Smart Contract Functions – How to Spot a Scam

Smart contract functions are currently the #1 way scammers are tricking people out of their hard-earned crypto and NFTs – Don’t you think it’s time you learned how to read them?

Interacting with smart contracts is a non-negotiable part of Web3.  In fact, Smart contracts power some of our best loved crypto apps and platforms and dictate your wallet’s interaction with them. In short, they opened up the door to a new kind of digital freedom in the decentralized world.

But with this freedom comes a heavy new responsibility. When exploring something unfamiliar, you’re unaware of the risks involved. It’s natural for beginners to feel overwhelmed with often complex UX and wallet knowledge needed. 

This, along with an incredible amount of value on the line, means web3 is a breeding ground for scammers and bad actors. To be brutally honest; not every blockchain app and platform you may come across is honest, and not all of them are kind either. 

While smart contracts are not inherently dangerous, interacting with them does involve some risk. So what happens when you interact with a malicious smart contract?

In this article, we walk you through some of the key smart contract functions you’ll encounter as you interact, what they mean—and how to spot a malicious smart contract function when you see one.

But before we get there, let’s start with the basics: What exactly is a smart contract function in the first place?

What Is a Smart Contract Function?

Put simply, smart contract functions are pieces of code that allow smart contracts to carry out specific actions. “Calling a function” initiates a given interaction between your wallet and whichever web3 platform you’re using. In other words, approving one of these functions will allow the smart contract to carry out a specific task involving your wallet. 

Why Understanding Smart Contract Functions Is So Important

Interacting with a blockchain app means interacting with smart contracts, and that’s why it’s so important to know a malicious smart contract function when you see one. See—not every blockchain platform has your best interests at heart, and some scammers will go quite far to get your hard earned digital assets.

To cut to the point: Some smart contracts may include functions designed to steal your assets. Using malicious smart contract functions, and a little bit of social engineering, scammers manage to get away with countless valuable digital assets each and every day. That’s why it’s so important to know what to watch out for.

So, in order to navigate Web3 safely, there are a few key smart contract functions you should be familiar with; SetApprovalForAll, SafeTransferFrom and SendETH. Although none of these particular functions indicate you may be interacting with a malicious contract, it’s important to know when you’d expect to see each one.

It doesn’t stop there, though—there are many more smart contact functions to know if you want to become a blockchain expert. 

But first, let’s explore the basics of smart contract functions, and how bad actors might use them to steal your assets.

What Is SetApprovalforAll?

SetApprovalForAll is a function you’ll encounter fairly regularly as you engage with Web3. You’ll most commonly see this function when you list your NFTs for sale on a marketplace. It’s purpose is simple: It allows that marketplace to move your NFT out of your wallet, and into someone else’s, whenever it is sold.

Makes sense, right? But this has some repercussions too.

The SetApprovalforAll function may well be very common, but it’s also a pretty risky interaction for you as a user – its scope is just so wide.

Approving this function means giving the platform you’re interacting with access to all of the ERC20 tokens or NFTs of a given smart contract within your wallet. Not only that, it’s an open-ended agreement, meaning it applies to all future tokens from those smart contracts that come into your wallet. 

It’s sort of like writing a blank cheque for a friend. You’re essentially saying  “I trust this platform to do what it says it will, and to act within the limits I’m expecting”.

As such, SetApprovalforAll is a big-hitter when it comes to crypto scams. Thus, it’s essential to be able to identify the times when it’s safe to sign—and when you could be interacting with a malicious smart contract.

How To Detect Malicious SetApprovalforAll Functions

The only time you should encounter this message is when you’re listing your NFT on a marketplace or interacting with a DEX. This makes sense, since you need to give that platform permission to move tokens from your wallet when they are sold or traded. But outside of these situations, seeing this smart contract function should raise alarm bells.

Always ask yourself the question: why am I transferring access to my tokens to someone else? Thinking of it in this way makes it easier to judge whether the transaction is legitimate.

