If you’re the type of diligent DeFi user who checks their wallet address on FTMScan, you may have noticed some tokens you don’t recognize. FTMScan’s data has revealed that hundreds of thousands of FTM wallets have been plagued by this wave of unwanted airdrops. But what are these trash tokens? And what should you do about them?
Trash tokens explained
DeFi protocols are the leading source of stolen cryptocurrencies, according to a recent report, ‘Crypto Crime Trends for 2022’, from Chainalysis. Trash tokens are just one of the many tools scammers employ to steal assets from DeFi users.
I’m classifying ‘Trash tokens’ as any token designed to cause harm or create vulnerabilities in your wallet.
Any token you’re not intimately familiar with should be treated as hostile. Malicious actors develop tokens to send to wallets with the express purpose of finding and exploiting important user information. Think of it as an airdrop, but instead of tokens you’re getting spam emails. They leverage these tokens in several ways:
- Scammers will airdrop tokens to your wallet address and then contact you to provide information on where to withdraw/exchange the tokens, often directing users to malicious websites.
- The airdrop tokens advertise a new dApp. You’ll then rush to their dApp to access your supposed newfound wealth. They will hit you with a standard-looking approval transaction, but the code could contain nefarious permissions. Once you approve it, they can access almost anything you hold in that wallet.
- Dusting attacks are when scammers send tiny amounts of tokens to several wallets. Once you interact with these tokens, the scammers can analyze the addresses that interacted with them and attempt to identify the owners of the address to extort them further.
- Some scammers will airdrop a token that looks very similar to a legitimate token, but it directs you to a scam site. Always double-check your tokens and contract addresses!
Sorting the trash from the treasure
The first rule of thumb is if you’re not sure where the token came from, do not engage with it! Treat it like foraging for food in the wild; only interact with it if you’re 100% sure that it is what you think it is. If it’s something you don’t recognize and it seems too good to be true, it probably is, and it could cause you some serious pain.
Your next step should be to check if the token contract is verified on FTMScan. Under the Blockchain heading, you’ll find a tab named Verified Contracts. Click on that, and you can search smart contracts with verified source code. Authors of legitimate smart contracts will provide FTMScan with their source code to allow users to audit their code independently. If your token does not have verified source code, leave it alone.
If you are confident in inspecting smart contracts, start reading through and see if you can find any suspicious functions. Popular functions for scammers to modify are:
- Mint Function – Can the owners mint extra tokens for themselves?
- Freeze Function – Can the owner freeze assets?
- Self Destruct – Can the owner destroy the contract and run away with all the tokens?
Another useful tool in sniffing out trash tokens is Token Sniffer. This website allows users to identify malicious contracts, exit scams, and hacks by scanning contracts for known scams and compiling an automated audit of safety criteria.
Keeping your wallet safe
Prevention is better than the cure, so try creating a new wallet used exclusively for whitelists or airdrops. Think of this as your junk e-mail and only interact with assets within this wallet that you trust.
Get in the habit of reviewing and revoking token approvals on FTMScan. Head here to input your wallet address and check out exactly what contracts your FTM address is currently interacting with and check if you recognize each of them. Once you connect to your wallet, you’ll be able to revoke permissions on a contract-by-contract basis. I recommend clearing all permissions and starting with a clean slate. Then, start revoking token approvals every fortnight or so, and you’ll soon be comfortable with identifying permissions that don’t belong.
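To show what an approval review is actually reading, here is an added example (not from the original article or from FTMScan) that rebuilds a wallet's open ERC-20 approvals from `Approval` event logs and marks unlimited ones. It assumes logs shaped like a JSON-RPC `eth_getLogs` response; every address and log in it is constructed, and the "unlimited" threshold is an assumption.

```python
# Added example. Addresses and logs below are constructed, not real chain data.
# keccak256("Approval(address,address,uint256)"), the ERC-20 Approval event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**255  # assumption: treat allowances this large as unlimited

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20 bytes."""
    return "0x" + topic[-40:].lower()

def open_approvals(logs, wallet):
    """Map (token, spender) -> last approved amount, dropping revoked (zero) ones."""
    latest = {}
    in_order = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    for log in in_order:
        topics = log["topics"]
        # ERC-20 Approval carries 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != wallet.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = int(log["data"], 16)  # a later log overwrites an earlier one
    return {k: v for k, v in latest.items() if v > 0}

def describe(amount):
    return "UNLIMITED" if amount >= UNLIMITED else str(amount)

def _log(token, owner, spender, amount, block, index, extra_topics=()):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(index),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra_topics],
            "data": "0x" + format(amount, "064x")}

WALLET, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
TOKEN_A, TOKEN_B, NFT = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
SPENDER_X, SPENDER_Y = "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    _log(TOKEN_B, WALLET, SPENDER_Y, 0, 150, 1),            # revocation
    _log(TOKEN_A, WALLET, SPENDER_X, 2**256 - 1, 100, 0),   # unlimited approval
    _log(TOKEN_B, WALLET, SPENDER_Y, 500, 101, 3),          # later revoked
    _log(TOKEN_A, OTHER, SPENDER_X, 10, 120, 0),            # someone else's wallet
    _log(NFT, WALLET, SPENDER_X, 0, 130, 0, ("0x" + "0" * 63 + "7",)),  # ERC-721
]

if __name__ == "__main__":
    for (token, spender), amount in open_approvals(SAMPLE_LOGS, WALLET).items():
        print(f"token {token} -> spender {spender}: {describe(amount)}")
```

The last `Approval` log records the amount that was set, not what remains after the spender has used some of it; the token's `allowance(owner, spender)` call is the authoritative figure.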
Safety should be your primary concern when surfing the web3 wave. The best way to safeguard your assets is to keep a vigilant and conscious eye on your interactions within the space. We should all be consistently improving our security practices, as scammers are surely working hard to improve their attack methods.
In short, if you don’t recognize it, don’t touch it!