Smart Contract Functions – How to Spot a Scam

Key Takeaways:
— Smart contract functions are instructions to the blockchain. They allow us to approve particular interactions between our wallets and third parties, like NFT platforms and DeFi services.

— Many people aren’t sure how to interpret these functions – so they confirm the transaction based on trust, without really verifying what they’re signing. This blind spot is a huge opportunity for scammers.

— Scams based on erroneous smart contract approvals are on the rise! It has never been more important to know what you’re signing.

— Here, we walk you through how to spot a red flag, so you don’t get scammed yourself.

Smart contract functions are currently the #1 way scammers are tricking people out of their hard earned crypto and NFTs – don’t you think it’s time you learned how to read them?

The crypto space is filled with new opportunities and new types of interaction – and most of it is powered by the humble smart contract. Smart contracts are what dictate your wallet’s interaction with Web3 platforms and services, giving you unprecedented freedom to use your digital assets, and unlocking an entirely new digital universe powered by the ownership of your private keys.

But with this freedom comes a heavy new responsibility for you. In the unfamiliar terrains of crypto-land, users are more vulnerable to mistakes than usual: it’s new, it moves quickly, and the often complex UX of Web3 makes it more difficult than normal to interpret what each interaction means. In short, Web3 is a tricky space where real value is on the line for you – and scammers are waiting in the wings for you to make a mistake.

Being able to spot red flags as you interact with Web3 is an essential skill if you don’t want to get conned. And it isn’t as hard as you might expect – it just takes a little guidance.

In this article, we walk you through some of the key smart contract functions you’ll encounter as you interact, what they mean – and how to spot a scam when you see one.

What is a Smart Contract Function?

Let’s start with the basics – what exactly is a smart contract function?

Put simply, functions are pieces of code within a smart contract that allow it to carry out specific actions – “calling a function” initiates a given interaction between your wallet and whichever platform you’re using.

Interacting with smart contracts is a non-negotiable part of Web3, and smart contracts are not inherently dangerous. 

But, like any real-life scam, context is everything and it’s all about being able to spot the red flags that show something’s not quite right. 

Smart Contract Function Red Flags: A Glossary

In order to navigate Web3 safely, there are a few key smart contract functions you should be familiar with. So let’s cover each one in turn, explaining its function, associated scams and how to detect danger for yourself.

1) SetApprovalforAll

Set approval for all is a function you’ll encounter fairly regularly as you engage with Web3, so it’s important to understand it. You’ll most commonly see this function when you list your NFTs for sale on a marketplace, and its purpose is simple: it allows that marketplace to move your NFT out of your wallet, and into someone else’s, whenever it is sold.

Makes sense right? But this has some repercussions too.

Risks associated with SetApprovalforAll

The SetApprovalforAll function may well be very common – but it’s also a pretty risky interaction for you as a user, because its scope is just so wide.

Approving this function means giving the platform you’re interacting with access to all of the ERC20 tokens or NFTs of a given smart contract within your wallet – and as an open-ended agreement, this applies to all future tokens from those smart contracts that come into your wallet. 

It’s sort of like writing a blank cheque for a friend. You’re essentially saying “I trust this platform to do what it says it will, and to act within the limits I’m expecting”. But what if you make a mistake?

Scams – and how to detect them

SetApprovalforAll is a big-hitter when it comes to crypto scams, so it’s essential to be able to identify the times when it’s safe to sign – and when something’s off.

The only time you should encounter this message is when you’re listing your NFT on a marketplace or interacting with a DEX. This makes sense, since you need to give that platform permission to move tokens from your wallet when they are sold or traded. But outside of these situations, seeing this smart contract function should raise alarm bells.

Always ask yourself the question: why am I transferring access to my tokens to someone else? Thinking of it in this way makes it easier to judge whether the transaction is legitimate.

Minting an NFT? – you should not see this function.

Buying an NFT? – you should not see this function.

Signing up for an allow list? – you guessed it – you should NOT be seeing this function!

Now you understand just what it means to sign this type of transaction, you’re qualified to assess each situation where it pops up, and decide for yourself if it’s a red flag.

2) SafeTransferFrom

Another very common smart contract function you may encounter is SafeTransferFrom – this message will appear during any transaction where you’re sending an NFT from your own wallet to another wallet. 

Let’s say, for example, you just bought yourself a Ledger, and you want to send the NFTs from your existing hot wallet to the secure new Ethereum account of your Ledger Nano – you’d see SafeTransferFrom appear on your hot wallet, and you’d need to confirm it. Which makes complete sense in this context.

Risks associated with SafeTransferFrom

The problem arises when you encounter this function in other situations – remember, what you’re confirming here is that you want to send an NFT to another wallet, and unless that wallet is yours, there are few situations where you’d want to do this.

Scams – and How to Detect Them

So what kind of scams are using this function call to trick people out of their crypto? 

A recent example saw the Momoco website offer a free mint for its NFTs, driving hopeful degens to the site, hoping to claim the mint. The problem? There was no mint.

Instead, hitting the “mint” button brought up a SafeTransferFrom call (which users approved thinking it was part of the minting process, thanks social engineering!). This gave the contract approval to transfer an NFT out of the target wallet – resulting in hundreds of people losing a non-fungible to the scam.

How could those people have spotted the scam, before getting caught up in it?

Remember, with smart contract function calls, the only thing that will definitely happen is what’s written in the function box – in this case, a transfer from one wallet to another.

This is an instant red flag: if you’re minting, you should see a function call for “minting”, not a transfer. In this case, the transaction clearly shows a transfer. The NFT is also moving from a Ledger wallet to another wallet address – meaning your wallet is sending an NFT, not receiving it.

In short, a quick look at the details of the function call – including checking the type of interaction you’re confirming, and the direction of the transfer – will allow you to verify the transaction, rather than trusting the circumstances.

3) SendEth

And finally! If you’ve interacted on Web3, chances are you’ve already seen the SendEth function – it literally means that you’re sending Ether to another wallet. This could be because you’re sending Eth between different wallet addresses of your own (if you just bought a Ledger, for example, and are transferring your funds to safety), or if you’re making a purchase on a marketplace.

Risks Associated with SendEth

But if you’re unlucky, you might also see this function pop up where you aren’t expecting it. During an NFT mint is a great example – here, users believe they are minting, when in reality they are just transferring their funds to another address. 

Scams and how to detect them

You can see this not just by looking at the function call (which should have said “mint” if it were truly a mint) but also by looking at the receiving address at the top right – minting is a direct transaction with the blockchain itself, not another wallet, so once again the presence of a receiving address here should be another big red flag.
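The checks from the three glossary entries above (which function is being called, who gains access, and which direction the asset moves) can be run over a raw transaction before signing. This is an added example, not Ledger's code: `reviewTransaction`, the `intent` labels and every address are assumptions made up for illustration, and the 4-byte selectors are the standard ERC-721 ones.

```javascript
// Selectors are the first 4 bytes of keccak256(function signature).
const SELECTORS = {
  "0xa22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
  "0x42842e0e": "safeTransferFrom",  // safeTransferFrom(address,address,uint256)
  "0xb88d4fde": "safeTransferFrom",  // safeTransferFrom(address,address,uint256,bytes)
};

// ABI arguments are 32-byte words; an address sits in the low 20 bytes of its word.
const word = (data, i) => data.slice(10 + 64 * i, 74 + 64 * i);
const addressAt = (data, i) => "0x" + word(data, i).slice(24);
const nonZero = (w) => /[1-9a-f]/.test(w); // false for a missing or all-zero word

// `intent` is a hypothetical label for what the user believes they are doing:
// "mint", "buy", "allowlist", "list", "dex" or "move-to-own-wallet".
function reviewTransaction(tx, intent, myWallets) {
  const data = (tx.data || "0x").toLowerCase();
  const mine = myWallets.map((a) => a.toLowerCase());
  const flags = [];
  // Empty calldata means a plain Ether transfer to tx.to (the page's "SendEth").
  const fn = data === "0x" ? "sendEth" : SELECTORS[data.slice(0, 10)] || "unknown";

  if (fn === "sendEth" && intent === "mint") {
    flags.push(`plain Ether transfer to ${tx.to}, not a mint call`);
  }
  // Granting approval is only expected when listing on a marketplace or using a DEX.
  if (fn === "setApprovalForAll" && nonZero(word(data, 1))
      && !["list", "dex"].includes(intent)) {
    flags.push(`${addressAt(data, 0)} would control every token from ${tx.to}`);
  }
  // Direction check: the NFT leaves one of your wallets for an address that is not yours.
  if (fn === "safeTransferFrom" && mine.includes(addressAt(data, 0))
      && !mine.includes(addressAt(data, 1))) {
    flags.push(`NFT leaves your wallet for ${addressAt(data, 1)}`);
  }
  return { fn, flags };
}

// Constructed sample data: all addresses and the token id are made up.
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const ME = "0x" + "11".repeat(20);
const STRANGER = "0x" + "22".repeat(20);
const NFT_CONTRACT = "0x" + "33".repeat(20);
const fakeMint = { to: NFT_CONTRACT, value: "0",
  data: "0x42842e0e" + pad(ME) + pad(STRANGER) + pad("0x2a") };
const fakeAllowlist = { to: NFT_CONTRACT, value: "0",
  data: "0xa22cb465" + pad(STRANGER) + pad("0x1") };

console.log(reviewTransaction(fakeMint, "mint", [ME]));
console.log(reviewTransaction(fakeAllowlist, "allowlist", [ME]));
```

An "unknown" result only means the selector is not in this short table; it is not a verdict that the call is safe.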

Smart contract scams: don’t trust – verify

So there you have it: a glossary of the key smart contract functions (and their risks) you might encounter as you engage with Web3.

Now that you know the meaning of these different functions, the associated scams probably seem quite obvious – but the power of social engineering can be pretty potent, especially when coupled with the tricky new norms of Web3. That’s why it’s so important to arm yourself with knowledge before you start your journey.

So go forth, keep learning and enjoy immersing yourself in the endless possibilities of Web3! The power is in your hands, and Ledger Academy is here to make sure it stays that way.