But to keep it simple:

Minting an NFT? – You should NOT see a SetApprovalforAll Function

Buying an NFT? – You should NOT see a SetApprovalforAll Function

Swapping or Transferring an NFT? You should NOT see a SetApprovalforAll Function

Signing up for an allow list? – You should NOT see a SetApprovalforAll Function

Now you understand just what it means to sign this type of transaction. You’re qualified to assess each situation where it pops up, and decide for yourself if it’s a red flag.

What Is SafeTransferFrom?

Another very common smart contract function you may encounter is SafeTransferFrom. This message will appear during any transaction where you’re sending an NFT from your own wallet to another wallet. 

Let’s say, for example, you just bought yourself a Ledger, and you want to send the NFTs from your existing hot wallet to the secure new Ethereum account of your Ledger device. You’d see SafeTransferFrom appear on your hot wallet, and you’d need to confirm it. In this context, a SafeTransferFrom function makes complete sense.

The problem arises when you encounter this function in other situations – remember, what you’re confirming here is that you want to send an NFT to another wallet, and unless that wallet is yours, there are few situations where you’d want to do this.

How To Avoid Malicious SafeTransferFrom Functions

So what indicates if a SafeTransferFrom approval is from a malicious smart contract or not? Well, firstly, you should always ask yourself the question: why am I transferring access to my tokens to someone else?

But to keep it simple:

Minting an NFT? – You should NOT see a SafeTransferFrom Function

Buying an NFT? – You should NOT see a SafeTransferFrom Function

Signing up for an allow list? – You should NOT see a SafeTransferFrom Function

The only time you should see this function is when you are transferring an NFT!

What Is The SendEth Smart Contract Function?

If you’ve interacted with Web3, the chances are you’ve already seen the SendEth function. Simply, it means that you’re sending Ether to another wallet. You could be sending Eth between different wallet addresses of your own. Or, you could be making a digital purchase on a marketplace. In these cases, seeing the SendEth function would be completely appropriate.

How To Avoid Malicious SendEth Functions

Minting/Buying/Selling/Transferring or swapping an NFT? – You should NOT see a SendEth Function

The only time you should see this function is when you are Sending ETH to your wallet or someone else’s!

But if you’re unlucky, you might also see this function pop up where you aren’t expecting it. During an NFT mint is a great example – here, users believe they are minting, when in reality they are just transferring their funds to another address. 

The first thing you should check is the function call. 

You can see this not just by looking at the function call (which should have said “mint” if it were truly a mint) but also by looking at the receiving address at the top right – minting is a direct transaction with the blockchain itself, not another wallet. So once again the presence of a receiving address here should be another big red flag.

Example of a Malicious Smart Contract

So what happens when you don’t identify a malicious smart contract and just approve its function anyway? 

Well, a good example of a malicious smart contract in action was with the Momoco NFT project. This project offered a free mint for its NFTs, driving hopeful degens to the site.

The problem? There was no mint.

When the users hit the “mint” button, it brought up a SafeTransferFrom call. Many users approved this malicious smart contract function, incorrectly assuming it was part of the minting process….Thanks social engineering! 

Approving this function allowed the contract to transfer an NFT out of the target wallet. There were hundreds of victims of just this single non-fungible scam, with a single malicious smart contract.

Malicious Smart Contracts: How To Avoid The Unknown

Remember, with smart contract function calls, the only thing that will definitely happen is what’s written in the function box. Bad actors will try to use social engineering to try and distract you. But remember—Any other function than the one you’re expecting should be an instant red flag. 

If you’re minting, you should see a function call for “minting”, not a transfer. If you’re transferring, you shouldn’t see a SetApprovalForAll function. Whatever smart contract function it is, make sure you check its details- including checking the type of interaction you’re confirming, and the direction of the transfer. This will allow you to verify the transaction, rather than trusting the circumstances.

Now that you know the meaning of these different functions, the associated scams probably seem quite obvious. But don’t be fooled—the power of social engineering can be pretty potent, especially when coupled with the tricky new norms of Web3. 

That’s why it’s so important to arm yourself with knowledge before you start your journey.

Knowledge is Power.