Web3: A Promising Frontier Fraught with Deception – Stay Informed, Stay Safe

18 Oct 2024


The rise of Web3 technology represents a powerful shift towards decentralization, offering new opportunities in finance, ownership, and the way we interact online. However, as with any emerging technology, it has also become fertile ground for scammers eager to exploit both experienced and novice users alike.

It’s important to understand that the presence of bad actors does not undermine the potential of Web3 itself. For comparison, in Egypt, we see countless incidents of credit card fraud, but no one would suggest abandoning electronic payment systems because of malicious actors. The solution is not avoidance but awareness and vigilance.

Key Takeaways:
  • Avoid scams that promise easy, passive income.

  • Beware of unlisted YouTube videos.

  • Never run code you do not fully understand.

The Myth of Easy Passive Income


One of the key lessons we should take to heart as Web3 grows is that there is no such thing as "easy passive income." If something seems too good to be true, it almost certainly is.

Scammers thrive on painting an enticing, unrealistic picture of effortless profits, hoping to reel you in with the promise of quick gains. Trust me, things are never as simple as they make them seem. Always approach such offers with caution and a healthy dose of skepticism.

The more informed and careful we become, the harder it is for these scams to succeed. Take every promise with a grain of salt, research thoroughly, and never make impulsive decisions based on enticing propositions.

At the end of the day, the promise of Web3 remains exciting and real, but it is up to us as users to stay alert and not be swayed by false promises. Just as in traditional finance, due diligence is key.

Scam Case Study: Unlisted YouTube Videos


One of the scams going around in the Web3 space involves the use of unlisted YouTube videos, a tactic that allows scammers to target specific audiences without drawing widespread public attention. One such video has already amassed an alarming 207k views, despite its unlisted status. This shows the scale of the scam and how effectively it's being spread within certain communities.

In this post we examine one of these scam videos. The scammer claims to have developed a “hot” Uniswap arbitrage bot, using none other than the buzzword of the moment: ChatGPT. The scammer taps into the hype surrounding AI, framing the bot as an innovative, cutting-edge tool (laughable as that is) that can supposedly earn you effortless profits through automated arbitrage on decentralized exchanges like Uniswap.

False Promises


In the video, the scammer presents what he claims is a "game-changing" arbitrage bot, supposedly designed to capitalize on price differences between tokens on decentralized exchanges like Uniswap. He showcases a Solidity smart contract, explaining that this contract opportunistically takes advantage of token price discrepancies to generate profits.


On the surface, this sounds appealing—the concept of arbitrage, after all, is a legitimate trading strategy. But what the scammer conveniently omits is just how complex the implementation of such an idea truly is.

Key Points the Scammer Fails to Mention:
  • Urgency is everything in arbitrage: Getting ahead in the arbitrage game means competing in a fast-paced environment where speed and capital are everything. The infrastructure required to monitor price changes, execute trades instantly, and pay for gas fees (Ethereum transaction costs) requires far more than just a simple smart contract—it demands a sophisticated setup off-chain as well.

  • Smart contracts are not bots: The scammer provides misleading technical information. One glaring example is his claim that the Solidity smart contract itself is a "bot." This is completely false. Solidity smart contracts are not bots—they are not self-executing programs. They function as automated agreements that execute specific actions based on predefined conditions, but they still need to be triggered by external actors. Bots, on the other hand, are active off-chain programs written in languages like Python, JavaScript, or Go, which interact with smart contracts on-chain. The role of a bot is to watch for certain conditions (like price differences) and trigger the smart contract when the opportunity arises.

Analyzing the Code


By looking at the Solidity smart contract presented in the video, it becomes clear that this is nothing more than a disguised trap. Let’s break down the key functions that expose this scam for what it is.

1. Constructor Function


The contract's constructor function is empty, meaning nothing happens when the contract is deployed. This is not necessarily a red flag, but it is an indication that the contract offers no real value or functionality.

2. The receive() Function


The receive() function is also empty, but its mere presence signals that the contract is capable of accepting ETH. While this might seem harmless at first glance, it's an important clue: the scammer’s intention is to collect ETH sent to the contract by the victim.

3. The start() Function


Now, things get a little more interesting with the start() function. This function is named to create the illusion that it initiates some kind of meaningful operation. However, its true purpose is far less sophisticated. All this function does is verify that ETH has been sent to the contract, effectively confirming that the victim has deposited funds—ETH that the scammer eventually plans to steal.


4. The withdrawal() Function


Finally, we reach the function where the scam truly unfolds: withdrawal(). The scammer presents this function as the one that will allow the victim to retrieve their ETH, along with any "profits" earned through the arbitrage bot. But the reality is far different.


The scammer introduces the concept of fetching "mempool data," a highly misleading claim. Smart contracts cannot fetch mempool data—this is yet another misrepresentation designed to confuse and impress the victim with technical-sounding jargon.


Let’s dissect what fetchMempoolData() actually does:


All this function does is concatenate a series of strings (i.e., text) into one longer string. One of the strings returned by this function is:


This "mempool data" is nothing more than a string that begins to resemble an address. The contract then processes these strings to generate an actual address using the startExploration() function.


While this function might look sophisticated, all it does is convert a string into an address. More importantly, this address is most probably controlled by the scammer.

5. The Transfer of Funds


Now that the scammer has manipulated the victim into sending ETH to the contract, the final step occurs in the withdrawal() function:


Here, the address generated from the earlier string manipulation (to) is assigned, and the full balance of the contract (retrieved by getBa()) is transferred to this address—an address controlled by the scammer.
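A reviewer can check source code for the two signals walked through above before anyone funds a contract: string literals that assemble into a 20-byte address, and a payout that goes somewhere other than the caller. The Python sketch below is an added example, not code from the video or from this post; the function names come from the analysis above, while the Solidity fragment, its fake address and the regex heuristics are constructed for illustration.

```python
import re

# Constructed Solidity fragment shaped like the pattern described above.
# The hex pieces spell an obviously fake address, not one taken from the video.
SAMPLE_SOURCE = '''
function fetchMempoolData() internal pure returns (string memory) {
    string memory a = "0x11111111";
    string memory b = "1111111111111111";
    string memory c = "2222222222222222";
    return string(abi.encodePacked(a, b, c));
}
function withdrawal() public payable {
    address to = startExploration(fetchMempoolData());
    payable(to).transfer(getBa());
}
'''

# Heuristic regexes: assume each function closes with "}" at the start of a line.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)[^{]*\{(.*?)\n\}", re.S)
STR_RE = re.compile(r'"([^"\\]*)"')
HEX_RE = re.compile(r"(?:0x)?([0-9a-fA-F]+)")
PAY_RE = re.compile(r"payable\(\s*([\w.]+)\s*\)\s*\.\s*(?:transfer|send)\s*\(")

def hidden_addresses(source):
    """Map function name -> address rebuilt from its hex string literals."""
    found = {}
    for name, body in FUNC_RE.findall(source):
        parts = [m.group(1) for lit in STR_RE.findall(body)
                 if (m := HEX_RE.fullmatch(lit))]
        joined = "".join(parts)
        # Several hex fragments adding up to 20 bytes is a split-up address.
        if len(parts) > 1 and len(joined) == 40:
            found[name] = "0x" + joined.lower()
    return found

def payouts_not_to_caller(source):
    """List (function, recipient) for ETH transfers not sent to msg.sender."""
    return [(name, recipient)
            for name, body in FUNC_RE.findall(source)
            for recipient in PAY_RE.findall(body)
            if recipient != "msg.sender"]

if __name__ == "__main__":
    for fn, addr in hidden_addresses(SAMPLE_SOURCE).items():
        print(f"{fn}(): string literals assemble into address {addr}")
    for fn, recipient in payouts_not_to_caller(SAMPLE_SOURCE):
        print(f"{fn}(): pays out to '{recipient}', not to msg.sender")
```

Either finding on its own is a reason to stop and read the contract line by line; a clean result from heuristics like these is not proof that the contract is safe.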

Conclusion


This scam demonstrates how buzzwords like “AI” and “blockchain” are used to deceive unsuspecting users. The Solidity contract presented in the video is designed not to make profits, but to steal ETH. The scam relies on the false trust of non-developers, many of whom, based on the video comments, ran code they did not understand.


The lesson here is simple: never run code you do not fully understand. In Web3 and beyond, skepticism and knowledge are your best defenses against scams. Stay informed and cautious as you navigate this evolving space.

Copyright Notice and Disclaimer

All rights reserved.

All material appearing on the Zokyo website (the “Content”) is protected by copyright under U.S. copyright laws and is the property of Zokyo or the party credited as the provider of the Content. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any way exploit any such Content, nor may you distribute any part of this Content over any network, including a local area network, sell or offer it for sale, or use such Content to construct any kind of database. You may not alter or remove any copyright or other notice from copies of the content on the Zokyo website. Copying or storing any Content is expressly prohibited without the prior written permission of Zokyo or the copyright holder identified in the individual content's copyright notice. For permission to use the Content on the Zokyo website, please contact hello@zokyo.io

Zokyo attempts to ensure that content is accurate and obtained from reliable sources, but does not guarantee that it is error-free. Zokyo may add, amend or repeal any policy, procedure or regulation, and failure to timely post such changes to its website shall not be construed as a waiver of enforcement. Zokyo does not warrant that the functions on its website will be uninterrupted, that defects will be corrected, or that the website will be free from viruses or other harmful components. Any links to third-party information on the Zokyo website are provided as a courtesy and do not constitute an endorsement of those materials or of the third party providing them.
