Web3: A Promising Frontier Fraught with Deception – Stay Informed, Stay Safe

Oct 18, 2024

10 Minutes

The rise of Web3 technology represents a powerful shift towards decentralization, offering new opportunities in finance, ownership, and the way we interact online. However, as with any emerging technology, it has also become fertile ground for scammers eager to exploit both experienced and novice users alike.

It’s important to understand that the presence of bad actors does not undermine the potential of Web3 itself. For comparison, in Egypt, we see countless incidents of credit card fraud, but no one would suggest abandoning electronic payment systems because of malicious actors. The solution is not avoidance but awareness and vigilance.

Key Takeaways:
  • Avoid scams that promise easy, passive income.

  • Beware of unlisted YouTube videos.

  • Never run code you do not fully understand.

The Myth of Easy Passive Income


One of the key lessons we should take to heart as Web3 grows is that there is no such thing as "easy passive income." If something seems too good to be true, it almost certainly is.

Scammers thrive on painting an enticing, unrealistic picture of effortless profits, hoping to reel you in with the promise of quick gains. Trust me, things are never as simple as they make them seem. Always approach such offers with caution and a healthy dose of skepticism.

The more informed and careful we become, the harder it is for these scams to succeed. Take every promise with a grain of salt, research thoroughly, and never make impulsive decisions based on enticing propositions.

At the end of the day, the promise of Web3 remains exciting and real, but it is up to us as users to stay alert and not be swayed by false promises. Just as in traditional finance, due diligence is key.

Scam Case Study: Unlisted YouTube Videos


One of the scams going around in the Web3 space involves the use of unlisted YouTube videos, a tactic that allows scammers to target specific audiences without drawing widespread public attention. One such video has already amassed an alarming 207k views, despite its unlisted status. This shows the scale of the scam and how effectively it's being spread within certain communities.

This post examines one of these scam videos. The scammer claims to have developed a “hot” Uniswap arbitrage bot, using none other than the buzzword of the moment: ChatGPT. The scammer taps into the hype surrounding AI, framing the bot as an innovative, cutting-edge tool (i.e., for the laughs) that can supposedly earn you effortless profits through automated arbitrage on decentralized exchanges like Uniswap.

False Promises


In the video, the scammer presents what he claims is a "game-changing" arbitrage bot, supposedly designed to capitalize on price differences between tokens on decentralized exchanges like Uniswap. He showcases a Solidity smart contract, explaining that this contract opportunistically takes advantage of token price discrepancies to generate profits.


On the surface, this sounds appealing—the concept of arbitrage, after all, is a legitimate trading strategy. But what the scammer conveniently omits is just how complex the implementation of such an idea truly is.

Key Points the Scammer Fails to Mention:
  • Urgency is everything in arbitrage: Getting ahead in the arbitrage game means competing in a fast-paced environment where speed and capital are everything. The infrastructure required to monitor price changes, execute trades instantly, and pay for gas fees (Ethereum transaction costs) requires far more than just a simple smart contract—it demands a sophisticated setup off-chain as well.

  • Smart contracts are not bots: The scammer provides misleading technical information. One glaring example is his claim that the Solidity smart contract itself is a "bot." This is completely false. Solidity smart contracts are not bots—they are not self-executing programs. They function as automated agreements that execute specific actions based on predefined conditions, but they still need to be triggered by external actors. Bots, on the other hand, are active off-chain programs written in languages like Python, JavaScript, or Go, which interact with smart contracts on-chain. The role of a bot is to watch for certain conditions (like price differences) and trigger the smart contract when the opportunity arises.

Analyzing the Code


By looking at the Solidity smart contract presented in the video, it becomes clear that this is nothing more than a disguised trap. Let’s break down the key functions that expose this scam for what it is.

1. Constructor Function


The contract's constructor function is empty, meaning nothing happens when the contract is deployed. This is not necessarily a red flag, but it is an indication that the contract offers no real value or functionality.

2. The receive() Function


The receive() function is also empty, but its mere presence signals that the contract is capable of accepting ETH. While this might seem harmless at first glance, it's an important clue: the scammer’s intention is to collect ETH sent to the contract by the victim.

3. The start() Function


Now, things get a little more interesting with the start() function. This function is named to create the illusion that it initiates some kind of meaningful operation. However, its true purpose is far less sophisticated. All this function does is verify that ETH has been sent to the contract, effectively confirming that the victim has deposited funds—ETH that the scammer eventually plans to steal.


4. The withdrawal() Function


Finally, we reach the function where the scam truly unfolds: withdrawal(). The scammer presents this function as the one that will allow the victim to retrieve their ETH, along with any "profits" earned through the arbitrage bot. But the reality is far different.


The scammer introduces the concept of fetching "mempool data," a highly misleading claim. Smart contracts cannot fetch mempool data—this is yet another misrepresentation designed to confuse and impress the victim with technical-sounding jargon.


Let’s dissect what fetchMempoolData() actually does:


All this function does is concatenate a series of strings (i.e., text) into one longer string. One of the strings returned by this function is:


This "mempool data" is nothing more than a string that begins to resemble an address. The contract then processes these strings to generate an actual address using the startExploration() function.


While this function might look sophisticated, all it does is convert a string into an address. More importantly, this address is most probably controlled by the scammer.

5. The Transfer of Funds


Now that the scammer has manipulated the victim into sending ETH to the contract, the final step occurs in the withdrawal() function:


Here, the address generated from the earlier string manipulation (to) is assigned, and the full balance of the contract (retrieved by getBa()) is transferred to this address—an address controlled by the scammer.
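The pattern walked through above (a payable receive(), an address spelled out of string fragments, and a balance transfer to that address instead of the caller) can be checked for before any contract is deployed. The Python triage script below is an added example, not code from the video or from Zokyo; the Solidity excerpt, the helper names partA..partD and the address they spell are constructed placeholders, and it assumes the fragments appear in source order.

```python
import re

# Constructed, non-compilable excerpt shaped like the contract the article
# describes. partA..partD and the address they spell are placeholders.
SAMPLE_SOURCE = '''
contract Bot {
    receive() external payable {}
    function partA() private pure returns (string memory) { return "0x1111"; }
    function partB() private pure returns (string memory) { return "222222222222"; }
    function partC() private pure returns (string memory) { return "333333333333"; }
    function partD() private pure returns (string memory) { return "444444444444"; }
    function withdrawal() public payable {
        address to = startExploration(fetchMempoolData());
        payable(to).transfer(getBa());
    }
}
'''

HEX_LITERAL = re.compile(r'"((?:0x)?[0-9a-fA-F]{2,})"')
ADDRESS = re.compile(r'0x[0-9a-fA-F]{40}')
RECEIVE = re.compile(r'\breceive\s*\(\s*\)\s*external\s+payable')
TRANSFER = re.compile(r'payable\(\s*(\w+(?:\.\w+)?)\s*\)\.transfer\(')


def hidden_addresses(source):
    """Join hex-only string literals in source order and return addresses
    that exist only after concatenation (never written out whole)."""
    joined = "".join(HEX_LITERAL.findall(source))
    return [a for a in ADDRESS.findall(joined) if a not in source]


def findings(source):
    """Return human-readable red flags for one Solidity source string."""
    flags = []
    if RECEIVE.search(source):
        flags.append("contract accepts ETH through receive()")
    for addr in hidden_addresses(source):
        flags.append(f"address assembled from string fragments: {addr}")
    for match in TRANSFER.finditer(source):
        if match.group(1) != "msg.sender":
            flags.append(f"ETH is sent to '{match.group(1)}', not the caller")
    return flags


if __name__ == "__main__":
    for flag in findings(SAMPLE_SOURCE):
        print("[!]", flag)
```

These are text heuristics: any hit is a reason to stop and read the contract line by line, and an empty result does not show that a contract is safe.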

Conclusion


This scam demonstrates how buzzwords like “AI” and “blockchain” are used to deceive unsuspecting users. The Solidity contract presented in the video is designed not to make profits, but to steal ETH. The scam relies on the false trust of non-developers, many of whom, based on the video comments, ran code they did not understand.


The lesson here is simple: never run code you do not fully understand. In Web3 and beyond, skepticism and knowledge are your best defenses against scams. Stay informed and cautious as you navigate this evolving space.

Copyright Disclaimer and Notice

All Rights Reserved.

All material appearing on the Zokyo's website (the “Content”) is protected by copyright under U.S. Copyright laws and is the property of Zokyo or the party credited as the provider of the Content. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any way exploit any such Content, nor may you distribute any part of this Content over any network, including a local area network, sell or offer it for sale, or use such Content to construct any kind of database. You may not alter or remove any copyright or other notice from copies of the content on Zokyo's website. Copying or storing any Content is expressly prohibited without prior written permission of the Zokyo or the copyright holder identified in the individual content’s copyright notice. For permission to use the Content on the Zokyo's website, please contact hello@zokyo.io

Zokyo attempts to ensure that Content is accurate and obtained from reliable sources, but does not represent it to be error-free. Zokyo may add, amend or repeal any policy, procedure or regulation, and failure to timely post such changes to its website shall not be construed as a waiver of enforcement. Zokyo does not warrant that any functions on its website will be uninterrupted, that defects will be corrected, or that the website will be free from viruses or other harmful components. Any links to third party information on the Zokyo's website are provided as a courtesy and do not constitute an endorsement of those materials or the third party providing them.
