.

I can appreciate that your concern is broad by its nature but I'll answer it the best I can in a very generalised manner. The issue you have pointed out most definitely is a gathering momentum to be a significant risk in the Web3 space. Yes, a malicious smart contract may for unnoticed by the security team at a DEX. But I would argue that this risk is severely mitigated by following a few basic diligence principles of looking to a token chart (or other indicators like token count), and not making a rash decision on hype (i.e. falling prey to the allure of getting rich quick).

There is no guarantee of a 100% flawless platform, so I doubt you'll find an expert that claims there is no real possibility of a wallet ending up completely drained by a scam (and if they do, don't trust them!!). Always apply a healthy degree of skepticism when looking to participate in a DEX.

Thank you for giving such a coherent answer. I completely agree with everything you have explained. I have been applying these security measures for years (observation, analysis and a cool mind before making any decision), and they have worked very well for me so far.

And yes, you are right that something improbable does not mean impossible. Related to this, I have always found it interesting to learn from those who know the most to be more aware of the reality that surrounds us. On the other hand I also understand that it's very complicated to give an example of something as complex as the possibility that a wallet can be affected by the simple act of making a swap within a DEX.

By the way, I had no idea about the "technical" name for that type of scam (Honeypot). I will definitely take a look at this link.

Thanks again and kind regards!

1 Like