top of page

Digging into a resurfaced nasty crypto scam 🚩

Web3 has secured its place as home of scammers, with a constant supply of new schemes and rotation of old ones. Today we’ll take a look at the “frontrunning bot“ scam that was popular in February but has gotten a brush up yesterday (28/07) and has already scammed thousands of dollars.

There are a ton of twitter bots tweeting about “Uniswap frontrunning” and linking to This channel has over 13k fake subscribers and bots saying how they are greatful for the money it is generating for them.

Essentially what the scammer tells you is to open Remix compiler (from a fake link), paste the bot script contract from their pastebin link, deploy it via metamask and call the start()function to start running the bot. The withdraw() function sends profits back to the contract owner.

The scam uses the scammer's Remix rather than the official one because there is warning label about these kinds of attacks:

Now, anyone with decent understanding of crypto would know it is impossible to program a frontrunning bot as a contract, but the scam is directed towards inexperienced users. For entertainment, we can take a look at some of the bot mumbo-jumbo:

The only actual relevant piece of code in the bot is:

So both start() and withdrawal() send the money from this contract to manager.uniswapDepositAddress(). Historially, manager was a contract imported via ipfs:

import "ipfs://QmQffiNgHxU1tcGdkbTLqonWWRuiaxPDFpTaCUaDHWXUHg"

This file is obfuscated but eventually contains the scammer’s address.

What caught my eye recently though is that the bot script now (28/07) contains only “innocent” imports:

// Import Libraries
import "";
import "";
import "";
import "";

This made me start digging deep into the fake Remix website, looking for injection of some dependency which would define manager. After spending a while debugging the compilation engine, I didn’t see anything out of the ordinary.

This made me take another look at how dependencies resolve in Remix. Turns out, if there is no URL scheme, the link resolves to an npm package. Indeed, if we take a look at the package:

This package contains 16k lines of commented out code but it does eventually define the uniswapDepositAddress():

return 0x6683968268fB2a9C31FE43af9C2c3b079a015cB7;

The faster and hassle free way to get the scammer’s address is to deploy the contract in the JS local EVM and call the uniswapDepositAddress(). But I was curious where the manager slipped in.

Sadly, we can see the scammer is making a lot of money using this new scheme:

Because blockchains are transparent, we can follow the story of each victim, how they moved money from some exchange to their meta-mask wallet, created the bot contract and transfered funds to it:

Some conclusions:

  1. Scammers can easily spin up youtube / twitter accounts and flood them with tens of thousands of fake followers.

  2. They are findings new ways to become less suspicious.

  3. Always do your own research, and follow the “if it’s too good to be true, it usually is” mantra.


Recent Posts

See All

The story of the 0-day crit that wasn't

Yesterday I was taking a look at oasisDEX, a trading dApp from the MakerDAO team. With a 10-100K crit bounty on Immunefi and a team with solid rep, it was worth checking out. The dApp follows a common


bottom of page