Spoof Tokens on Ethereum

Fake or “spoof” ERC-20 token transfers are nothing new on Ethereum. However, the widespread adoption of blockchain over the last year has led to a sharp rise in these cases. With more and more incidents, and a recent high-profile one, the issue deserves a closer look.

In this article, we will cover:

  • What this “spoof” is

  • How to detect it

  • How to avoid it

Imagine hearing rumors of an upcoming token airdrop for a much-hyped DeFi product. Being consummate traders, we search for any clues about this.

We notice that a token very similar in name and symbol to this DeFi product was newly minted. More importantly, we see it was sent to an address that we had privately labeled as belonging to a well-connected whale/influencer.

Wanting to get into this token before everyone else, we bought a bunch of it from a newly created Uniswap V2 liquidity pool. An hour later, the liquidity provider drained all the ETH from the pool and we realized we had been ripped off.

What went wrong?

These real OpenSea tokens are not transferred from the OpenSea: Registry address

The mistake we made was to believe that the token transfer was actually made by the influencer address. This “spoof” deceives unsuspecting users by taking advantage of two things:

  • The design of the ERC-20 standard

  • Block explorers’ transparent display of data

The ERC-20 standard's transfer and transferFrom functions can be written so that any arbitrary address is reported as the sender of the tokens, as long as the smart contract specifies it; the result is a transfer that appears to come from an address other than the one that actually initiated it.

Typically, “spoofed” token contracts are not verified on Etherscan, which serves to obscure the inner workings of the contract.

For ERC-20 token transfers, block explorers such as Etherscan display the address reported as transferring the tokens, not the address that sent the transaction. Given the nature of block explorers, this data is not censored by default.

In most cases, the extent of the damage is limited to holding zero-value tokens. But more dangerous situations are possible, such as tokens whose revert error messages point to phishing sites that steal users' private keys. ERC-721 and ERC-1155 tokens (NFTs) are subject to the same problem.

How can one discover this?

The answer is fairly simple. For any of these token transfers, click on the transaction hash and check its details. The From address that initiated the transaction will clearly differ from the From address the tokens are shown as transferred from.

To dig deeper, look for the “spoofed” From address in the transaction input data or in the contract source code; it is usually present in one of the two. This step is harder if the contract is not verified, but an unverified contract is itself a reason to treat the token as more suspicious.

Fake OpenSea tokens appear to be transferred by OpenSea: Registry in this transaction

A key caveat: not all token transfers initiated by a different address are fake or fraudulent. A common example is a dApp sending multiple token transfers in batches. These usually have a public name tag added by Etherscan.
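The mechanism and detection steps above (compare the transaction sender with the Transfer event's From, then look for that address in the input data, allowing for labelled batch senders) as a worked check, added here as an example and not code from the Etherscan post. The receipt shape and topic layout follow the standard Ethereum JSON-RPC receipt format; every address and the receipt contents are constructed sample data.

```python
# Added example (constructed data): flag Transfer events whose displayed "From" is
# not the address that actually sent the transaction, the check the article gives.
# keccak256("Transfer(address,address,uint256)"), the event topic explorers index:
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

def topic_to_address(topic: str) -> str:
    """An indexed address is ABI-encoded as a 32-byte word; take its low 20 bytes."""
    return "0x" + topic[-40:].lower()

def spoofed_transfers(receipt: dict, known_batch_senders=frozenset()) -> list:
    """Transfer events whose `from` is not the tx sender (the article's check).
    Calls into an explorer-labelled batch sender are skipped; an approved
    transferFrom also has from != sender, so a hit is a lead, not a verdict."""
    tx_sender = receipt["from"].lower()
    called = receipt["to"].lower()
    calldata = receipt.get("input", "0x").lower()
    hits = []
    for log in receipt["logs"]:
        topics = [t.lower() for t in log["topics"]]
        # ERC-20 Transfer has 3 topics; ERC-721 Transfer has 4 (indexed tokenId)
        if len(topics) not in (3, 4) or topics[0] != TRANSFER_TOPIC:
            continue
        displayed_from = topic_to_address(topics[1])
        if displayed_from == tx_sender or called in known_batch_senders:
            continue
        hits.append({
            "token": log["address"].lower(),
            "displayed_from": displayed_from,
            "to": topic_to_address(topics[2]),
            "actual_sender": tx_sender,
            # the article's second step: is the spoofed address in the input data?
            "from_in_calldata": displayed_from[2:] in calldata,
        })
    return hits

def pad(addr: str) -> str:
    return "0x" + "00" * 12 + addr[2:]  # left-pad a 20-byte address to a 32-byte word

# Constructed sample: the deployer calls the fake token contract, which emits a
# Transfer "from" an influencer address that was handed to it in calldata.
DEPLOYER, TOKEN = "0x" + "11" * 20, "0x" + "aa" * 20
INFLUENCER, VICTIM = "0x" + "22" * 20, "0x" + "33" * 20
SAMPLE_RECEIPT = {
    "from": DEPLOYER, "to": TOKEN,
    "input": "0xdeadbeef" + pad(INFLUENCER)[2:] + pad(VICTIM)[2:],
    "logs": [{"address": TOKEN, "data": "0x" + "00" * 31 + "01",
              "topics": [TRANSFER_TOPIC, pad(INFLUENCER), pad(VICTIM)]}],
}
```

Running `spoofed_transfers(SAMPLE_RECEIPT)` returns one hit whose displayed From is the influencer while the actual sender is the deployer, with the influencer address found in the calldata.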

Transactions to send tokens in batches

A close cousin of the spoof is the spam token. While spam tokens do not pretend to be sent from an influential person’s address, they are sent to that address in bulk and make reading the address’s token holdings a painful experience.

What can we do to avoid this?

For the average user, there is no need to do anything as this issue is unlikely to affect us.

Etherscan does not censor data by default, but is exploring ways to help mitigate this issue. The first step is to expand the functionality of the token ignore list. Features:

  • Automatically hide ignored token transfers in the ERC-20, ERC-721, and ERC-1155 tabs, and hide them from address balances and token holdings.

  • Include a simple option for users to ignore all tokens marked as suspicious or bad by Etherscan.

We hope that this expanded functionality will help protect users from scams while enjoying a cleaner user experience on the site.

Source: https://medium.com/etherscan-blog/spoof-tokens-on-ethereum-c2ad882d9cf6

