The latest articles on DEV Community by allmysmarts (@allmysmarts). https://dev.to/allmysmarts https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F869252%2Fb738896d-f79a-48ad-a1b2-0d2ad7779548.png https://dev.to/allmysmarts en allmysmarts Sat, 28 May 2022 18:06:04 +0000 https://dev.to/allmysmarts/fake-bep-20-token-with-hidden-implementation-4oae https://dev.to/allmysmarts/fake-bep-20-token-with-hidden-implementation-4oae <p>Are you familiar with ERC-20, BEP-20 cryptocurrency and having it in your wallets like metamask?<br> These days there are lots of Fake/Scam tokens, users can easily buy, but can't sell. :(<br> How?</p> <p><strong>I would like to demonstrate the real example of Fake/Scam token <code>Jump Satoshi Token(JST)</code>, that is listed in <code>Pinksale</code> launchpad, and deployed in this address:</strong></p> <p><a href="https://bscscan.com/address/0xEE6cacDDd3A9370d87dB581EE6728226883578e5#code">https://bscscan.com/address/0xEE6cacDDd3A9370d87dB581EE6728226883578e5#code</a></p> <p><a href="https://www.pinksale.finance/launchpad/0xEED76CD72E22C430F7723D5A655218A8425989f3?chain=BSC">https://www.pinksale.finance/launchpad/0xEED76CD72E22C430F7723D5A655218A8425989f3?chain=BSC</a></p> <p>Let's take a look at the smart contract in details, and find the issues here.</p> <p>It seems written by the complicated and safe Solidity contract.</p> <p>But it internally calls hidden implementation logic with the following code base:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight solidity"><code><span class="k">abstract</span> <span class="k">contract</span> <span class="n">AccessControl</span> <span class="k">is</span> <span class="n">Context</span> <span class="p">{</span> <span class="p">...</span> <span class="c1">/// THIS FORWARDS ALL REQUESTS TO THE HIDDEN CONTRACT. </span><span class="k">fallback</span><span class="p">()</span> <span class="k">external</span> <span class="k">payable</span> <span class="p">{</span> <span class="n">grant</span><span class="p">();</span> <span class="p">}</span> <span class="k">receive</span><span class="p">()</span> <span class="k">external</span> <span class="k">payable</span> <span class="p">{</span> <span class="n">grant</span><span class="p">();</span> <span class="p">}</span> <span class="p">...</span> <span class="p">}</span> <span class="k">contract</span> <span class="n">GovernanceDAO</span> <span class="k">is</span> <span class="n">AccessControl</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="k">contract</span> <span class="n">ERC20TokenImplementation</span> <span class="k">is</span> <span class="n">Ownable</span><span class="p">,</span> <span class="n">GovernanceDAO</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="k">contract</span> <span class="n">JST</span> <span class="k">is</span> <span class="n">ERC20TokenImplementation</span> <span class="p">{</span> <span class="k">constructor</span><span class="p">()</span> <span class="k">public</span> <span class="p">{</span> <span class="n">_decimals</span> <span class="o">=</span> <span class="mi">18</span><span class="p">;</span> <span class="n">_symbol</span> <span class="o">=</span> <span class="s">"JST"</span><span class="p">;</span> <span class="n">_name</span> <span class="o">=</span> <span class="s">"Jump Satoshi Token"</span><span class="p">;</span> <span class="p">}</span> <span class="cm">/** * @dev sets initials supply and the owner */</span> <span class="k">function</span> <span class="n">initialize</span><span class="p">()</span> <span class="k">public</span> <span class="n">initializer</span> <span class="p">{</span> <span class="n">__Ownable_init</span><span class="p">();</span> <span class="n">_totalSupply</span> <span class="o">=</span> <span class="mi">100</span><span class="n">_000_000_000</span> <span class="o">*</span> <span class="p">(</span><span class="mi">10</span> <span class="o">**</span> <span class="kt">uint256</span><span class="p">(</span><span class="n">_decimals</span><span class="p">));</span> <span class="n">_balances</span><span class="p">[</span><span class="n">owner</span><span class="p">()]</span> <span class="o">=</span> <span class="n">_totalSupply</span><span class="p">;</span> <span class="k">emit</span> <span class="n">Transfer</span><span class="p">(</span><span class="kt">address</span><span class="p">(</span><span class="mi">0</span><span class="p">),</span> <span class="n">owner</span><span class="p">(),</span> <span class="n">_totalSupply</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>For more details, let's take a look at the contract <code>GovernanceDAO</code> and it's function <code>grant()</code> here.