Identifying Scam Projects through Static Code Analysis

Problem Statement

Given the increasing number of scam projects in crypto, most bug bounty and contest platforms, as well as most audits that are conducted, focus on bugs and problems that cause loss of money through black-hat hackers and malicious individuals. But an important aspect that has received less attention is that some projects seek to defraud and scam their own users by placing malicious code, a backdoor, or something similar in their project code.

My goal is to create a tool and method that can identify scam projects by statically analyzing the code of most projects. This is important both for individuals as investors and for companies investing in these projects.

Solution Overview

This project intends to perform static analysis on most of the existing projects written in the Solidity language (manually and automatically), identify scam projects, and add the identified scam projects to a warning list.

This project focuses specifically on static code analysis, and there is almost nothing like it.

Project Description

This project consists of several parts:

  • A main part that performs static analysis and looks for all dangerous items in the code. (Here you can analyze the project's GitHub repository, the various networks where the project is deployed, and even source code that we have locally.)

  • Another part is a search engine with which you can search for a project in various ways

  • A warning list to which identified scam projects can be added, and where people can search for their desired project before investing; if there is a warning in this list, they can examine the project more carefully or even go to another project.

Users, whether individuals or investment companies, can search for their desired project in various ways (project source code, GitHub, or the project's smart contract link) and analyze it to see the results, or they can even search for the project name in the warning list.

One of the results of this project in its early stages is the identification of a scam project that is among the first 100 projects on the coinmarketcap site. That project's goal is a rug pull, and its report will be published soon.

9 Likes

When I think about your project, can I think of it as a project to identify scam projects?

3 Likes

Starting from the concept that scams are out there, I do believe the idea is definitely powerful, and I do like it. I would love to see how this turns into a Web3 dApp.

4 Likes

This tackles a huge blind spot in current security practices. Most tools focus on external threats, but very few catch intentional internal scams baked into the code.

2 Likes

Thank you for your attention to this project.

Yes, that’s right. In fact, the goal is to identify scam projects and help people make safe investments, and also to prevent people from losing their money and assets as much as possible. Even on a bigger scale, I’m thinking about investment companies so that we can help them too.

1 Like

Thank you for your attention and consideration to this project.

I think a great tool was initially a small tool to which more features were gradually added. The work I started is still in its early stages, and I am trying to gradually add more important and useful features to it.

The point that I am very excited about is that with this main feature I was able to identify a scam project that is among the top 100 projects on the coinmarketcap site and that is planning a rug pull. I sent its report to several relevant institutions, and I also think it would be great if I could publish it in a security magazine. I am trying to do the necessary things as quickly as possible so that the necessary warning about this project is published publicly and, together with several institutions, we can prevent this scam.

1 Like

Thank you very much for your attention.

As you rightly pointed out, this is a big problem, and I happened to be looking for a solution to it because I faced the same problem. After I identified the scam project I mentioned above, I first reported it to the project team on a bug bounty platform. I thought that since it was inside the platform it would definitely be taken care of, but I was wrong: the project team said that they need this backdoor. I asked the platform for mediation, and after reviewing they said that what I suggested is correct and the POC is also correct, but since the project team says they need that piece of malicious code, they cannot do anything. (It is very clear what they need this malicious code and backdoor for. To be more clear, they can transfer any user's assets to any address they want at any time without having sufficient permission and allowance.) The platform simply did nothing.

After this incident I decided to send the full report to several entities, in the hope that they could prevent this rug pull. I even tried to contact the exchanges that listed it and warn them, but only two of them responded; the rest did not even reply to my message, which is very unfortunate. Even of those who responded, one tried to connect me with the project team and the other said that what the project is pursuing is none of their business. It was very strange to me that they only care about money and not even about their own reputation.

2 Likes
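The backdoor shape described in the post above (a function that can transfer any user's assets to any address without sufficient allowance), together with the "looks for all dangerous items in the code" static check the first post outlines, as an added example that is not part of the original thread or of the author's tool. Everything here is constructed: the `SampleToken` contract and its owner-only `rescueTokens` function are hypothetical, and the detector is a regex-and-brace-matching approximation of what a real analyzer would do over an AST. The rule it implements is narrow on purpose: flag any function that hands an account other than `msg.sender` to the internal `_transfer` without touching an allowance.

```python
import re
from dataclasses import dataclass

# Constructed sample (not any real project's code): an ERC-20-style token in
# which the owner-only function between the markers can move any holder's
# balance to any address with no allowance check.
SAMPLE_TOKEN = """
pragma solidity ^0.8.0;

contract SampleToken {
    mapping(address => uint256) private _balances;
    mapping(address => mapping(address => uint256)) private _allowances;
    address public owner;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function transfer(address to, uint256 amount) public returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) public returns (bool) {
        uint256 allowed = _allowances[from][msg.sender];
        require(allowed >= amount, "insufficient allowance");
        _allowances[from][msg.sender] = allowed - amount;
        _transfer(from, to, amount);
        return true;
    }

    // BACKDOOR-START (hypothetical, for this example only)
    function rescueTokens(address from, address to, uint256 amount) external onlyOwner {
        _transfer(from, to, amount);
    }
    // BACKDOOR-END

    function _transfer(address from, address to, uint256 amount) internal {
        require(_balances[from] >= amount, "insufficient balance");
        _balances[from] -= amount;
        _balances[to] += amount;
    }
}
"""

# Same token with the marked function cut out, used as the clean control.
CLEAN_TOKEN = re.sub(r"// BACKDOOR-START.*?// BACKDOOR-END\n", "", SAMPLE_TOKEN, flags=re.S)

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")
MOVE_CALL_RE = re.compile(r"\b_transfer\s*\(\s*([^,]+?)\s*,")          # first arg = debited account
ALLOWANCE_RE = re.compile(r"_allowances\s*\[|\ballowance\s*\(|_spendAllowance\s*\(")
PRIVILEGED_RE = re.compile(r"\bonlyOwner\b|msg\.sender\s*==\s*owner\b")
EXTERNAL_RE = re.compile(r"\b(public|external)\b")


@dataclass
class Function:
    name: str
    params: str
    modifiers: str   # text between ')' and '{': visibility, modifiers, returns
    body: str


@dataclass
class Finding:
    function: str
    sender_arg: str   # the account expression handed to _transfer
    privileged: bool  # gated by onlyOwner or an explicit owner check
    reachable: bool   # public/external, so callable from outside the contract


def extract_functions(src: str) -> list:
    """Split source into functions by matching the braces of each body."""
    funcs = []
    for m in FUNC_RE.finditer(src):
        start = m.end() - 1          # index of the opening '{'
        depth = 0
        for j in range(start, len(src)):
            if src[j] == "{":
                depth += 1
            elif src[j] == "}":
                depth -= 1
                if depth == 0:
                    funcs.append(Function(m.group(1), m.group(2), m.group(3), src[start + 1:j]))
                    break
    return funcs


def find_backdoors(src: str) -> list:
    """Flag functions that debit an account other than msg.sender via _transfer
    without consuming an allowance: transferFrom without the approval."""
    findings = []
    for f in extract_functions(src):
        if ALLOWANCE_RE.search(f.body):
            continue                   # spends an allowance: ordinary transferFrom
        for call in MOVE_CALL_RE.finditer(f.body):
            sender_arg = call.group(1).strip()
            if sender_arg == "msg.sender":
                continue               # caller only spends its own balance
            findings.append(Finding(
                function=f.name, sender_arg=sender_arg,
                privileged=bool(PRIVILEGED_RE.search(f.modifiers) or PRIVILEGED_RE.search(f.body)),
                reachable=bool(EXTERNAL_RE.search(f.modifiers))))
    return findings


if __name__ == "__main__":
    for label, src in (("SAMPLE_TOKEN", SAMPLE_TOKEN), ("CLEAN_TOKEN", CLEAN_TOKEN)):
        for hit in find_backdoors(src):
            print(f"{label}: {hit.function}() debits '{hit.sender_arg}' with no allowance "
                  f"check (privileged={hit.privileged}, reachable={hit.reachable})")
```

Run as a script it reports only `rescueTokens` for the sample and nothing for the control. The `privileged` flag matters for triage rather than for severity: an owner-gated version is exactly the "we need this backdoor" case the post describes, while an unguarded one would let anyone drain holders. A production check should work on the compiler's AST instead of regexes (so that aliasing of `_transfer`, inherited implementations, and multi-line calls are handled) and should also look at assembly blocks and at direct writes to the balance mapping, which this pattern does not cover.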

Hello @Crypto4udit, hope you are well, and thanks for this much-needed concept.

  1. How is a project added to the warning list? Is there a peer-review or DAO voting process before flagging?
  2. Could this tool integrate with launchpads, DEXes, or token deployment platforms to offer pre-deployment warnings?

4 Likes

Hello @priyankg3, Thank you very much

In the first months after I started the project, some issues were very clear to me about how to move forward; for example, I wanted it to be very easy to use so that users at any level could use it. One of the additional features, in my opinion, was this warning list. Initially, I was thinking of adding a scam project to the warning list when it is found after static analysis of the project's code; this list will be updated over time. I also thought of publishing it in any way and on any platform so that as many people active in crypto as possible can see it. As a result, I thought that perhaps one of the appropriate methods is to collaborate with other projects such as tools, extensions, and even platforms, so that this warning list can be integrated with them and we can do a better job of informing people and helping them invest safely.

It is always said that before investing in an asset you must become familiar with it and research it, and some people never do this. As a result, one of the goals of creating a warning list is to help these people, so if we can integrate this list with more tools and platforms, we will get closer to our goals. This feature is not yet implemented and is on the to-do list.

About the interesting point you mentioned, the DAO voting process: what is your goal with this? Do you think this should be done for all scam projects that are found? Or, if there were a discussion about the maliciousness of a piece of code and we doubted that it could really lead to dangerous results, should we vote on it? Could you please give an example of a piece of code whose maliciousness was questionable?

2 Likes

Thank you for the detailed explanation; I really appreciate how thoughtfully you're approaching this.

I completely agree with your vision of making the warning list widely accessible by integrating it with tools, launchpads, and platforms. That kind of visibility can really make a difference, especially for retail users who may not do in-depth research themselves.

4 Likes

Thank you, this project addresses a clear and critical need in the space.

I’d like to ask a question:

Scam projects are often well-hidden and may not be detectable through static analysis alone. Do you have plans to include behavioral or on-chain activity analysis in the future, or will the project remain focused solely on code analysis?

1 Like

Thanks for your attention and carefulness.

There have been several examples of this type of scam project in the last few years that could probably have been prevented if their code had been carefully examined and analyzed.

But as you rightly pointed out, some projects do not have malicious code in their source code; in those cases, by analyzing team behavior, on-chain activity, etc., we discover frauds such as pump and dump.

To make the project more complete and give it a long-term perspective, I think such a service should be provided alongside this tool. As is clear, and as you know, these two use different methods, but the results of both can be shown to the user in a dashboard to obtain a more comprehensive view. Also, if a scam project is discovered as a result of this analysis, it can be added to the warning list.

In the short term, given the many features I would like to add to this project, I will try to bring this project to a suitable point, implement most of these features, and then start working on that other method and service.

2 Likes

Thank you for your thoughtful insights and suggestions! Wishing you great success with the project.

1 Like