How scammers manipulate smart contracts to steal crypto

Scammers can hide fees or other tricks in smart contracts, while hackers look for vulnerabilities to exploit.

In 2021, scammers made off with $14B in ill-gotten crypto. So, a lot.

According to Check Point Research, the research arm of cybersecurity company Check Point, many scammers manipulate tokens’ smart contracts — contracts that exist and run automatically as code on the blockchain.

Here’s an example of a scam

In a typical transaction, you might be charged a fee when you buy or sell tokens.

Oded Vanunu, Check Point’s Head of Products Vulnerabilities Research, told The Hustle that fees should usually be no more than 12% of the total transaction amount.

But a scammer might hide a 99% buy or sell fee in the token’s smart contract, which wipes out your money. Or, they could hide a function that blocks you from selling your coins at all.

Scam tokens are often hyped on social media channels…

… like Twitter, Discord, or Telegram by anonymous accounts to inflate the coin’s value.

Once the coin is popping, the scammers pull out all their money, delete the accounts, and disappear. That’s known as a “rug pull” scam.

Remember SQUID, the “Squid Game”-inspired token? It boomed to $2.8k+ per coin, then plummeted after the developers claimed they were hacked, sold their coins, deleted their socials, and bounced with an estimated $3.3m.

Speaking of hackers…

If a legit smart contract has a vulnerability, hackers could exploit it.

For example, a hacker exploited a mistake in The Zenon Network’s smart contract to destroy 26.4k+ coins, which caused the price of wZNN to increase dramatically. The hacker then drained the liquidity pool for $814.5k+.

So, how do you avoid scams?

Vanunu said the current state of crypto is too complex and has too many moving parts for the average user to completely understand it — though we may soon see technologies geared to help.

For now?

“My main recommendation is to go after the tokens with a large amount of holders — [at least] a few thousand,” Vanunu said.
