Best Practices for DEX Security and Scam Avoidance

Detailed Instructions

Begin by verifying the official contract address directly from the project's primary sources. Never trust addresses from social media or unofficial channels.

• Sub-step 1: Navigate to the project's official website, verified Twitter account, or GitHub repository. Cross-reference the contract address listed there with the one you intend to trade.
• Sub-step 2: Use a block explorer like Etherscan or BscScan to look up the address. Confirm the contract is verified, meaning its source code is publicly viewable and matches the project's claims. An unverified contract is a major red flag.
• Sub-step 3: Check the token creator (deployer) address. For established projects, this should be a known, reputable address. A contract created by a brand new, anonymous wallet is suspicious.

Tip: Bookmark the official project links. For example, a legitimate project like Uniswap's UNI token contract on Ethereum is 0x1f9840a85d5aF5bf1D1762F925BDADdC4201F984. Always confirm this yourself.

Detailed Instructions

Scam tokens often have poor liquidity and concentrated ownership, making them susceptible to rug pulls.

• Sub-step 1: On the block explorer's token page, check the Liquidity and Holders tabs. Look for a healthy, locked liquidity pool (often in a DEX pair like UNI-V2). A liquidity pool under $50,000 is extremely risky for any meaningful trade.
• Sub-step 2: Analyze the holder distribution. Be wary if the top 10 holders own more than 60-70% of the supply, especially if one wallet holds a vast majority. This indicates centralization and dump risk.
• Sub-step 3: Verify if the liquidity is locked with a reputable service like Unicrypt or Team Finance. Search for the LP token's lock transaction. The absence of a lock, or a lock with a very short duration (e.g., 1 week), is a critical warning sign.

Tip: Use tools like DexScreener or Dextools for a visual chart of liquidity and holder history. A sudden, large drop in liquidity is a clear exit scam signal.

Detailed Instructions

Manually inspect the verified contract code for hidden functions that could steal funds or block sales.

• Sub-step 1: On the contract's Etherscan page, go to the Contract tab and click Read Contract. Check for any unusual owner or controller functions.
• Sub-step 2: Go to the Write Contract tab and connect a read-only wallet. Look for dangerous functions. The most critical to check for are:
  • setTax or similar functions that can change fees to 100% after you buy.
  • blacklist or excludeFromFee functions that could prevent you from selling.
  • mint or burn functions that aren't supposed to exist, allowing infinite supply inflation.
• Sub-step 3: Search the source code for keywords like _transfer, approve, and balanceOf to understand the standard logic. Use a tool like Token Sniffer or Honeypot.is for an automated preliminary scan, but do not rely on it solely.

Tip: For advanced users, compare the contract to known, audited standards like OpenZeppelin's ERC-20 implementation. Deviations should have a clear, legitimate purpose.

Detailed Instructions

Before signing the transaction, perform final checks and set conservative parameters to protect your capital.

• Sub-step 1: Always do a test transaction with a very small amount (e.g., $1-$5 worth) first. Confirm you can sell it back successfully before committing more capital. This tests for honeypots or sell-restricting code.
• Sub-step 2: Set a maximum slippage tolerance. Never use the default high values (e.g., 10-20%). Start with 1-3% for established tokens. For new tokens, if high slippage is required to trade, it often indicates a scam with a hidden tax. Use the following command in a DEX interface to set slippage:

codeCopy
Set slippage to: 2.5%

• Sub-step 3: Review the transaction details in your wallet (like MetaMask) before signing. Verify the token contract address in the approval request matches the official one. Check that you are not granting an unlimited approval (approve max). If possible, approve only the exact amount you wish to trade.

Tip: Consider using a hardware wallet for all transactions. It adds a physical confirmation layer, making it much harder to accidentally sign a malicious transaction generated by a compromised website.

Detailed Instructions

Your first priority is to immediately sever the connection between your wallet and the malicious contract or website. This prevents ongoing, unauthorized transactions. Do not panic-sell or approve new tokens, as this can trigger more exploits.

