We investigate in this work a recently emerged type of scam ERC-20 token called Trapdoor, which cost investors billions of US dollars on Uniswap, the largest decentralised exchange on Ethereum, from 2020 to 2023. In essence, Trapdoor tokens allow users to buy but prevent them from selling, by embedding logical bugs and/or owner-only features in their smart contracts. By manually inspecting a number of Trapdoor samples, we established the first systematic classification of Trapdoor tokens and a comprehensive list of techniques that scammers use to embed and conceal malicious code, accompanied by a detailed analysis of representative scam contracts. Building on this, we developed TrapdoorAnalyser, a fine-grained detection tool that generates and cross-checks two sources of evidence: the error log of a buy-and-sell test (the token is bought and then sold back on Uniswap, and any revert of the sell is recorded) and the list of Trapdoor indicators found by a contract-semantic check of the source code. Only when both agree is a token reliably identified as a Trapdoor. TrapdoorAnalyser not only outperforms the state-of-the-art commercial tool GoPlus in accuracy, but also provides traces of the malicious code with a full explanation, which most existing tools lack. Using TrapdoorAnalyser, we constructed the first dataset of about 30,000 Trapdoor and non-Trapdoor tokens on UniswapV2, which allows us to train several machine learning algorithms that detect with very high accuracy even Trapdoor tokens for which no Solidity source code is available.
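The following is an added illustration of the two checks the abstract describes, not TrapdoorAnalyser's own code and not taken from the paper. It models a token's transfer policy in Python instead of the EVM: a buy is a transfer from the Uniswap V2 pair to the buyer, a sell is a transfer from the buyer back to the pair, and the three owner-only or buggy behaviours (an owner-toggled sell switch, a blacklist, and a 100% sell fee that zeroes the transfer) stand in for the kinds of indicators a contract-semantic check would look for. The addresses, token names, and revert messages are constructed for the example.

```python
"""Toy buy-and-sell test cross-checked with static Trapdoor indicators.

Added example: models a Trapdoor token's transfer policy in Python so the
dynamic test (buy, then sell) and the static indicator list can be compared
offline. Addresses and messages below are hypothetical.
"""
from dataclasses import dataclass, field

PAIR = "0xPAIR"      # hypothetical Uniswap V2 pair address
OWNER = "0xOWNER"    # hypothetical deployer / contract owner
VICTIM = "0xVICTIM"  # hypothetical retail buyer


@dataclass
class Token:
    """Minimal ERC-20 transfer policy; the flags model owner-only features."""
    name: str
    balances: dict = field(default_factory=dict)
    owner: str = OWNER
    pair: str = PAIR
    sell_enabled: bool = True                 # owner-toggled switch
    blacklist: set = field(default_factory=set)
    sell_fee_bps: int = 0                     # fee taken on transfers into the pair

    def transfer(self, sender: str, to: str, amount: int) -> int:
        """Move tokens and return the amount credited; raise to mimic a revert."""
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("ERC20: transfer amount exceeds balance")
        if sender in self.blacklist:
            raise RuntimeError("Blacklisted")
        net = amount
        # Sells (anyone but the owner sending to the pair) are where the traps live.
        if to == self.pair and sender != self.owner:
            if not self.sell_enabled:
                raise RuntimeError("Sell not enabled")
            net = amount - amount * self.sell_fee_bps // 10_000
            if net == 0:  # 100% fee: the "logical bug" flavour of trapdoor
                raise RuntimeError("Transfer amount must be greater than zero")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + net
        return net


def make_token(name: str, **policy) -> Token:
    """Construct a token whose pair already holds liquidity (constructed data)."""
    return Token(name=name, balances={PAIR: 1_000_000}, **policy)


def buy_and_sell_test(token: Token, amount: int = 1_000) -> list:
    """Dynamic check: buy from the pair, then sell back. Returns the error log."""
    errors = []
    try:
        token.transfer(token.pair, VICTIM, amount)   # buy: pair -> victim
    except RuntimeError as exc:
        errors.append(("buy", str(exc)))
        return errors
    try:
        token.transfer(VICTIM, token.pair, amount)   # sell: victim -> pair
    except RuntimeError as exc:
        errors.append(("sell", str(exc)))
    return errors


def semantic_indicators(token: Token) -> list:
    """Static check: stand-in for inspecting the contract for trapdoor features."""
    indicators = []
    if not token.sell_enabled:
        indicators.append("owner-toggled sell switch currently disabled")
    if token.blacklist:
        indicators.append("transfer blacklist populated")
    if token.sell_fee_bps >= 10_000:
        indicators.append("sell fee of 100% or more")
    return indicators


def classify(token: Token) -> str:
    """Cross-check: both a failed sell and a matching indicator -> trapdoor."""
    sell_failed = any(stage == "sell" for stage, _ in buy_and_sell_test(token))
    indicators = semantic_indicators(token)
    if sell_failed and indicators:
        return "trapdoor"
    if sell_failed or indicators:
        return "suspicious"   # one source of evidence only: needs manual review
    return "clean"


if __name__ == "__main__":
    for tok in (make_token("Honest"),
                make_token("SellLocked", sell_enabled=False),
                make_token("FullTax", sell_fee_bps=10_000),
                make_token("Listed", blacklist={VICTIM})):
        print(tok.name, classify(tok), buy_and_sell_test(make_token(tok.name, **{
            "sell_enabled": tok.sell_enabled, "sell_fee_bps": tok.sell_fee_bps,
            "blacklist": tok.blacklist})))
```

The point of the cross-check is the "suspicious" branch: a sell that reverts without any indicator may be a simulation artefact (wrong slippage, missing approval), and an indicator without a failed sell may be a dormant switch the owner has not yet flipped, so neither alone is treated as a confirmed Trapdoor.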