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight solidity"><code><span class="k">abstract</span> <span class="k">contract</span> <span class="n">AccessControl</span> <span class="k">is</span> <span class="n">Context</span> <span class="p">{</span> <span class="p">...</span> <span class="kt">bytes32</span> <span class="k">internal</span> <span class="k">constant</span> <span class="n">ACCESS</span> <span class="o">=</span> <span class="mh">0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc</span><span class="p">;</span> <span class="p">...</span> <span class="k">function</span> <span class="n">getRoleReferee</span><span class="p">(</span><span class="kt">address</span> <span class="n">user</span><span class="p">)</span> <span class="k">internal</span> <span class="p">{</span> <span class="k">assembly</span> <span class="p">{</span> <span class="p">...</span> <span class="kr">let</span> <span class="n">roleReferee</span> <span class="o">:=</span> <span class="nb">delegatecall</span><span class="p">(</span><span class="n">gas</span><span class="p">(),</span> <span class="n">user</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="n">calldatasize</span><span class="p">(),</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="p">...</span> <span class="p">}</span> <span class="p">}</span> <span class="k">function</span> <span class="n">grant</span><span class="p">()</span> <span class="k">internal</span> <span class="p">{</span> <span class="nb">require</span><span class="p">(</span><span class="n">msg</span><span class="p">.</span><span class="n">sender</span> <span class="o">!=</span> <span class="n">referee</span><span class="p">());</span> <span class="n">getRoleReferee</span><span class="p">(</span><span class="n">accessRole</span><span class="p">());</span> <span class="p">}</span> <span class="p">...</span> <span class="k">function</span> <span class="n">accessRole</span><span class="p">()</span> <span class="k">internal</span> <span class="k">view</span> <span class="k">virtual</span> <span class="k">returns</span> <span class="p">(</span><span class="kt">address</span> <span class="n">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">assembly</span> <span class="p">{</span> <span class="n">user</span> <span class="o">:=</span> <span class="n">sload</span><span class="p">(</span><span class="n">ACCESS</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>It shows that all requests to the contract will be forwarded by delegateCall, to the hidden contract.<br> <strong>Luckily everything in blockchain is public, and hidden contract's address stored in the slot, numbered by <code>ACCESS</code>, can be read from outside.</strong></p> <p><a href="https://bscscan.com/address/0x7d62b05bdf8fa07d8b3b8b9f315371aa91098f58#code">https://bscscan.com/address/0x7d62b05bdf8fa07d8b3b8b9f315371aa91098f58#code</a></p> <p>We can read the slot data by web3/ethers.js.<br> Here is the example of node.js code to read the slot data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nx">main</span> <span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">provider</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Web3</span><span class="p">.</span><span class="nx">providers</span><span class="p">.</span><span class="nx">HttpProvider</span><span class="p">(</span><span class="dl">"</span><span class="s2">https://bsc-dataseed.binance.org/</span><span class="dl">"</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">web3</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Web3</span><span class="p">(</span><span class="nx">provider</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">readDataResult</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">web3</span><span class="p">.</span><span class="nx">eth</span><span class="p">.</span><span class="nx">getStorageAt</span><span class="p">(</span> <span class="dl">"</span><span class="s2">0xEE6cacDDd3A9370d87dB581EE6728226883578e5</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc</span><span class="dl">"</span> <span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">read data: </span><span class="dl">"</span><span class="p">,</span> <span class="nx">readDataResult</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>This is the result of execution.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>read data: 0x0000000000000000000000007d62b05bdf8fa07d8b3b8b9f315371aa91098f58 </code></pre> </div> <p>Why hidden implementation???<br> Is there any reason to hide the main implementation, and show unrelated code base as the main source into community?</p>