From Programming Bugs to Multimillion-Dollar Scams: An Analysis of Trapdoor Tokens on Uniswap
Phuong Duy Huynh, Thisal De Silva, Son Hoang Dau, Xiaodong Li, Iqbal Gondal, Emanuele Viterbo
TL;DR
Trapdoor tokens on Uniswap pose a substantial investor risk by enabling purchases while blocking sells through malicious contract logic. The authors introduce TrapdoorAnalyser, a three-component framework combining Buy-and-Sell checks with a Contract-Semantic analysis to reliably detect Trapdoor tokens and generate a large ground-truth dataset; they further train ML detectors using both exchange and opcode features to identify Trapdoor tokens even when source code is unavailable. They provide a five-category taxonomy of Trapdoor techniques, demonstrate superiority over the GoPlus tool, and show that the combined dataset and models enable high-accuracy detection for unseen tokens. The work offers practical infrastructure for defenders, auditors, and researchers to analyze, detect, and understand Trapdoor scams across UniswapV2 and beyond, with clear pathways to extend to other DEXs.
Abstract
We investigate in this work a recently emerged type of scam ERC-20 token called Trapdoor, which has cost investors billions of US dollars on Uniswap, the largest decentralised exchange on Ethereum, from 2020 to 2023. In essence, Trapdoor tokens allow users to buy but prevent them from selling by embedding logical bugs and/or owner-only features in their smart contracts. By manually inspecting a number of Trapdoor samples, we established the first systematic classification of Trapdoor tokens and a comprehensive list of techniques that scammers use to embed and conceal malicious code, accompanied by a detailed analysis of representative scam contracts. In particular, we developed TrapdoorAnalyser, a fine-grained detection tool that generates and cross-checks the error log of a buy-and-sell test and the list of embedded Trapdoor indicators from a contract-semantic check to reliably identify a Trapdoor token. TrapdoorAnalyser not only outperforms the state-of-the-art commercial tool GoPlus in accuracy, but also provides traces of the malicious code with a full explanation, which most existing tools lack. Using TrapdoorAnalyser, we constructed the first dataset of about 30,000 Trapdoor and non-Trapdoor tokens on UniswapV2, which allows us to train several machine learning algorithms that detect, with very high accuracy, even Trapdoor tokens for which no Solidity source code is available.
