According to analysis by Tan Phat Digital, the explosion of decentralized finance (DeFi) and decentralized applications (dApps) has brought a revolution in financial autonomy, but at the same time opened a new era for cybercriminals. During 2022-2023, losses from smart contract-related attacks and scams reached billions of dollars, with reports recording a figure of $3.7 billion in 2022 alone. The most worrying point today is not unintentional technical vulnerabilities alone but the rise of contracts designed with intentionally malicious logic. Their creators take advantage of blockchain immutability and users' lack of technical understanding to misappropriate assets with no mechanism for reversal. Identifying the often-overlooked signs of a malicious contract requires a thorough understanding of the Ethereum Virtual Machine (EVM) architecture, token standards, and how block explorers work.
The Nature and Execution Mechanisms of Malicious Smart Contracts
A malicious smart contract is more than a piece of faulty code; it is a financial instrument programmed to break the assumptions users rely on for their safety. A core characteristic of smart contracts is that they are self-executing and independent of third parties, which means that once a transaction is triggered, no regulator or bank can intervene to protect the user if something goes wrong. Smart contract fraud often involves "backdoors" that allow project owners to withdraw all assets in the liquidity pool, or hidden conditions that prevent users from withdrawing their funds.
See more: What is Smart Contract? Things to know about Smart Contracts
Reentrancy and Manipulated Logic in Honeypot Contracts
Reentrancy is a classic example of how contract logic can be exploited to drain funds from a protocol. It occurs when a contract calls an external address (usually the attacker's contract) before it has updated its internal balance state. The attacker's contract uses a fallback function to call the victim's withdrawal function again, several times within a single transaction, withdrawing more than its actual balance.
The danger increases when this technique is used in "honeypot" contracts. Scammers deliberately deploy a contract that appears vulnerable to reentrancy to attract developers or vulnerability-hunting bots to deposit funds in the hope of "hacking" it. The honeypot contract, however, contains additional checks or hidden functions that make withdrawal practically impossible, turning the would-be hacker into the victim. The risk therefore comes not only from interacting with a dApp, but also from trying to exploit seemingly "bad" contracts on the blockchain.
Common types of reentrancy:
Single-function reentrancy: the same function is called again before its first execution has finished. This breaks the integrity of the balance data and leads to unlimited withdrawals.
Cross-function reentrancy: the attacker uses two different functions that share the same state. This type is harder to detect by testing a single function's logic and requires analysis of the global state.
Cross-contract reentrancy: occurs when the state of one contract depends on the not-yet-updated state of another contract, often causing logic errors across complex DeFi protocols.
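The single-function case and the honeypot twist described above, as an added Python model that is not part of the original article. The EVM, ether and gas are simulated in plain Python; the contract names (VulnerableVault, SafeVault, HoneypotVault), the addresses and the depth limit are all assumptions made for the illustration. The vulnerable vault pays out before it updates its balance record, the safe vault applies checks-effects-interactions, and the honeypot looks identical from outside but carries a hidden condition that traps every depositor except its deployer.

```python
# Added example (not from the original article): a Python model of the
# reentrancy pattern described above. The EVM, ether and gas are simulated;
# contract and address names are illustrative.


class Reverted(Exception):
    """Stands in for an EVM revert."""


class VulnerableVault:
    """Pays the caller *before* updating its balance record (the bug)."""

    def __init__(self, funds):
        self.balances = {}      # depositor address -> credited balance
        self.funds = funds      # ether the contract actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, caller):
        amount = self.balances.get(caller.address, 0)
        if amount == 0:
            raise Reverted("nothing to withdraw")
        self.funds -= amount
        caller.receive(self, amount)            # interaction: control leaves
        self.balances[caller.address] = 0       # effect comes too late


class SafeVault(VulnerableVault):
    """Same interface, but follows checks-effects-interactions."""

    def withdraw(self, caller):
        amount = self.balances.get(caller.address, 0)
        if amount == 0:
            raise Reverted("nothing to withdraw")
        self.balances[caller.address] = 0       # effect first
        self.funds -= amount
        caller.receive(self, amount)            # interaction last


class HoneypotVault(VulnerableVault):
    """Looks exactly like VulnerableVault from outside, but a hidden condition
    (here: only the deployer may ever withdraw) traps every other depositor."""

    def __init__(self, funds, deployer="0xDEPLOYER"):
        super().__init__(funds)
        self.deployer = deployer

    def withdraw(self, caller):
        if caller.address != self.deployer:
            raise Reverted("hidden honeypot condition")
        super().withdraw(caller)


class ReentrantCaller:
    """A contract whose receive/fallback function calls withdraw again while
    the first call is still running, bounded by a depth limit (as gas would)."""

    def __init__(self, address, max_depth=5):
        self.address = address
        self.received = 0
        self.depth = 0
        self.max_depth = max_depth

    def receive(self, vault, amount):
        self.received += amount
        if self.depth < self.max_depth and vault.funds > 0:
            self.depth += 1
            try:
                vault.withdraw(self)        # re-enter before state is updated
            except Reverted:
                pass                        # nested call failed; outer continues
            self.depth -= 1


def run_scenario(vault_cls, pool_funds=100, own_deposit=10):
    """Deposit into a vault already holding other users' funds, then withdraw.
    Returns (amount received by the caller, funds left in the vault)."""
    vault = vault_cls(pool_funds)
    caller = ReentrantCaller("0xCALLER")
    vault.deposit(caller.address, own_deposit)
    try:
        vault.withdraw(caller)
    except Reverted:
        pass                                # honeypot: the deposit is stuck
    return caller.received, vault.funds


if __name__ == "__main__":
    for cls in (VulnerableVault, SafeVault, HoneypotVault):
        print(cls.__name__, run_scenario(cls))
```

With a deposit of 10 into a pool of 100, the vulnerable vault pays the caller 60 (its own deposit plus five re-entered withdrawals) and is left with 50, the safe vault pays exactly 10 because the nested call finds a zeroed balance and reverts, and the honeypot keeps all 110: the caller gets nothing back. The model deliberately lets a nested revert be swallowed so the outer call continues, which is how a low-level call that returns false behaves; in the real EVM an unhandled revert in the fallback would unwind the whole transaction.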
Violations in Access Control and Minting Logic
One of the most common signs of a malicious contract that users tend to ignore is the presence of admin functions with excessive powers. Functions such as mintUnlimitedTokens(), ownerOnlyWithdraw() or variations of a blacklist() function give the contract owner complete control over the fate of users' assets. A real-life example is the hack of the DMC project, where the mintFromStaking() function lacked an access control mechanism, allowing the attacker to mint over 40 million new tokens and drain liquidity on PancakeSwap.
Improper access control is often disguised behind technical or seemingly harmless function names. Fraudsters may use tx.origin instead of msg.sender for authorization, which opens the door to phishing attacks through an intermediary contract, or hide owner-change logic (setOwner) deep in obfuscated source code. Users often see only the shiny user interface without checking whether the administrative role has actually been renounced or is held by a private wallet capable of manipulating the entire supply.
See also: How dangerous is Approval scam and why so many people fall into the trap
Risks from Token Approval Authority and Sophisticated Phishing Attacks
Token approval is the backbone of DeFi transactions: it gives a dApp the authority to spend tokens on the user's behalf. It is also the "Achilles heel" that cybercriminals exploit most thoroughly. When users interact with a decentralized exchange (DEX), they are typically asked to sign an approve transaction, and dApps usually request unlimited approval so that users do not have to repeat the operation and pay gas each time.
Unlimited Approval Mechanism and transferFrom Function
Technically, the approve(spender, amount) function records an "allowance" value on the blockchain for a specific contract address. If a user signs an approval with the maximum value ($2^{256} - 1$), the dApp has the right to withdraw the entire balance of that token from the user's wallet at any time via the transferFrom() function. The risk materializes when the dApp's contract is hacked or the dApp itself is a fraud tool. The attacker does not need the user's private key; they simply execute a transfer using the permission the user voluntarily granted earlier.
Risk analysis by approval status:
Unlimited approval: the user risks losing the entire token balance for good, because the allowance is greater than or equal to the wallet balance, so a transferFrom call succeeds at any time.
Limited approval: only the approved amount of tokens can be taken; a transferFrom call beyond that is blocked by the specific allowance value that was signed.
Wallet connected only: this state is safe and no assets can be lost, because no approve transaction has been recorded on the blockchain and any transferFrom call will be reverted.
Phishing Trends and Malicious Signatures in Vietnam
In Vietnam, scams that bypass the approval step are becoming extremely popular under names such as "Scam Airdrop" or "Fake Tech Support". Fraudsters send unfamiliar tokens to users' wallets together with a link to a fake website. When users visit it and try to "claim" the reward, they are lured into signing approval requests or Permit signatures (EIP-712). The Permit signature is especially dangerous because it grants token access without the user sending an on-chain transaction at that moment: no gas fee is deducted, so the victim notices nothing and lets their guard down.
In addition, "Pig Butchering" - a form of romance and investment fraud - also takes advantage of malicious smart contracts to lock up victims' funds. Victims are instructed to deposit funds into a fake trading platform, where actual funds are transferred directly to the scammer's wallet through a contract that has hidden withdrawal rights set up.
Obfuscation and Proxy: Malicious Contract Cloaking Techniques
To avoid detection by automated scanning tools and security analysts, attackers often use code obfuscation techniques and complex proxy structures. Misleading function names are a common tactic; for example, a function that actually drains the contract's funds (a rug pull) may be named safeWithdraw() or emergencyRefund().
Delegatecall and Contract Upgrade Risks
The proxy model allows one contract (the proxy) to forward execution to another contract (the implementation) via the delegatecall instruction. The key point is that delegatecall executes the target contract's code but uses the calling contract's storage. This allows the project owner to change the implementation address at any time. A project could start with a completely clean contract to pass initial audits, then "upgrade" to a malicious version to extract user funds.
An attacker could also exploit storage collisions in proxy structures to change important variables such as the owner address or transaction control flags. These vulnerabilities are hard for ordinary users to detect because on block explorers like Etherscan they only see interactions with the proxy address, which contains no malicious logic itself.
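The storage-collision mechanism above, as an added Python toy model that is not code from the article or from any real proxy library. The slot numbers, the addresses (OWNER, CLEAN_IMPL, COLLIDING_IMPL) and the contract names are assumptions. Storage is a dict of numbered word slots as in the EVM; delegatecall runs the implementation's method against the proxy's own storage, so an implementation whose first variable was declared in slot 0 overwrites the owner slot on its first write. The last function is the layout check an auditor or a careful user of an upgradeable project would want applied to every implementation.

```python
# Added example (not from the original article): a toy model of delegatecall
# storage semantics. It shows how an implementation whose storage layout
# ignores the proxy's reserved slots silently overwrites the owner slot,
# and the layout check an auditor would apply. Slot numbers, addresses and
# contract names are illustrative.

OWNER_SLOT = 0           # proxy stores its admin/owner address here
IMPL_SLOT = 1            # proxy stores the implementation address here

OWNER = 0xA11CE          # constructed owner address
CLEAN_IMPL = 0x1111      # constructed implementation addresses
COLLIDING_IMPL = 0x2222


class CleanImpl:
    """Layout-aware: leaves slots 0 and 1 to the proxy, own data from slot 2."""
    COUNTER_SLOT = 2

    def deposit(self, storage, amount):
        storage[self.COUNTER_SLOT] = storage.get(self.COUNTER_SLOT, 0) + amount


class CollidingImpl:
    """Written without regard to the proxy: its first variable lands in slot 0,
    the very slot the proxy uses for the owner."""
    COUNTER_SLOT = 0

    def deposit(self, storage, amount):
        storage[self.COUNTER_SLOT] = storage.get(self.COUNTER_SLOT, 0) + amount


CODE_AT = {CLEAN_IMPL: CleanImpl(), COLLIDING_IMPL: CollidingImpl()}


class Proxy:
    """Storage is a dict of 256-bit word slots, as in the EVM."""

    def __init__(self, owner, implementation):
        self.storage = {OWNER_SLOT: owner, IMPL_SLOT: implementation}

    def delegatecall(self, method, *args):
        # Run the implementation's code against *this* contract's storage.
        impl = CODE_AT[self.storage[IMPL_SLOT]]
        getattr(impl, method)(self.storage, *args)

    def upgrade(self, caller, new_impl):
        if caller != self.storage[OWNER_SLOT]:
            raise PermissionError("caller is not the owner")
        self.storage[IMPL_SLOT] = new_impl


def owner_after_deposit(impl_addr, amount=7):
    """Value of the owner slot after one deposit routed through the proxy."""
    proxy = Proxy(OWNER, impl_addr)
    proxy.delegatecall("deposit", amount)
    return proxy.storage[OWNER_SLOT]


def owner_can_upgrade_after(impl_addr, amount=7):
    """Can the real owner still upgrade once deposit has run? False means the
    collision has locked the legitimate admin out."""
    proxy = Proxy(OWNER, impl_addr)
    proxy.delegatecall("deposit", amount)
    try:
        proxy.upgrade(OWNER, impl_addr)
        return True
    except PermissionError:
        return False


def layout_is_compatible(impl_cls, reserved=(OWNER_SLOT, IMPL_SLOT)):
    """Audit-style check: no implementation variable may occupy a proxy slot."""
    used = {v for k, v in vars(impl_cls).items() if k.endswith("_SLOT")}
    return used.isdisjoint(reserved)


if __name__ == "__main__":
    for name, addr in (("clean", CLEAN_IMPL), ("colliding", COLLIDING_IMPL)):
        print(name, hex(owner_after_deposit(addr)), owner_can_upgrade_after(addr))
```

Through the clean implementation the owner slot is untouched; through the colliding one a deposit of 7 turns the owner address into OWNER + 7, after which the legitimate owner can no longer call upgrade. The same mechanism, used deliberately, is what lets a malicious project "upgrade" into code that rewrites control variables, which is why an upgrade of the implementation address on an explorer deserves as much scrutiny as the original deployment.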
Process for Checking and Identifying Malicious Smart Contracts
Tan Phat Digital recommends that users perform a multi-layer check, not just relying on surface information but going deep into on-chain data. Verifying the authenticity of the source code is the first and most important step. A verified contract on Etherscan or BscScan carries a green tick icon, which allows the community to review the actual source code.
Liquidity Lock Analysis
Liquidity is the factor that determines whether a user can sell their tokens at all. A malicious project typically performs a "rug pull" by draining liquidity from the trading pool. Users can perform a manual check on the block explorer with the following steps:
Go to the Token Tracker page of that token on the block explorer.
Find the initial liquidity deposit transaction and check which address received the LP (Liquidity Provider) tokens.
Confirm whether the LP tokens were sent to a "burn" address or to a reputable locking contract.
Common liquidity locking methods:
Burn address: LP tokens are transferred to the address ending in dEaD. This gives the highest level of trust, because no one can withdraw burned assets.
Unicrypt / PinkSale platform: an intermediary smart contract with a lock-up period. High level of trust; the unlock time can be checked publicly on the platform's website.
Dev wallet (unlocked): LP tokens sit directly in the developer's wallet. Very low level of trust; the project owner can withdraw the liquidity at any time to perform a rug pull.
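The manual check in the steps above, as an added Python example that is not part of the article: it replays a list of LP-token Transfer events (the kind an explorer's token tracker shows) into current holdings and rates them with the three trust levels just listed. The Transfer events, the dev wallet and the two locker addresses are constructed placeholders, not the real Unicrypt or PinkSale contracts, and the 20% "unlocked" threshold for the verdict is an assumption.

```python
# Added example (not part of the article): replay a token's LP-token Transfer
# events to see where the LP tokens ended up and rate them by the trust levels
# above. Events and locker addresses are constructed placeholders, not real
# Unicrypt/PinkSale contracts; the 20% threshold is an assumption.

from collections import defaultdict
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "0" * 40                 # mint source / burn target
BURN_ADDRESS = "0x" + "0" * 36 + "dead"        # the ...dEaD burn address
KNOWN_LOCKERS = {                              # placeholders, not real contracts
    "0x" + "0" * 38 + "c1": "Unicrypt locker (placeholder)",
    "0x" + "0" * 38 + "c2": "PinkSale locker (placeholder)",
}
DEV_WALLET = "0x" + "d" * 40                   # constructed deployer wallet


@dataclass
class Transfer:
    sender: str
    recipient: str
    amount: int


def lp_holdings(transfers):
    """Replay ERC-20 Transfer events (a mint is a transfer from the zero address)."""
    bal = defaultdict(int)
    for t in transfers:
        if t.sender.lower() != ZERO_ADDRESS:
            bal[t.sender.lower()] -= t.amount
        bal[t.recipient.lower()] += t.amount
    return {a: v for a, v in bal.items() if v > 0}


def classify(addr):
    """Map a holder address to one of the trust classes in the list above."""
    a = addr.lower()
    if a in (ZERO_ADDRESS, BURN_ADDRESS) or a.endswith("dead"):
        return "burned"
    if a in KNOWN_LOCKERS:
        return "locked"
    return "unlocked"                           # sitting in an ordinary wallet


def liquidity_report(transfers, max_unlocked_pct=20.0):
    """Percentage of LP supply per class plus a verdict on rug-pull risk."""
    holdings = lp_holdings(transfers)
    total = sum(holdings.values())
    if total == 0:
        return {"percent": {}, "verdict": "no LP tokens found"}
    by_class = defaultdict(int)
    for addr, amt in holdings.items():
        by_class[classify(addr)] += amt
    pct = {k: round(100 * v / total, 1) for k, v in by_class.items()}
    unlocked = pct.get("unlocked", 0.0)
    if unlocked == 0:
        verdict = "high trust: all LP burned or locked"
    elif unlocked < max_unlocked_pct:
        verdict = "medium trust: some LP in an unlocked wallet"
    else:
        verdict = "low trust: rug pull possible"
    return {"percent": pct, "verdict": verdict}


# Constructed sample: 1000 LP minted to the dev, 600 burned, 300 locked, 100 kept.
SAMPLE_TRANSFERS = [
    Transfer(ZERO_ADDRESS, DEV_WALLET, 1000),
    Transfer(DEV_WALLET, BURN_ADDRESS, 600),
    Transfer(DEV_WALLET, "0x" + "0" * 38 + "c1", 300),
]

if __name__ == "__main__":
    print(liquidity_report(SAMPLE_TRANSFERS))
```

On the sample events the report shows 60% burned, 30% locked and 10% still in the dev wallet, and returns the medium-trust verdict. A "locked" share is only as good as its unlock date, so the locked portion still needs its lock-up term confirmed on the locker platform's own page, as the list above says.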
Verifying Audit and KYC Reports
Just because a project claims to have been audited by firms like CertiK or Hacken does not mean it is safe. Users must check the authenticity of that report directly on the audit firm's website. A genuine audit report must match the live contract address and the source code commits on GitHub. Common signs of fraud include typos, inconsistent design, or links to a personal GitHub page instead of the auditor's official Leaderboard page.
Proactive Defense Tools and Strategies
Manage Approval Permissions with Revoke.cash and Rabby Wallet
Regularly checking and revoking token approvals is an essential security habit. Revoke.cash is a leading tool that lets users view every dApp they have ever approved and either "revoke" the approval or lower the limit to a safe level. Rabby Wallet, meanwhile, is considered a safe wallet thanks to its built-in risk warnings: it displays a red notice if a transaction requests approval for an unverified contract or shows signs of maliciousness.
Distinguishing between Disconnect and Revoke
A common mistake is to believe that disconnecting the wallet from the dApp protects your assets. However:
Disconnect: only cancels the website's permission to view your wallet address and balance. It does not affect approvals recorded on the blockchain.
Revoke: a real blockchain transaction that removes the dApp's right to spend your tokens. This is the only action that prevents a malicious contract from withdrawing funds from your wallet via transferFrom.
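The three approval states from the risk analysis earlier and the disconnect-versus-revoke distinction just above, replayed in one added Python model that is not the article's code and not a real ERC-20 implementation. It keeps only the two ERC-20 pieces that matter here (approve and transferFrom) and a separate off-chain WalletSession so that the two kinds of state cannot be confused. The addresses, the 1,000-token balance and the 100-token limit are constructed; MAX_UINT256 is the unlimited-approval value the article quotes.

```python
# Added example (not the article's code): a minimal ERC-20 allowance model
# used to replay the three approval states and the disconnect-versus-revoke
# distinction. Addresses and balances are constructed.

MAX_UINT256 = 2**256 - 1
USER, DAPP, THIEF = "0xuser", "0xdapp", "0xthief"


class Reverted(Exception):
    """Stands in for an EVM revert."""


class Token:
    """Only the two ERC-20 pieces that matter here: approve and transferFrom."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}                 # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount   # on-chain state

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount:
            raise Reverted("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise Reverted("insufficient balance")
        if allowed != MAX_UINT256:          # unlimited allowances never shrink
            self.allowance[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class WalletSession:
    """Off-chain connection state kept by the wallet extension, not the chain."""

    def __init__(self):
        self.connected = set()

    def connect(self, site):
        self.connected.add(site)

    def disconnect(self, site):
        self.connected.discard(site)        # touches nothing on-chain


def drainable(token, owner, spender, to):
    """Move as much as the spender's allowance permits; return the amount."""
    amount = min(token.balances.get(owner, 0),
                 token.allowance.get((owner, spender), 0))
    if amount == 0:
        return 0
    token.transfer_from(spender, owner, to, amount)
    return amount


def scenario(state):
    """state: 'infinite', 'limited', 'connect_only', 'disconnected', 'revoked'.
    Returns (tokens the dApp contract could take, user's remaining balance)."""
    token = Token({USER: 1_000})
    session = WalletSession()
    session.connect("dapp.example")         # every state starts connected
    if state in ("infinite", "disconnected", "revoked"):
        token.approve(USER, DAPP, MAX_UINT256)
    elif state == "limited":
        token.approve(USER, DAPP, 100)
    # 'connect_only': wallet connected, no approve transaction ever sent
    if state == "disconnected":
        session.disconnect("dapp.example")  # allowance stays on-chain
    if state == "revoked":
        token.approve(USER, DAPP, 0)        # a real transaction: allowance gone
    lost = drainable(token, USER, DAPP, THIEF)
    return lost, token.balances[USER]


if __name__ == "__main__":
    for s in ("infinite", "limited", "connect_only", "disconnected", "revoked"):
        print(s, scenario(s))
```

Unlimited approval lets the spender take all 1,000 tokens, limited approval caps the loss at 100, and a wallet that only connected loses nothing because transferFrom reverts on a zero allowance. The "disconnected" run ends exactly like the "infinite" one: disconnecting changes only the WalletSession, so the full balance is still drainable, whereas the "revoked" run, which sets the allowance back to 0 with a real approve transaction, is the only way to close the door once it has been opened.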
Asset Rescue and White-hat Recovery
Once a wallet is compromised by a "sweeper bot", withdrawing the remaining assets becomes extremely difficult, because the bot automatically drains any gas-fee funds the moment they arrive.
Rescue tools and how they work:
Flashbots: uses a sealed transaction bundle that does not pass through the public mempool. Requires technical knowledge to configure index.js and the private keys.
Hacked Wallet Recovery: provides an interface that builds the bundle automatically. Users must switch to a special RPC to avoid exposing their transactions to the public network.
Revoke.cash (Exploit Checker): checks whether the wallet appears on the list of hacked dApps. This tool only helps with prevention and revocation; it cannot recover funds that have already been transferred.
10 Frequently Asked Questions (FAQs) about Smart Contract Security
Is just disconnecting the wallet from the dApp safe enough? No. Disconnect only prevents the website from viewing your wallet balance. Approvals remain on the blockchain, allowing a malicious contract to withdraw your funds at any time via transferFrom. You must execute a Revoke transaction to actually remove access to the asset.
How do I know whether a project's liquidity is truly locked? Check on the block explorer (Etherscan/BscScan). If the LP tokens were sent to the burn address (0x...dEaD) or to a reputable locking contract such as Unicrypt or PinkSale with a term of over 6-12 months, it is considered safe.
Why do dApps often request unlimited "Approve" permissions? dApps request the maximum allowance ($2^{256} - 1$) for convenience and to save users gas on future transactions. However, if that contract contains malicious code, the hacker can drain all of that token from your wallet without you signing anything further.
What is a "Honeypot" contract and how to identify it? A honeypot is a type of contract that allows you to buy tokens but installs code that prevents you from selling them. You can identify it by checking on Dexscreener: if the chart has only buy orders (blue) and no sell orders (red), it is definitely a trap.
What should I do if I discover that my wallet has a "Sweeper Bot"? Absolutely do not add more money to that wallet because the bot will withdraw it immediately. The only solution is to use a tool like Flashbots or Hacked Wallet Recovery to create a closed bundle of transactions to "steal" the assets back before the bot can react.
Does an audit report guarantee that the project cannot be hacked? No. An audit is only an assessment at a point in time. The project can change its logic later through the proxy model, or hackers can exploit errors the auditors missed.
How dangerous is a "Permit" (EIP-712) signature? It is an off-chain signature: it costs no gas but has the same effect as an approve transaction. Hackers often trick users into signing a Permit through fake airdrop websites to take control of assets without the victim's knowledge.
How to check the authenticity of a KYC or Audit report? You must directly visit the issuer's website (like CertiK Leaderboard) and search for the project name. Never trust screenshots or PDF links provided by the project itself as they are easily edited.
Besides Crypto, what types of "Contract Scams" are popular? Common forms include home repair contract scams (requesting a large deposit and then disappearing) and phone contract scams (impersonating the network operator to get personal information to sign up for expensive plans).
Can I get my money back after it has been withdrawn from my wallet by a malicious contract? Due to the immutable and decentralized nature of blockchain, transactions once executed are irreversible. The only chance is to report to centralized exchanges (CEX) so they can freeze the assets if the thieves transfer them there.
The evolution of malicious smart contracts shows that the more complex blockchain technology becomes, the more unpredictable the logical flaws become. The future of Web3 security will shift to a "Continuous Security" model and real-time monitoring. According to experts from Tan Phat Digital, increasing user awareness about approval rights management and self-checking capabilities (DYOR) will be the biggest barrier for cybercriminals. Safety comes not only from clean lines of code, but from the combination of security technology and the alertness of each individual participating in the market.