|
| 1 | +--- |
| 2 | +title: How to identify scam tokens |
| 3 | +description: Understanding scam tokens, how they make themselves look legitimate, and how to avoid them. |
| 4 | +lang: en |
| 5 | +--- |
| 6 | + |
| 7 | +# How to identify scam tokens {#identify-scam-tokens} |
| 8 | + |
| 9 | +One of the most common uses for Ethereum is for a group to create a tradable token, in a sense their own currency. These tokens typically follow a standard, [ERC-20](/developers/docs/standards/tokens/erc-20/). However, anywhere there are legitimate use cases that bring value, there are also criminals who try to steal that value for themselves. |
| 10 | + |
| 11 | +There are two ways in which they are likely to deceive you: |
| 12 | + |
| 13 | +- **Selling you a scam token**, which may look like the legitimate token you want to purchase, but are issued by the scammers and worth nothing. |
| 14 | +- **Tricking you into signing bad transactions**, usually by directing you into their own user interface. They mignt try to get you into giving their contracts an allowance on your ERC-20 tokens, exposing sensitive information that gives them access to your assets, etc.. These user interfaces might be near-perfect clones of honest sites, but with hidden tricks. |
| 15 | + |
| 16 | +To illustrate what scam tokens are, and how to identify them, we are going to look at an example of one: [`wARB`](https://etherscan.io/token/0xb047c8032b99841713b8e3872f06cf32beb27b82). This token attempts to look like the legitimate [`ARB`](https://etherscan.io/address/0xb50721bcf8d664c30412cfbc6cf7a15145234ad1) token. |
| 17 | + |
| 18 | +<ExpandableCard |
| 19 | +title="What is ARB?" |
| 20 | +contentPreview=''> |
| 21 | + |
| 22 | +Arbitrum is an organization that develops and manages <a href="/developers/docs/scaling/optimistic-rollups/">optimistic rollups</a>. Initially Arbitrum was organized as a for-profit company, but then took steps to decentralize. As part of that process, they issued a tradeable <a href="/dao/#token-based-membership">governance token</a>. |
| 23 | + |
| 24 | +</ExpandableCard> |
| 25 | + |
| 26 | +<ExpandableCard |
| 27 | +title="Why is the scam token called wARB?" |
| 28 | +contentPreview=''> |
| 29 | + |
| 30 | +There is a convention in Ethereum that when an asset is not ERC-20 compliant we create a "wrapped" version of it with the name starting with "w". So, for example, we have wBTC for bitcoin and <a href="https://cointelegraph.com/news/what-is-wrapped-ethereum-weth-and-how-does-it-work">wETH for ether</a>. |
| 31 | + |
| 32 | +It does not make sense to create a wrapped version of an ERC-20 token that is already on Ethereum, but scammers rely on the appearance of legitimacy rather than the underlying reality. |
| 33 | + |
| 34 | +</ExpandableCard> |
| 35 | + |
| 36 | + |
| 37 | +## How do scam tokens work? {#how-do-scam-tokens-work} |
| 38 | + |
| 39 | +The whole point of Ethereum is decentralization. This means that there is no central authority that can confiscate your assets or prevent you from deploying a smart contract. But it also means that scammers can deploy any smart contract they wish. |
| 40 | + |
| 41 | +<ExpandableCard |
| 42 | +title="What are smart contracts?" |
| 43 | +contentPreview=''> |
| 44 | + |
| 45 | +<a href="/developers/docs/smart-contracts/">Smart contracts</a> are the programs that run on top of the Ethereum blockchain. Every ERC-20 token, for example, is implemented as a smart contract. |
| 46 | + |
| 47 | +</ExpandableCard> |
| 48 | + |
| 49 | +Specifically, Arbitrum deployed a contract that uses the symbol `ARB`. But that doesn't stop other people from also deploying a contract that uses the exact same symbol, or a similar one. Whoever writes the contract gets to set what the contract will do. |
| 50 | + |
| 51 | +## Appearing legitimate {#appearing-legitimate} |
| 52 | + |
| 53 | +There are several tricks that scam token creators do to appear legitimate. |
| 54 | + |
| 55 | +- **Legitimate name and symbol**. As mentioned before, ERC-20 contracts can have the same symbol and name as other ERC-20 contracts. You cannot count on those fields for security. |
| 56 | + |
| 57 | +- **Legitimate owners**. Scam tokens often airdrop significant balances to addresses that can be expected to be legitimate holders of the real token. |
| 58 | + |
