Hacking Etherscan : fake contract verification

Alain | Web3hackingLabs
3 min read · Sep 1, 2022

Welcome to episode 3 of Etherscan “Hacking”.

Most people rely on Etherscan to check whether a smart contract is “verified”, and to look at transfer lists, token balances, holders and so on, in order to assess whether the smart contract is “safe”.

If the contract on Etherscan is marked as verified, then it should be open-source and “trustable”, right?

No, this is wrong and we will see why.

Using a proxy

Most of you have already heard that any smart contract on Ethereum can be made upgradable without changing its address.

This is TRUE, by using a proxy.

Here is how it works:

  1. You deploy a PROXY smart contract; its address is, let’s say, 0x01.
  2. You deploy the implementation; its address is 0x02.
  3. Every time someone calls the smart contract 0x01, the call is “redirected” to the fallback() function of 0x01, which delegatecalls to 0x02.
  4. Let’s say you’ve made a mistake in the contract 0x02: you can deploy another one at address 0x03 and set the proxy to delegate to 0x03 from now on.

(diagram of the proxy pattern; image source: https://mycelium.xyz)

The 0x02 address is discarded, and people still interact with the same contract (0x01).

This is a very simplified explanation, but it is what you need to know :)

To summarize: proxies are useful to make smart contracts upgradable.

Now let’s say you have a token behind a proxy, and you want to verify your token on Etherscan. What will you do?

You can submit the token’s Solidity code on Etherscan, but it won’t match…

Why?

Because the address holds a proxy, you need to submit the proxy code instead.

Only the proxy gets verified; the TRUE code, the implementation, is not verified at all.

So how can hackers use this “trick”?

“This contract is verified so it should be safe”

People will think that the smart contract is verified, but in reality only the proxy code is verified!

This can give the user a false sense of security, especially if the smart contract is a scam.

How can hackers “improve” this attack?

  1. When you click on the contract button, you can see “contract name: ERC1967 proxy” (example above), so it’s easy to see that this is a proxy contract.
    But you can also create your own proxy by using the transparent proxy pattern: https://blog.openzeppelin.com/the-transparent-proxy-pattern/
    It’s possible to change the contract name too, and to add “fake functions” to the smart contract.
  2. Even trickier, a malicious actor can use proxy chains (a proxy which delegatecalls to a proxy, which delegates to the contract) in order to “hide” the code and make it a bit more difficult to see what’s going on in the contract.
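Since the displayed contract name can be changed (item 1) and the implementation can sit behind a chain of proxies (item 2), a user should check the bytecode and storage rather than the name. As an added example, not code from the original post, the functions below perform two such checks offline: reading the EIP-1967 implementation slot and scanning the runtime bytecode for a real DELEGATECALL instruction (a PUSH immediate containing the byte 0xf4 must not count). The bytecode and storage values are constructed samples; in practice they come from eth_getCode and eth_getStorageAt on a node.

```python
from __future__ import annotations

# EIP-1967 implementation slot: keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
DELEGATECALL = 0xF4
PUSH1, PUSH32 = 0x60, 0x7F

def opcodes(code: bytes):
    """Yield (offset, opcode), skipping PUSH immediates so that data bytes
    (e.g. a 0xf4 inside a pushed address) are never mistaken for instructions."""
    i = 0
    while i < len(code):
        op = code[i]
        yield i, op
        i += 1
        if PUSH1 <= op <= PUSH32:
            i += op - PUSH1 + 1  # PUSHn carries n bytes of immediate data

def uses_delegatecall(code: bytes) -> bool:
    """True if the runtime bytecode contains a real DELEGATECALL instruction."""
    return any(op == DELEGATECALL for _, op in opcodes(code))

def eip1967_implementation(storage: dict[int, int]) -> str | None:
    """Return the implementation address held in the EIP-1967 slot, or None."""
    raw = storage.get(EIP1967_IMPL_SLOT, 0)
    if raw == 0:
        return None
    return "0x" + format(raw & ((1 << 160) - 1), "040x")  # low 20 bytes

def assess(code: bytes, storage: dict[int, int]) -> str:
    """Decide whether the verified source at this address is the code that runs."""
    impl = eip1967_implementation(storage)
    if impl:
        return f"proxy (EIP-1967), implementation {impl}: verify THAT code too"
    if uses_delegatecall(code):
        return "delegatecall present: possibly a custom proxy, read the bytecode"
    return "no delegatecall: the verified source is the code that executes"

# Constructed samples (not real deployments).
IMPL = 0x1111111111111111111111111111111111111111
# EIP-1167 minimal proxy runtime code with IMPL as its delegatecall target.
MINIMAL_PROXY = (bytes.fromhex("363d3d373d3d3d363d73") + IMPL.to_bytes(20, "big")
                 + bytes.fromhex("5af43d82803e903d91602b57fd5bf3"))
# PUSH1 0xf4; STOP: here 0xf4 is data, so a naive byte search would be wrong.
NOT_A_PROXY = bytes.fromhex("60f400")

if __name__ == "__main__":
    for code, storage in ((MINIMAL_PROXY, {}), (NOT_A_PROXY, {}), (b"", {EIP1967_IMPL_SLOT: IMPL})):
        print(assess(code, storage))
```

For a proxy chain, repeat the check on the returned implementation address until an address with no delegatecall is reached; that is the code whose verification actually matters.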

Conclusion

Don’t blindly trust a smart contract even if it’s verified on Etherscan; always check the code to be sure that you’re not interacting with a proxy.

➕ Want to learn more about Ethereum?

▶▶▶ Follow me on Twitter: https://twitter.com/TrustChain_DEFI or on Medium.


Smart contract Auditor & Cybersecurity engineer, follow me on Twitter to get more value: https://rebrand.ly/twitter_medium