Background

Recently, X user @roffett_eth tweeted that the trending list on the GMGN website contains many ERC20 honeypot tokens. Even when such tokens are marked "Everything is SAFU", users should stay vigilant, because the scammers simply have not completed the whole rug-pull process yet. Cos, the founder of SlowMist, noted that this situation is not limited to GMGN but also occurs on DEXTools and DEX Screener. Based on this, this article analyzes the common malicious techniques used by Pixiu tokens (貔貅盘, honeypot tokens) and lists their characteristics, so that users without a technical background can also learn to identify Pixiu tokens and avoid financial losses.

(https://x.com/evilcos/status/1838874085641859321)

Pixiu token risk analysis

Some time ago, in the Web3 Security Beginner's Guide to Avoiding Pitfalls | Pixiu Scam, we explained why users fall for Pixiu tokens and the typical routines of the scam. Today we take several Pixiu tokens as examples to look at their specific malicious techniques.

We know that Burn is normally a legitimate operation used to permanently destroy tokens and thereby reduce the circulating supply. In the Pixiu scam, however, malicious developers call the Burn function from a privileged address, and the Burn operation is deliberately designed so that it can destroy tokens held in a user's wallet without the user's consent, with an effect similar to stealing the tokens. In this way, malicious developers can reduce the number of tokens held by users while exploiting other loopholes or mechanisms in the contract to manipulate the market price or the circulating supply for profit. The Xiaopang token on Solana (6JCQ8Bsx8LcmE8FVsMrDVhXJ9hJYaykTXsoVN67CLsSX) is a typical case:

(https://solscan.io/token/6JCQ8Bsx8LcmE8FVsMrDVhXJ9hJYaykTXsoVN67CLsSX)

(https://solscan.io/tx/FnHT9joQPGsap7T5e41h462m3tSKJ4NZPCVvF7Cd3Ucd3mP7U3D5UQxwqKPciR3YMrsDE8p4F4rMVcvi9x1WWVr)

Let's take a look at the BIGI DAO token (0x8384De070d4417fDf1e28117f244E909C754bCFf) on Base. Searching for it with a risk detection tool shows that it has already been flagged as a Pixiu token.

Analysis of its contract code shows that, when verifying a user's signature, the permit function of this Pixiu token first checks the address that initiated the signature verification transaction. If that address is a special address preset by the Pixiu token, the signature verification is skipped entirely. In this scenario, malicious developers can forcibly obtain an approval for the user's tokens through the modified permit function and then transfer the user's assets.

Code example:

With the rapid development of the TON chain, it has naturally attracted many malicious developers to deploy Pixiu tokens on it, such as the JOPER token (EQDUQksb6Fa7w42hzP-HzUxiArWfK0Ck_HMPYuewW5Cd5_dv). However, because the TON chain is relatively new, there are currently few tools that support risk detection for its tokens. We checked the risk detection result for this token on OKX and found that it has been marked as high risk and is suspected to be a Pixiu token:

By analyzing the token's contract code, we found that the malicious developers can control holders' transfer rights, and that the token has a function for minting additional supply. Users without a technical background can use AI tools to check whether the code contains suspicious points and so discover related risks, for example:

How to avoid falling into a Pixiu token trap

Many new users choose target tokens based on a platform's trading volume rankings. Malicious developers understand this and take advantage of it: they simulate trades and holdings through multiple addresses to push a Pixiu token up the rankings and attract users to trade it. Users who do not look more closely are likely to fall for the Pixiu scam and lose their funds. The SlowMist Security Team therefore recommends that users:

1. Enable risk filtering on market rankings

For ranking list recommendations, users can enable the risk screening function to filter out tokens with higher trading risk, such as Pixiu tokens, from the list.

Note that this screening is necessary but not sufficient to completely exclude Pixiu tokens. The scope of detection cannot guarantee that every risk point is covered, and as the risk detection tool Honeypot warns, "Just because it is not a honeypot now does not mean it will not change in the future." Users should therefore not let their guard down at this step.

2. Use a platform with risk warnings

When some platforms detect that the token a user is about to trade is a high-risk token such as a Pixiu token, they issue a warning and at the same time block the user from trading it. This function forms the last line of defence for protecting user funds, so users are advised to trade on platforms that provide risk warnings to reduce the chance of falling into a Pixiu token trap.

3. Refer to the risk description

Many trading platforms and risk monitoring tools list the detection items and the hits for users. Referring to this information helps users identify Pixiu tokens more accurately. Users should focus on the following risk characteristics:

  • Whether contract ownership has been renounced: some token contracts fake a "renounced" state while the code can in fact still be updated to turn the token into a Pixiu token.

  • Whether there is a trading pause function: this function can suspend all buying and selling of the token.

  • Whether the authority to modify the transaction tax is retained: if the transaction tax is set too high, the token can no longer be traded normally.

  • Whether there is a blacklist/whitelist mechanism: malicious developers can add user addresses to the blacklist so that those users cannot sell, or add their own addresses to the whitelist so that they can sell for a profit while other users cannot.
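As an added example (not code from the original article or from any detection tool named here), the heuristic scanner below checks verified Solidity source for the risk characteristics listed above, together with the privileged burn and the permit bypass described earlier. The two contract snippets are constructed for illustration and do not reproduce any real token's code; the regexes are deliberately simple and will miss obfuscated variants.

```python
import re

# Heuristic checks for the risk characteristics discussed in this article.
# Constructed patterns (assumption: source is verified Solidity), not the
# detection logic of Honeypot, Token Sniffer, GoPlus or any other tool.
RISK_PATTERNS = {
    "trading pause switch": r"\b(pause|unpause|tradingEnabled|tradingOpen|enableTrading)\w*",
    "owner-adjustable transaction tax": r"\bfunction\s+(setTax|setFee|updateTax|setBuyTax|setSellTax)\w*\s*\(",
    "blacklist/whitelist mechanism": r"\b(blacklist|isBlacklisted|_isBlacklisted|whitelist|isExcludedFromFee)\w*",
    "privileged burn of another holder": r"\bfunction\s+burn\w*\s*\(\s*address\b[^)]*\)\s*(external|public)[^{]*\bonly(Owner|Admin)\b",
    "privileged mint of new supply": r"\bfunction\s+mint\w*\s*\([^)]*\)\s*(external|public)[^{]*\bonly(Owner|Admin)\b",
    "permit signature bypass for a preset address": r"\bfunction\s+permit\b[\s\S]*?if\s*\(\s*msg\.sender\s*==\s*\w+\s*\)\s*\{[^}]*_approve",
    "upgrade path despite renounced ownership": r"\b(delegatecall|upgradeTo|_setImplementation)\b",
}

def scan_token_source(source: str) -> list[str]:
    """Return the label of every risk pattern found in the given contract source."""
    return [label for label, pattern in RISK_PATTERNS.items()
            if re.search(pattern, source, re.IGNORECASE)]

# Constructed sample showing the behaviours described above (not a real token).
SUSPICIOUS_SOURCE = """
contract Token {
    address private _trusted;
    mapping(address => bool) public isBlacklisted;
    uint256 public sellTax;
    function setSellTax(uint256 t) external onlyOwner { sellTax = t; }
    function burn(address from, uint256 amount) external onlyOwner { _burn(from, amount); }
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external {
        if (msg.sender == _trusted) { _approve(owner, spender, value); return; }
        require(deadline >= block.timestamp, "expired");
        // normal EIP-2612 signature recovery would follow here
    }
}
"""

# Constructed plain ERC-20: holder-only burn, permit that always recovers the signer.
PLAIN_SOURCE = """
contract Token {
    function burn(uint256 amount) external { _burn(msg.sender, amount); }
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external {
        require(deadline >= block.timestamp, "expired");
        require(ecrecover(digest, v, r, s) == owner, "bad sig");
        _approve(owner, spender, value);
    }
}
"""
```

A hit only means the characteristic is present; as the article notes, results from several tools should be compared before trading.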

4. Be skeptical and verify

All of the above methods rest on the principle of keeping a skeptical attitude and verifying with multiple tools. Because risk detection tools differ in their detection methods, focus and chain coverage, and because the time a malicious developer lies dormant is uncertain, users are advised to compare the results of several tools before trading. Some commonly used risk detection tools:

  • Honeypot: https://honeypot.is/

  • Token Sniffer: https://tokensniffer.com/

  • OKX: https://www.okx.com/zh-hans/web3/dex-market

  • GoPlus: https://gopluslabs.io/token-security

  • De.Fi: https://de.fi/scanner

Author | Liz
Editor | Liz