Can scammers steal money using smart contracts?

[btcrevolution]

For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds? If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?

On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?

I use MetaMask as a hot wallet. This app is very popular and many scammers steal money from MetaMask. Sometimes they steal it without seed phrase, trojans, viruses etc. But users say that they sign some contracts and lose their funds.

Many thanks to all your answers, my crypto friends !

[1714783911]

1714783911

[1714783911]

1714783911

[1714783911]

1714783911

[1714783911]

1714783911

[1714783911]

1714783911

[mk4]

For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds?

Yes, they can. If you execute a contract without knowing that it was a scam site, then they can steal your funds.

If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?

Always make sure you're in the correct website. And if you're extra paranoid, always check the project's social media accounts so you're updated if there's a recent exploit or whatever.

For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds? If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?

They can, and not even just a specific trading pair.

As for testing the contract, you're highly more likely to be safe if you're executing the contracts through command line, and with you fully knowing what a certain contract actually does. But if you're executing through a front-end UI like a website, then there's not much you can do as far as I know.

On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?

A project being audited by Certik or any other auditing company doesn't make a project hack-proof.

[pooya87]

As for testing the contract, you're highly more likely to be safe if you're executing the contracts through command line, and with you fully knowing what a certain contract actually does. But if you're executing through a front-end UI like a website, then there's not much you can do as far as I know.

It is worth mentioning that the protocol that is used to build the contract is important too. Some of them are very weak and have many security flaws that can potentially be exploited to steal money from unaware users. You have to be an expert to notice these things though.
DAO on Ethereum comes to mind when we talk about weak protocol and exploits.

[mk4]

It is worth mentioning that the protocol that is used to build the contract is important too. Some of them are very weak and have many security flaws that can potentially be exploited to steal money from unaware users. You have to be an expert to notice these things though.
DAO on Ethereum comes to mind when we talk about weak protocol and exploits.

This. @OP you better freakin what you're doing if you don't want to get burned. If you want to provide liquidity for the gainz, then you better know what you're using. If you think exchange hacks are bad, DeFi exploits are just as bad. (or probably even worse, because sometimes we don't know if the anonymous developers planted an exploit on purpose)

https://cryptosec.info/defi-hacks/

[btcrevolution]

Yes, they can. If you execute a contract without knowing that it was a scam site, then they can steal your funds.

They can do it even if I use hardware wallet like Ledger? For examle, I connect Ledger to MetaMask and then execute a scam contract via Ledger. Or I connect Ledger to a scam site directly and do the same thing. That's mean I give scammers access to all my funds in my wallet and they can steal money without any confirmation of transactions?

[GeorgeJohn]

Let me make it brief, scammer can penetrate to everywhere, first provided that  their own platform exist, i have never seen a wallet scammers can not steal money from it, provided it's a scamming platform, going into their site to do any partnership or transactions you can be easily  be scammed because i believe during the registration from the site they have access  and vital information to penetrate into your various wallet address that may be input.

[cryptoaddictchie]

On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?

No matter how good the auditor is for sure there are plenty of ways how to exploit a smart contract and mentioning certik doesn't seem reliable since they got some projects that are fully audited and yet got some errors and conflict when regards to security. What does it imply, means not all audited one can completely safe from vicious scammers that are genius on their crime activities.

[hatshepsut93]

I don't think that smart contracts are needed for drive-by attacks - when you visit a site and it steals your ETH and tokens from your wallet. Smart contract is basically and address, you need to make a transaction to interact with it, so if an attacker can make a transaction on your behalf, they could just send their coins to regular address instead of a smart contract.

Smart contracts are used in scams by hiding some sort of backdoor that would allow them to steal money of anyone who interact with it. Like how they promise some profits from something like yield farming or staking, but then just steal all the tokens that were sent to them, because no one realized that the devs added some hidden function for that. Or hackers could find a legitimate bug that could lead to this scenario, but I'm more inclined to believe that a lot of the "hacks" are just inside jobs, because it's easier to put a bug in the software than to find one in the wild, and crypto space is full of scammer "developers".

[pawanjain]

For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds? If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?

On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?

I use MetaMask as a hot wallet. This app is very popular and many scammers steal money from MetaMask. Sometimes they steal it without seed phrase, trojans, viruses etc. But users say that they sign some contracts and lose their funds.

Many thanks to all your answers, my crypto friends !

Yes you can lose funds if you visit some site which connects to your wallet. I have seen such scams on Phantom wallet where a scam site asks to connect to your wallet.
If you connect your wallet then you lose all your balance from the wallet. People don't generally verify the site and simply connect the wallet thinking that the site is genuine.
On the backend though, a code is executed which triggers the smart contract to be executed which transfers the funds from the victim's wallet to the scammers address.

[Shamm]

For example, I accidentally open some scam site similar to Pancake and stake USDT/USDC there using a smart contract. Can scammers steal USDT, USDC and other tokens from my wallet? Can they use a contract which grants access to all my funds? If they can, how can I prevent stealing? Are there exist effective methods to test smart contracts?

On the other hand, what if scammers find exploit in some trusted smart contract which certified by Certik or organization like that? In that case can they steal only staked pairs or all money? How can I protect my wallet from scammers?

I use MetaMask as a hot wallet. This app is very popular and many scammers steal money from MetaMask. Sometimes they steal it without seed phrase, trojans, viruses etc. But users say that they sign some contracts and lose their funds.

Many thanks to all your answers, my crypto friends !

It is possible that they can steal your money from your wallet if when you open their sites and give all your information and especially your wallet then they have a chance to hack or transfer you money from your wallet to their wallets.
Before you open a non trusted/ non familiar sites you need to do some research in order to prevent loss your money or getting scam.