| 59 | + For example, lets look at `wARB` again. [About 16% of the tokens](https://etherscan.io/token/0xb047c8032b99841713b8e3872f06cf32beb27b82?a=0x1c8db745abe3c8162119b9ef2c13864cd1fdd72f) are held by an address whose public tag is [Arbitrum Foundation: Deployer](https://etherscan.io/address/0x1c8db745abe3c8162119b9ef2c13864cd1fdd72f). This is *not* a fake address, it really is the address that [deployed the real ARB contract on Ethereum mainnet](https://etherscan.io/tx/0x242b50ab4fe9896cb0439cfe6e2321d23feede7eeceb31aa2dbb46fc06ed2670). |
| 60 | + |
| 61 | + Because the ERC-20 balance of an address is part of the ERC-20 contract's storage, it can be specified by the contract to be whatever the contract developer wishes. It is also possible for a contract to forbid transfers so the legitimate users won't be able to get rid of those scam tokens. |
| 62 | + |
| 63 | +- **Legitimate transfers**. *Legitimate owners wouldn't pay to transfer a scam token to others, so if there are transfers it must be legitimate, right?* **Wrong**. `Transfer` events are produced by the ERC-20 contract. A scammer can easily write the contract in such a way it will produce those actions. |
| 64 | + |
| 65 | + |
| 66 | +## Scammy websites {#websites} |
| 67 | + |
| 68 | +Scammers can also produce very convincing websites, sometimes even precise clones of authentic sites with identical UIs, but with subtle tricks. Examples might be external links that seem legitimate actually sending the user to an external scam site, or incorrect instructions that guide the user to exposing their keys or sending funds to an attacker's address. |
| 69 | + |
| 70 | +The best practise for avoiding this is to carefully check the URL for the sites you visit, and save addresses for known authentic sites in your bookmarks. Then, you can access the real site through your bookmarks without accidentally making spelling errors or relying on external links. |
| 71 | + |
| 72 | + |
| 73 | +## How can you protect yourself? {#protect-yourself} |
| 74 | + |
| 75 | +1. **Check the contract address**. Legitimate tokens come from legitimate organizations, and you can see the contract addresses on the organization's web site. For example, [for `ARB` you can see the legitimate addresses here](https://docs.arbitrum.foundation/deployment-addresses#token). |
| 76 | + |
| 77 | +2. **Real tokens have liquidity**. Another option is to look at liquidity pool size on [Uniswap](https://uniswap.org/), one of the most common token swapping protocols. This protocol works using liquidity pools, into which investors deposit their tokens in hope of a return from trading fees. |
| 78 | + |
| 79 | +Scam tokens typically have tiny liquidity pools, if any, because the scammers don't want to risk real assets. For example, the `ARB`/`ETH` Uniswap pool holds about a million dollars ([see here for the up to date value](https://info.uniswap.org/#/pools/0x755e5a186f0469583bd2e80d1216e02ab88ec6ca)) and buying or selling a small amount is not going to change the price: |
| 80 | + |
| 81 | +  |
| 82 | + |
| 83 | + But when you try to buy the scam token `wARB`, even a tiny purchase would change the price by over 90%: |
| 84 | + |
| 85 | +  |
| 86 | + |
| 87 | + This is another piece of evidence that shows us `wARB` is not likely to be a legitimate token. |
| 88 | + |
| 89 | +3. **Look in Etherscan**. A lot of scam tokens have already been identified and reported by the community. Such tokens are [marked in Etherscan](https://info.etherscan.com/etherscan-token-reputation/). While Etherscan is not authoritative source of truth (it is the nature of decentralized networks that there can't be an authoritative source for legitimacy), tokens that are identified by Etherscan as scams are likely to be scams. |
| 90 | + |
| 91 | +  |
| 92 | + |
| 93 | + |
| 94 | +## Conclusion {#conclusion} |
| 95 | + |
| 96 | +As long as there is value in the world, there are going to be scammers who attempt to steal it for themselves, and in a decentralized world there is nobody to protect you except for yourself. Hopefully, you remember these points to help tell the legitimate tokens from the scams: |
| 97 | + |
| 98 | +- Scam tokens impersonate legitimate tokens, they can use the same name, symbol, etc. |
| 99 | +- Scam tokens *cannot* use the same contract address. |
| 100 | +- The best source for the address of the legitimate token is the organization whose token it is. |
| 101 | +- Failing that, you can use popular, trusted applications such as [Uniswap](https://app.uniswap.org/#/swap) and [Etherscan](https://etherscan.io/). |
0 commit comments