B001: Ethereum Honeypots

Quiz Contract

I began with the quiz contract, a seemingly innocuous contract that is "initialized" via its Start function, which supposedly reveals the answer to the riddle in that transaction. The responseHash variable, which holds the hash the answer is compared against, is of course not exposed publicly, but it can easily be retrieved via a raw storage read using an Ethereum client's RPC API.

[Figure: Internal Call of Culprit Transaction]
[Figure: Decompiled Bytecode of Setter Contract]
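To make the "private is not secret" point concrete, here is an added example (my own illustration, not code from the post or from the honeypot) that walks a contract's storage layout, builds the eth_getStorageAt JSON-RPC requests a client would send, and decodes the returned 32-byte words, including variables packed into a shared slot. The layout follows the shape solc emits with --storage-layout; the labels, slots, offsets, address and returned words are all constructed for the demo and are not the quiz contract's real values.

```python
"""Enumerate what a contract's "private" storage exposes over JSON-RPC.

Solidity's `private` only restricts access from *other contracts*; every
storage slot is readable by anyone through eth_getStorageAt. This helper
takes a storage layout in the shape solc emits with --storage-layout,
builds the RPC requests a client would send, and decodes the 32-byte words
a node returns, including variables packed into a shared slot.
"""
import json

# Constructed layout (abridged to the fields used here). Labels, slots and
# offsets are hypothetical; the real quiz contract's layout comes from its
# source or decompiled bytecode, not from this script.
QUIZ_LAYOUT = {
    "storage": [
        {"label": "owner",        "slot": "0", "offset": 0,  "type": "t_address"},
        {"label": "started",      "slot": "0", "offset": 20, "type": "t_bool"},
        {"label": "responseHash", "slot": "1", "offset": 0,  "type": "t_bytes32"},
        {"label": "minReward",    "slot": "2", "offset": 0,  "type": "t_uint256"},
    ],
    "types": {
        "t_address": {"numberOfBytes": "20"},
        "t_bool":    {"numberOfBytes": "1"},
        "t_bytes32": {"numberOfBytes": "32"},
        "t_uint256": {"numberOfBytes": "32"},
    },
}

# Constructed stand-in for the words a node would return, keyed by slot.
# Slot 0 packs owner (low 20 bytes) and started (the byte just above it);
# slot 2 is deliberately given without leading zeros, as some providers do.
SAMPLE_WORDS = {
    0: "0x" + "00" * 11 + "01" + "11" * 20,
    1: "0x" + "ab" * 32,
    2: "0xde0b6b3a7640000",   # 10**18 wei
}


def storage_requests(contract, layout, block="latest"):
    """Build one eth_getStorageAt request per distinct slot in the layout."""
    if not (contract.startswith("0x") and len(contract) == 42):
        raise ValueError("expected a 0x-prefixed 20-byte address")
    int(contract[2:], 16)  # reject non-hex input before it reaches a node
    slots = sorted({int(v["slot"]) for v in layout["storage"]})
    return [
        {"jsonrpc": "2.0", "id": i + 1, "method": "eth_getStorageAt",
         "params": [contract.lower(), hex(slot), block]}
        for i, slot in enumerate(slots)
    ]


def word_bytes(word_hex):
    """Normalise a returned storage word to exactly 32 big-endian bytes."""
    return bytes.fromhex(word_hex[2:].rjust(64, "0"))


def decode_variable(var, types, word):
    """Slice one variable out of its slot word, honouring packing offsets.

    Solidity packs from the low-order end: a variable at byte offset o that
    occupies n bytes lives in word[32-o-n : 32-o] of the big-endian word.
    """
    size = int(types[var["type"]]["numberOfBytes"])
    end = 32 - var["offset"]
    raw = word[end - size:end]
    kind = var["type"]
    if kind == "t_address":
        return "0x" + raw.hex()
    if kind == "t_bool":
        return raw != b"\x00"
    if kind.startswith("t_uint") or kind.startswith("t_int"):
        return int.from_bytes(raw, "big", signed=kind.startswith("t_int"))
    return "0x" + raw.hex()  # bytesN and anything else: raw hex


def dump_storage(layout, words_by_slot):
    """Map every labelled variable to its decoded on-chain value."""
    decoded = {}
    for var in layout["storage"]:
        word = word_bytes(words_by_slot[int(var["slot"])])
        decoded[var["label"]] = decode_variable(var, layout["types"], word)
    return decoded


if __name__ == "__main__":
    # Placeholder address; substitute the contract under review.
    print(json.dumps(storage_requests("0x" + "00" * 20, QUIZ_LAYOUT), indent=2))
    print(dump_storage(QUIZ_LAYOUT, SAMPLE_WORDS))
```

The takeaway for anyone writing or auditing a contract: treat every state variable, `private` or not, as public input to an attacker's analysis, and never gate a payout on a value that merely sits in storage.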

Bank Contract

The bank contract was slightly more deceptive about how it operates. At first glance, it looks like a contract to which users can deposit funds and then withdraw them after a specified time (checked against the now timestamp). Although there were really no bonuses, this honeypot is targeted at opportunistic hackers, given that it has a fairly obvious re-entrancy issue.

[Figure: Code Segment of "Vulnerability"]
[Figure: Extraneous Storage Slots vs. Implementation]
[Figure: Code Segment of Pot's Operation]
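The "obvious" re-entrancy issue is the bait, so it is worth being precise about what the bait imitates. The added example below (my own toy model, not the honeypot's code, and it does not reproduce whatever the honeypot actually does behind the scenes) runs a time-locked bank with the outgoing call placed either before or after the balance update, and shows why the checks-effects-interactions ordering stops the re-entrant drain. The participants, amounts and lock period are constructed.

```python
"""Toy model of the re-entrancy bait versus checks-effects-interactions.

The Bank below mirrors what the honeypot appears to be: deposits are locked
until a timestamp, after which the depositor may withdraw. `hardened`
selects whether the balance is zeroed before or after the outgoing call.
An EVM CALL with value both moves ether and runs the recipient's fallback,
which is what `_send` imitates. Participants and amounts are constructed.
"""


class Revert(Exception):
    """Stands in for an EVM revert of the whole call chain."""


class Account:
    """An externally owned account: receives ether, runs no code."""

    def __init__(self, ether=0):
        self.ether = ether

    def receive(self, bank, amount):
        pass  # no fallback logic


class Bank:
    def __init__(self, hardened, lock=100):
        self.hardened = hardened
        self.lock = lock
        self.now = 0           # stand-in for block.timestamp / `now`
        self.ether = 0         # the contract's own balance
        self.balances = {}
        self.unlock_at = {}

    def deposit(self, who, amount):
        if who.ether < amount:
            raise Revert("insufficient funds")
        who.ether -= amount
        self.ether += amount
        self.balances[who] = self.balances.get(who, 0) + amount
        self.unlock_at[who] = self.now + self.lock

    def _send(self, to, amount):
        if self.ether < amount:
            raise Revert("bank cannot pay")
        self.ether -= amount
        to.ether += amount
        to.receive(self, amount)  # recipient code runs *inside* withdraw

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        if self.now < self.unlock_at[who]:
            raise Revert("funds still locked")
        if self.hardened:
            self.balances[who] = 0    # effect first: a re-entrant call sees 0
            self._send(who, amount)
        else:
            self._send(who, amount)   # interaction first: balance still intact
            self.balances[who] = 0


class Reentrant(Account):
    """A contract whose fallback calls withdraw again while the bank can pay."""

    def __init__(self, stake):
        super().__init__(stake)
        self.stake = stake

    def receive(self, bank, amount):
        if bank.ether >= self.stake:
            bank.withdraw(self)


def run(hardened):
    """Deposit 3 (honest) + 1 (re-entrant), then let the re-entrant withdraw."""
    bank = Bank(hardened)
    honest, attacker = Account(ether=3), Reentrant(stake=1)
    bank.deposit(honest, 3)
    bank.deposit(attacker, 1)
    bank.now = bank.lock          # lock period has elapsed
    bank.withdraw(attacker)
    return {"attacker": attacker.ether, "bank": bank.ether,
            "honest_claim": bank.balances[honest]}


def early_withdraw_reverts():
    """The time lock is enforced regardless of ordering."""
    bank = Bank(hardened=True)
    user = Account(ether=1)
    bank.deposit(user, 1)
    try:
        bank.withdraw(user)
    except Revert:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", run(hardened=False))
    print("hardened:  ", run(hardened=True))
```

With the call placed first, the re-entrant depositor walks away with the honest user's 3 ether on top of its own 1 while the honest balance still reads 3 against an empty contract; with the balance zeroed first, the nested withdraw sees 0 and returns. In a real audit the same ordering check is the first thing to run over every function that sends value, and a contract that flaunts the wrong order is exactly what this honeypot is counting on you to notice.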

Conclusion

It was quite fun to have a look at how these types of scams operate, and even more so to find one targeted specifically at security-savvy people who think they can get some free ETH.

Alex Papageorgiou

A Solidity security auditor keen to share his knowledge.