From Programming Bugs to Multimillion-Dollar Scams: An Analysis of Trapdoor Tokens on Uniswap

TL;DR

This paper analyzes the emergence of Trapdoor scam tokens on Uniswap, classifies their malicious techniques, and introduces TrapdoorAnalyser, a detection tool that outperforms existing solutions and enables large-scale identification of scam tokens.

Contribution

It provides the first systematic classification of Trapdoor tokens, develops a highly accurate detection tool, and creates a large dataset for machine learning-based scam detection.

Findings

TrapdoorAnalyser outperforms GoPlus in accuracy.

A dataset of 30,000 tokens enables effective machine learning detection.

Trapdoor tokens embed concealed malicious code techniques.

Abstract

We investigate in this work a recently emerged type of scam ERC-20 token called Trapdoor, which has cost investors billions of US dollars on Uniswap, the largest decentralised exchange on Ethereum, from 2020 to 2023. In essence, Trapdoor tokens allow users to buy but preventing them from selling by embedding logical bugs and/or owner-only features in their smart contracts. By manually inspecting a number of Trapdoor samples, we established the first systematic classification of Trapdoor tokens and a comprehensive list of techniques that scammers used to embed and conceal malicious codes, accompanied by a detailed analysis of representative scam contracts. In particular, we developed TrapdoorAnalyser, a fine-grained detection tool that generates and crosschecks the error-log of a buy-and-sell test and the list of embedded Trapdoor indicators from a contract-semantic check to reliably identify a Trapdoor token. TrapdoorAnalyser not only outperforms the state-of-the-art commercial tool GoPlus in accuracy, but also provides traces of malicious code with a full explanation, which most of the existing tools lack. Using TrapdoorAnalyser, we constructed the very first dataset of about 30,000 Trapdoor and non-Trapdoor tokens on UniswapV2, which allows us to train several machine learning algorithms that can detect with very high accuracy even Trapdoor tokens with no available Solidity source codes.