Vulnerabilities In Your Wallet – Fear the Trash Tokens

If you’re the type of diligent DeFi user that checks their wallet address on FTMScan, you may have noticed some tokens you don’t recognize. FTMScan’s data has revealed that hundreds of thousands of FTM wallets have been plagued by this wave of unwanted airdrops. But what are these trash tokens? And what should you do about them?

[Figure: Top tokens by Total Uniques, showing the trash coins. Caption: Something about 4Gambling seems suspicious….]

Trash tokens explained

DeFi protocols are the leading source of stolen cryptocurrencies according to a recent report, ‘Crypto Crime Trends for 2022’, from Chainalysis. Trash tokens are just one of the many tools scammers employ to steal assets from DeFi users.

[Figure: Chainalysis chart of stolen funds by platform type. Caption: 2021 was a huge year for those DeFi burglars out there.]

I’m classifying ‘Trash tokens’ as any token designed to cause harm or create vulnerabilities in your wallet.

Any token you’re not intimately familiar with should be treated as hostile. Malicious actors develop tokens to send to wallets with the express purpose of finding and exploiting important user information. Think of it as an airdrop, except that instead of tokens you’re getting spam emails. They leverage these tokens in several ways:

  • Scammers will airdrop tokens to your wallet address and then contact you to provide information on where to withdraw/exchange the tokens, often directing users to malicious websites.
  • Airdropped tokens advertising a new dApp. You’ll rush to their dApp to access your supposed newfound wealth, and they will hit you with a standard-looking approval transaction whose code could contain nefarious permissions. Once you approve it, they can access almost anything you hold in that wallet.
  • Dusting attacks are when scammers send tiny amounts of tokens to several wallets. Once you interact with these tokens, the scammers can analyze the addresses that interacted with the tokens and attempt to identify the owners of the address to further extort them.
  • Some scammers will airdrop a token that looks very similar to a legitimate token but it directs you to a scam site. Always double check your tokens and contract addresses!

Sorting the trash from the treasure

First rule of thumb: if you’re not sure where the token came from, do not engage with it! Treat it like foraging for food in the wild, and only interact with it if you’re 100% sure that it is what you think it is. If it’s something you don’t recognize and it seems too good to be true, it probably is, and it could cause you some serious pain.

Your next step should be to check if the token contract is verified on FTMScan. Under the Blockchain heading, you’ll find a tab named Verified Contracts. Click on that and you’ll be able to search smart contracts with verified source code. Authors of legitimate smart contracts will provide FTMScan with their source code to give users an opportunity to audit the code independently. If the token you have does not have verified source code, leave it alone.

[Figure: FTMScan Verified Contracts page. Caption: Verified smart contracts can generally be trusted.]

If you are confident in inspecting smart contracts, start reading through and see if you can find any suspicious functions lying around. Popular functions for scammers to modify are:

  • Mint function – Can the owner mint extra tokens for themselves?
  • Freeze function – Can the owner freeze assets?
  • Self destruct – Can the owner destroy the contract and run away with all the tokens?

Another useful tool in sniffing out trash tokens is Token Sniffer. This website allows users to identify malicious contracts, exit scams, and hacks by scanning contracts for known scams and compiling an automated audit of safety criteria. 
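The three red flags listed above (owner-only minting, freezing of holders, and self destruct) can be triaged mechanically once you have the verified source in front of you, which is roughly what an automated audit like Token Sniffer does with its safety criteria. The following is an added example written for this article, not code from FTMScan, Token Sniffer or any real token: it extracts the function bodies from Solidity source with a brace-matching pass and flags the three patterns. The two contracts embedded as strings are constructed for the example. A hit is a prompt to read that function, not proof of a scam, since legitimate tokens also pause or mint under controlled conditions.

```python
import re
from dataclasses import dataclass

# Constructed sample of a "verified" token source with all three red flags (not a real contract).
SUSPICIOUS_SOURCE = """
pragma solidity ^0.8.0;
contract SuspiciousToken {
    address public owner;
    mapping(address => uint256) private _balances;
    mapping(address => bool) public frozen;
    modifier onlyOwner() { require(msg.sender == owner); _; }

    // Owner can inflate supply at will.
    function mint(address to, uint256 amount) external onlyOwner { _balances[to] += amount; }

    // Owner can stop any holder from ever selling.
    function freezeAccount(address target, bool state) external onlyOwner { frozen[target] = state; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!frozen[msg.sender], "frozen");
        _balances[msg.sender] -= amount;
        _balances[to] += amount;
        return true;
    }

    // Owner can delete the contract and take the native balance with it.
    function kill() external onlyOwner { selfdestruct(payable(owner)); }
}
"""

# Constructed sample with none of the red flags, used as the control case.
CLEAN_SOURCE = """
contract PlainToken {
    mapping(address => uint256) private _balances;
    function transfer(address to, uint256 amount) external returns (bool) {
        _balances[msg.sender] -= amount;
        _balances[to] += amount;
        return true;
    }
}
"""

@dataclass
class Finding:
    kind: str       # "mint", "freeze" or "selfdestruct"
    function: str   # name of the function that triggered the flag
    detail: str

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
OWNER_GATE = re.compile(r"onlyOwner|msg\.sender\s*==\s*_?owner")
FREEZE_WRITE = re.compile(r"\b(frozen|blacklist\w*)\s*\[[^\]]*\]\s*=(?!=)")
DESTRUCT = re.compile(r"\b(selfdestruct|suicide)\s*\(")

def extract_functions(src):
    """Yield (name, header, body) for every function that has a body, with comments removed."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:           # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(3), src[m.end():i - 1]

def scan_source(src):
    """Return the list of red-flag findings for one Solidity source file."""
    findings = []
    for name, header, body in extract_functions(src):
        owner_only = bool(OWNER_GATE.search(header) or OWNER_GATE.search(body))
        if "mint" in name.lower() and owner_only:
            findings.append(Finding("mint", name, "owner can create new supply at will"))
        if re.search(r"freeze|blacklist|pause", name, re.I) or FREEZE_WRITE.search(body):
            findings.append(Finding("freeze", name, "holders can be blocked from moving tokens"))
        if DESTRUCT.search(body):
            findings.append(Finding("selfdestruct", name, "contract can be destroyed by a privileged caller"))
    return findings

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SOURCE), ("clean", CLEAN_SOURCE)):
        print(label, [(f.kind, f.function) for f in scan_source(src)])
```

Paste the verified source from FTMScan into a file and call scan_source on its contents; anything it reports is the first place to read by hand, and a contract where the regexes find nothing still deserves a look at who the owner is and what else that address can do.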

[Figure: Token Sniffer automated audit results.]

Keeping your wallet safe 

Prevention is better than the cure, so try creating a new wallet used exclusively for whitelists or airdrops. Think of this as your junk e-mail folder, and only interact with the assets in this wallet that you trust.

Get in the habit of reviewing and revoking token approvals on FTMScan. Head to the Token Approvals page, input your wallet address, and check exactly which contracts your FTM address is currently interacting with and whether you recognize each of them. Once you connect your wallet you’ll be able to revoke permissions on a contract-by-contract basis. I recommend clearing all permissions and starting with a clean slate. Then, start revoking token approvals every fortnight or so and you’ll soon be comfortable identifying permissions that don’t belong.
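Both the “standard-looking approval transaction” a scam dApp asks you to sign and the revocations you do on FTMScan come down to the same ERC-20 approve(address,uint256) call; revoking an allowance is an approve with the amount set to zero. The example below is added for this article and is not FTMScan’s or any wallet’s code: it decodes the calldata of an approval before you sign it, warns when the allowance is unlimited or an operator is being granted rights over a whole collection, and builds the corresponding revoke call. The 4-byte selectors are the standard ones for approve(address,uint256) and setApprovalForAll(address,bool); the spender address is a constructed placeholder.

```python
UNLIMITED = 2**256 - 1
# First four bytes of keccak256 of the function signature, as used on-chain.
SELECTORS = {
    bytes.fromhex("095ea7b3"): "approve(address,uint256)",
    bytes.fromhex("a22cb465"): "setApprovalForAll(address,bool)",
}

def _strip0x(h):
    return h[2:] if h.startswith("0x") else h

def _pad_address(addr):
    """Left-pad a 20-byte address to the 32-byte ABI word."""
    raw = bytes.fromhex(_strip0x(addr))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\0")

def encode_approve(spender, amount):
    """ABI-encode approve(spender, amount) as 0x-prefixed calldata."""
    return "0x" + (bytes.fromhex("095ea7b3") + _pad_address(spender)
                   + amount.to_bytes(32, "big")).hex()

def encode_set_approval_for_all(operator, approved):
    """ABI-encode setApprovalForAll(operator, approved) as 0x-prefixed calldata."""
    return "0x" + (bytes.fromhex("a22cb465") + _pad_address(operator)
                   + int(approved).to_bytes(32, "big")).hex()

def decode_approval(calldata):
    """Decode an approval call and attach plain-language warnings about what it grants."""
    data = bytes.fromhex(_strip0x(calldata))
    sig = SELECTORS.get(data[:4])
    if sig is None:
        return {"function": None, "warnings": ["not a recognised approval call; read the contract"]}
    args = data[4:]
    if len(args) != 64:
        raise ValueError("malformed calldata: expected two 32-byte arguments")
    spender = "0x" + args[12:32].hex()          # address sits in the low 20 bytes of the word
    word = int.from_bytes(args[32:64], "big")
    result = {"function": sig, "spender": spender, "warnings": []}
    if sig.startswith("approve"):
        result["amount"] = word
        if word == UNLIMITED:
            result["warnings"].append("unlimited allowance: spender can move your whole balance, now and later")
        elif word >= 2**128:
            result["warnings"].append("allowance far above any plausible trade size")
    else:
        result["approved"] = bool(word)
        if word:
            result["warnings"].append("operator approval: spender controls every token of this collection")
    return result

def revoke_calldata(calldata):
    """Build the transaction that undoes the decoded approval (amount 0 / approved false)."""
    d = decode_approval(calldata)
    if d["function"] is None:
        raise ValueError("cannot revoke an unrecognised call")
    if d["function"].startswith("approve"):
        return encode_approve(d["spender"], 0)
    return encode_set_approval_for_all(d["spender"], False)

if __name__ == "__main__":
    spender = "0x" + "ab" * 20                   # constructed placeholder, not a real contract
    tx = encode_approve(spender, UNLIMITED)
    print(decode_approval(tx))
    print("revoke with:", revoke_calldata(tx))
```

Wallets show this calldata under “hex data” before you sign; if decode_approval reports an unlimited allowance to a spender you did not mean to trust, reject it, and if you already signed one, the revoke_calldata output is the same approve(spender, 0) that FTMScan’s Token Approvals page submits for you.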

[Figure: FTMScan Token Approvals page.]

Safety should be your primary concern when surfing the web3 wave. The best way to safeguard your assets is to keep a vigilant and conscious eye on your interactions within the space. We should all be consistently improving our security practices, since scammers are surely working hard to improve their methods of attack.

In short, if you don’t recognize it, don’t touch it!