• Sub-step 1: Revoke Token Approvals: Go to a blockchain security tool like Revoke.cash or Etherscan's Token Approvals tool. Connect your wallet and review all active approvals. Revoke any permissions granted to suspicious or unknown contracts, especially those with high spending limits.
• Sub-step 2: Disconnect from DApps: Manually disconnect your wallet from all connected sites in your wallet's settings. For MetaMask, click the account icon, go to 'Connected sites', and disconnect all.
• Sub-step 3: Transfer Remaining Funds: If possible and safe, move your remaining, unaffected assets to a brand new, freshly created wallet. This isolates them from any lingering compromised state.

Tip: Time is critical. These actions should be performed in this order within minutes of detecting the exploit.

Detailed Instructions

Conduct a transaction history audit to pinpoint the exact moment and method of the exploit. This is essential for reporting and learning. Use blockchain explorers to trace the flow of funds from your address.

• Sub-step 1: Analyze the Malicious Transaction: On Etherscan, BscScan, or similar, find the transaction where funds were drained. Examine the 'Interacted With (To)' contract address. Copy this address for further research.
• Sub-step 2: Research the Attacker's Address & Contract: Paste the malicious contract address into platforms like De.Fi Shield, Token Sniffer, or RugDoc.io. Look for red flags: recent creation, unverified source code, or poor security scores. Check if the contract has been labeled as a honeypot or drainer.
• Sub-step 3: Identify the Entry Point: Determine how you interacted with the malicious contract. Was it through a fake website, a spoofed token airdrop, or a malicious trade on a DEX aggregator? Review your browser history and Discord/Telegram messages for phishing links.

Tip: Tools like MetaMask's built-in transaction insights or Harpie's notification service can help automate the detection of malicious interactions in the future.

Detailed Instructions

Report the scam contract and website to relevant security platforms and communities. This collective action helps blacklist the threat and protect others. Do not expect immediate fund recovery, but reporting is a civic duty in DeFi.

• Sub-step 1: Report to Blockchain Analysts: Submit a detailed report with transaction hashes and addresses to entities like Chainabuse, CryptoScamDB, or the relevant DEX's security team (e.g., Uniswap Labs, PancakeSwap).
• Sub-step 2: Alert Your Social Circles: Warn others in the project's official Discord, Telegram, or Twitter community if the scam was project-related. Share the malicious contract address (e.g., 0x742d35Cc6634C0532925a3b844Bc9e90F1b6f1d8) and website URL clearly.
• Sub-step 3: File with Authorities (For Large Losses): For significant losses, consider filing a report with your local law enforcement's cybercrime unit and with agencies like the FBI's IC3. While challenging, this creates a formal record.

Tip: When reporting, provide clear, factual data: your wallet address, the scammer's address, transaction IDs, and a concise description. Avoid emotional pleas; focus on evidence.

Detailed Instructions

Understand that on-chain transactions are irreversible, making recovery rare. However, you can explore a few avenues while fundamentally upgrading your security posture to prevent a repeat incident.

• Sub-step 1: Contact Centralized Exchanges (CEXs): If the stolen funds were sent to a deposit address on a CEX like Binance or Coinbase, immediately file a report with their security teams. They can sometimes freeze assets if identified quickly. Provide all transaction details.
• Sub-step 2: Implement Advanced Wallet Security: Migrate all future activities to a hardware wallet (Ledger, Trezor). Use a dedicated 'hot wallet' with minimal funds for daily DEX interactions. Enable transaction simulation features in wallets like Rabby or Fire before signing.
• Sub-step 3: Use Allow-Lists and Limit Approvals: For contracts you trust, set specific spending limits instead of infinite approvals. Use tools that require manual approval for every new contract interaction. Consider using wallet guards that block interactions with known malicious addresses.

javascriptCopy
// Example: Revoking an unlimited USDC approval using Ethers.js
const { ethers } = require("ethers");
const provider = new ethers.providers.JsonRpcProvider("YOUR_RPC_URL");
const wallet = new ethers.Wallet("YOUR_PRIVATE_KEY", provider);
const usdcContract = new ethers.Contract("0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48", ["function approve(address spender, uint256 amount) public returns (bool)"], wallet);
// Send transaction to set allowance to 0
const tx = await usdcContract.approve("MALICIOUS_CONTRACT_ADDRESS", 0);
await tx.wait();

Tip: Recovery is an uphill battle. Focus 95% of your effort on step 4—proactive security hardening—to ensure this is your last incident.