At least 15 new smart contract scams are deployed every hour on major blockchains, and BNB Chain seems to attract a good chunk of these, according to the latest findings of Solidus Labs, a crypto risk monitoring and market surveillance company.
Binance, Ethereum Flooded with Smart Contract Scams
Solidus has recently launched Solidus Threat Intelligence, a real-time threat detection tool that helps anti-money laundering (AML) teams and other entities identify smart contract scams, which have become one of the most serious challenges in decentralized finance (DeFi) and Web3.
The tool monitors 12 major blockchains, including Ethereum, BNB, and Polygon. As of October 10, it had detected almost 190,000 smart contract scams. Interestingly, 12% of all BEP-20 tokens on BNB Chain display characteristics of fraudulent activity, which is the highest proportion among the tracked chains. Ethereum comes next, with 8% of all ERC-20 tokens showing signs of fraud. Solidus also estimated that about $910 million worth of ETH related to scams had already passed through centralized and regulated crypto exchanges.
Scam-related smart contracts are hard-coded to deprive investors of their deposits. These have become a growing threat in the emerging Web3 space. There are several types of smart contract scams, including rug pulls, phishing attacks, and token impersonations. The problem is that scam contracts can be deployed automatically and replicated easily, enabling serial scammers to conduct multiple small-value attacks without notice right under the nose of regulated exchanges.
Solidus’ VP of Regulatory Affairs, Kathy Kraninger, who previously led the US Consumer Financial Protection Bureau (CFPB), stated:
“While some of the big rug pulls and scams make the news, like the famous Squid Games Token that’s estimated to have cost users around $3 million in lost funds, the full picture stemming from our data shows the vast majority of these scams go unnoticed.”
Speaking about the company’s threat intelligence tool, she said:
“Providing this level of transparency is a major step in assessing the true magnitude of crypto scams and market manipulation – which allows the industry and regulators to prevent consumer harm and ultimately raise market integrity and consumer protection standards.”
How Do Rug Pulls Operate?
In a dedicated post, Solidus Labs provided a detailed overview of rug pulls, which are the most popular smart contract scams. What’s worse, the vast majority of them are not detected. Another worrying finding is that their prevalence is increasing rapidly with the adoption of Web3 solutions.
In a nutshell, rug pulls are crypto scams in which teams pump their token to attract investors and then pull out before the project is even built. However, Solidus found that rug pull tokens are intentionally programmed to steal, with their smart contracts being capable of disabling secondary sales, charging buyers sell fees of 100%, or allowing developers to mint new tokens. The unnoticed rug pulls deprive investors of hundreds of millions.
While on the surface rug pull tokens are no different from any other token, their source code can tell a lot when analyzed closer. Scammers hard-code malicious rules directly into the smart contract to have hidden power and abuse it.
After deploying a token, the rug pull team usually builds a liquidity pool on a decentralized exchange (DEX), which isn’t run by a centralized entity and doesn’t require KYC verification. The liquidity pool basically represents a trading pair that includes the scam token and a major cryptocurrency, such as Ethereum. The next step for the team is to pump the token by artificially inflating transaction volume, generating hype on social media, coming up with a website and roadmap, etc. When a significant number of investors have bought into the fraudulent token, scammers sell their holdings on the DEX, exiting the pool altogether.
The Solidus Labs Solution
Solidus’ threat intelligence tool, called Solidus Web3 AML, merges proprietary on- and off-chain datasets with the smart contract scanning technology provided by Token Sniffer. In this way, Solidus can detect rug pulls at the earliest stage possible.
The system covers Ethereum, BNB Chain, and 10 other blockchains. Unlike current methodologies, most of which rely on a retroactive approach to spot crypto scams, Solidus’ solution monitors DeFi and Web3 activity in real time, representing a game-changer in DeFi risk monitoring and AML compliance.
Web3 AML is part of Solidus HALO, the company’s crypto suite of market integrity solutions that also includes Trade Surveillance, Trade Monitoring, and Onboarding Verification, among others. HALO is now employed by crypto exchanges and other entities to monitor over 1 trillion events every single day across over 150 markets. It helps crypto market players protect over 25 million retail and institutional investors.
Binance Offers Proprietary Tool to Detect Red Flags
It seems that Binance has been aware of the prevalence of smart contract scams on its blockchain network. Back in July of this year, BNB Chain launched a new platform called DappBay, which helps users discover new Web3 projects. The tool integrates a new feature called Red Alarm, which, like Solidus, detects risk in real-time and notifies users of potentially risky projects, including rug pulls and other scams. Thanks to DappBay, users can check whether a smart contract has logical flaws or fraud risks.
Gwendolyn Regina, Investment Director at BNB Chain, said at the time:
“Using market data, DappBay allows the BNB Chain community to shortlist and rank the best recently launched projects, such as Gamefi, Defi, NFT, and others. Most importantly, the Red Alarm feature helps users in staying one step ahead of scammers; the system warns in real time of potential risks associated with the projects, allowing the community to make informed investment decisions. This is a breakthrough, not only for the BNB Chain community, but for the entire blockchain community.”
While this is not necessarily the problem of Binance, the ecosystem attracts not only scammers but hackers as well. Earlier this month, Binance’s cross-chain bridge for the Binance Coin (BNB) was hacked, with the attacker illegally issuing 2 million BNB, worth about $570 million at the time, from a Binance Smart Chain (BSC) address. BNB Chain reacted quickly, pausing all operations on BSC to contain the damage, with the attacker managing to move only about $137 million worth of crypto to other chains.
An exploit on a cross-chain bridge, BSC Token Hub, resulted in extra BNB. We have asked all validators to temporarily suspend BSC. The issue is contained now. Your funds are safe. We apologize for the inconvenience and will provide further updates accordingly.
— CZ 🔶 Binance (@cz_binance) October 6, 2022
Earlier this week, Binance CEO Changpeng Zhao told CNBC that the company was closer to finding out the identity of the hacker.
The month of October — which is less than halfway through — has recorded the highest value hacked all year — $718 million across 11 different DeFi protocols so far, according to blockchain analytics unit Chainalysis.
A recent report by CertiK that covers Web3 hacks in the third quarter of this year found that BNB Chain was the most targeted blockchain.
Binance is one of the largest blockchain ecosystems that is constantly adding new features and expanding its user base, which may be part of the reason why scammers and hackers are targeting it to find loopholes.