[vv181]

They can do it even if I use hardware wallet like Ledger? For examle, I connect Ledger to MetaMask and then execute a scam contract via Ledger. Or I connect Ledger to a scam site directly and do the same thing. That's mean I give scammers access to all my funds in my wallet and they can steal money without any confirmation of transactions?

Yes, they can. When you execute a malicious scam contract, beforehand you are approving(signing) the transaction within your hardware wallet. So if the transaction or the contract is malicious in the first place, there is no use in using a hardware wallet.

Another security risk is when you use a hardware wallet but you are using a fake Metamask wallet, it will also risk all of your funds.

[MCcryptonia]

Most crypto scammers use smart contract for their unforgiving act, the most popular one is creating a fake token of another project just to lure crypto newbies into buying the fake tokens through pancake swap or uniswap

Another one is creating fake token and sending the tokens to many ETH address as possible and when the ETH address owners sees the token they will want to sell their tokens and that's when they will lose all their assets all in the name of trying to sell the free fake token

[suzanne5223]

In addition to all the previous explanations.
Yes, scammers can steal from using the smart contract security vulnerabilities and that's why it is good to ensure that you're using the right site.
If you must invest in a newly created token make sure it is smart contract audited because scammers also use this idea to steal from investors and the purpose of a smart contract audit is to guarantee that a certain smart contract is free from threat and rug pull.

[mk4]

If you must invest in a newly created token make sure it is smart contract audited because scammers also use this idea to steal from investors and the purpose of a smart contract audit is to guarantee that a certain smart contract is free from threat and rug pull.

Having auditors is just having someone to check the code for bugs and exploits with a fresh new pair of eyes, but it doesn't guarantee anything. Because if having auditors could guarantee contracts to be totally secure, then we wouldn't have this much DeFi exploits[1] today.

Heck, even centralized exchanges has their own auditors. But yet..

[1] https://cryptosec.info/defi-hacks

[Mpamaegbu]

And if you're extra paranoid, always check the project's social media accounts so you're updated if there's a recent exploit or whatever.

I always do that, and I guess my paranoia is in order too. No matter how someone tries to direct me to a site (of course, trusted sites) I tell them to send me link to the site. I do this to avoid phishers. Any fund transferred to a phishing site is as good as gone. In financial matters precision and patience are key items. I rather wait for the right link than hastily google it myself.

A project being audited by Certik or any other auditing company doesn't make a project hack-proof.

But it surely goes a long way in helping the investor relax and have that sense of security that their money is safe. I easily get interested in projects audited by Certik, and so far I haven't been disappointed.

[nullama]

Think of a smart contract as basically an executable that you download from a website.

When you run the downloaded executable, Windows will ask for your permission to run it. If you agree to run it, the program now has access to your device, and can cause damage.

Similarly, the website with a smart contract will ask you in your wallet to get access to your coins. If you grant access to it, then that website can access your coins, and that means if there's a bug in the code, a hacker can get your coins.

Be careful, read every thing you accept in your wallet, and make sure you go to the correct websites.

[witcher_sense]

I easily get interested in projects audited by Certik, and so far I haven't been disappointed.

You might have been disappointed had you invested in Vee Finance, Spartan Protocol, Akropolis, or Saddle Finance. They all were audited by Certik and got hacked later. People lost more than 60 million dollars. For me, it is an instructive example of how it is almost pointless to rely on third-party audits when it comes to DeFi projects and smart contracts. If the hack can happen, it will happen.

https://rekt.news/leaderboard/

[The Cryptovator]

They can do it even if I use hardware wallet like Ledger? For examle, I connect Ledger to MetaMask and then execute a scam contract via Ledger. Or I connect Ledger to a scam site directly and do the same thing. That's mean I give scammers access to all my funds in my wallet and they can steal money without any confirmation of transactions?

It doesn't matter what wallet have you been using, just keep in mind that if you allow your wallet access from another site and allow to make transactions then you lost it forever if that goes into a scammer wallet. Those who are we not much technical person, we can't read codes how it works. We don't know even whether it has deployed in smart contract or not, to be honest. We to prevent that always we must need to choose a reputable site to stake, trade, or swap. Most likely who have technical knowledge about smart contracts and solidity would know how the site works.

[Rruchi man]

Scammers are very smart people who have devoted their creativity and time into devising new means and methods of swindling people and taking their hard earned cash. Have this at the back of your mind and be cautious always because we never know the new style or method they have devised. If someone tells you a definitive no right now that scammers can't steal your money using smart contracts, the answer may not still be true tomorrow as a new method may be devised by scammers tomorrow. i hope you understand where i'm coming from, always act with the consciousness that anything is possible with scammers.

[bitmover]

You may also lose money in smartcontracts if someone exploits the smart contract,  not necessarily a scammer

Take a look here. On Sunday (yesterday) the defi Grim lost 30million USD in a hack attack:

The decentralized finance (DeFi) protocol Grim Finance reported $30 million in losses due to a reentrancy exploit of the platform’s deposits.

Grim Finance officially announced on Saturday that an “external attacker” had exploited the DeFi platform, stealing “over $30 million” worth of cryptocurrencies.

According to Grim Finance, the hack was an “advanced attack,” with the attacker exploiting the protocol’s vault contract through five reentrancy loops, which allowed them to fake five additional deposits into a vault while the platform was processing the first deposit.


https://cointelegraph.com/news/defi-protocol-grim-finance-lost-30m-in-5x-reentrancy-hack

Smartcontracts are dangerous if not properly designed.. you may lose money in those projects.