How Smart Contract Audits Are Used to Scam You

Nefture Security | Blockchain Security
Published in Dissecting Web3
14 min read · Apr 14, 2023

Web3 can be a minefield for users and actors alike. When they don’t fall for fraudulent projects, they become victims of hackers.

The situation is getting worse every year, with 2022 seeing a total of $84.8 million lost to hacks and fraudulent projects.

All in all, web3 is a space in dire need of security, safety, and a measure of control.

Users and builders alike need assurance that it’s safe enough to invest in.

Nobody wants to enter, interact with, or stay in a space where they’re only a few clicks away from losing everything to scammers or a Casa de Papel-style crypto heist that leaves devastation in its wake.

So, what have web3 actors used to build this high-in-demand trust?

Smart Contract Audits.

Since 2020, code auditing performed by third parties has become the default expectation for reputable DeFi platforms.

They serve a dual function:

1 — They “secure” the DeFi protocol

2 — They are a stamp of security and legitimacy approval for potential users

Today’s discussion will not be about the security (or lack thereof) paradigm in Web3 and how the existence of smart contract audits has become the go-to excuse for some Web3 builders to ignore bad code, have a zero security budget, and exempt themselves from the necessary ongoing commitment to the security and safety of their users.

Nope, that’s a discussion for another day.

Today, we will explore how the ingrained idea that audit means security has been artfully used by fraudsters to trick people into putting their trust and hard-earned money into their bogus projects.

When Audits Equate Trust

Web3 users overall suffer from a serious affliction: thinking that a project is secure just because it has been audited. And they certainly cannot be blamed for this.

Web3 builders have been using audits as a marketing strategy tool for the past few years. For crypto projects, being perceived as safe means gaining the trust of potential users, which translates to “Money! Money! Money!”

As soon as they launch or announce their projects, they will claim that it is safe and will be audited by top audit powerhouses to prove it.

In web3, safety equals audits. Period.

In this Wild Wild West, audits and audit companies like Certik, PeckShield, Hacken, Slowmist, etc., are perceived as the only barriers standing between web3 users and unfathomable risks. On paper, audits protect a project from hackers and protect users from fraudulent projects with built-in backdoors or other shenanigans.

Audits offer users the delusion that they are somehow protected, somehow safe. Otherwise, how could they choose to actively participate in a project that could turn them into easy prey?

This almost blind trust of web3 users in audits could not be better illustrated than by the disclaimer of one of the leading audit firms, PeckShield. Its very last line reads:

“Last but not least, this security audit should not be used as an investment advice.”

Scammers caught on to this vulnerability pretty quickly.

The art of scam is eliciting trust where none should be felt. And since trust is (partially) built on audits on web3, audits would, of course, be used as a tool of choice to lure people into lowering their cautiousness.

The most classic MO used by your average-joe scammer is faking an endorsement by an audit firm: slapping a Certik or PeckShield logo on their website. This forces these same firms to issue statements, every week and sometimes multiple times a week, that such-and-such project was never audited by them. These fraudulent projects are easy enough to debunk: it suffices to go to the audit firm's website, type in the name of the project that claims to be audited by them, and check whether that is actually the case.

Unfortunately, although these scammers are easy enough to debunk, people still fall for them: most users assume they would not be able to understand an audit anyway, so they never check whether the audit exists or whether it is legitimate.

But this, again, is not the subject of this article.

Although fake audits are an issue on their own, the true looming and worrying issue is the use of real audits to sell fraudulent projects.

Real Audits, Fraudulent Projects

What could be more powerful for a web3 hoax than an honest-to-God audit?

Nothing.

So, of course, some very patient scammers who don’t mind building and running their sham for months if not years, choose to use genuine smart contract audits to build trust in their deceitful project.

How so?

1 — Selecting what is going to be audited

Fraudsters profit from the idea that most web3 users assume that when a project says it has been “audited”, everything that needs to be audited has been audited, especially the code most vulnerable to attack or most likely to hide a backdoor.

That is absolutely not the case.

As Certik underlines in its disclaimer:

“CertiK conducts security assessments on the provided source code exclusively.”

They follow up with an unhelpful:

“Conduct your own due diligence before deciding to use any info listed on this page.”

Well, if every person could do their own due diligence on a smart contract or project, why would there be a need for audit firms?

Sigh.

This aside, audit firm Slowmist is even more extensive in explaining how their range of action and analysis is conditioned by what their clients provide:

“The security audit analysis and other contents of this report are based on the documents and materials provided to SlowMist by the information provider until the date of the insurance report (referred to as “provided information”). SlowMist assumes: The information provided is not missing, tampered with, deleted or concealed.

If the information provided is missing, tampered with, deleted, concealed, or inconsistent with the actual situation, the SlowMist shall not be liable for any loss or adverse effect resulting therefrom. SlowMist only conducts the agreed security audit on the security situation of the project and issues this report. SlowMist is not responsible for the background and other conditions of the project.”

Not only does an audit not provide a full assessment of a project, but the assessment is made on information provided by the client.

Suffice to say, the owner of a fraudulent project only needs to have a “harmless” smart contract audited to be able to claim on every platform that its project has been “audited”.

Maybe the worst part about it is that this myth of a project being foolproof when a single audit exists is perpetuated by standard actors.

On October 2, 2022, Transit Swap, a cross-chain DEX aggregator, was hacked for over $23 million.

At that time, when you visited their website, you could see that Transit Swap proudly underlined at the very place you would engage in a transaction on the platform that “Transit Swap aggregator contract is audited by Peckshield.”

Here again, audits are used to claim loudly and proudly that the platform is safe as a whole, everything is safe, your funds are safe.

The message could not be more clear:

“You can interact with the platform safely because we have ensured that everything is secure through our audit.”

After the hack, when fingers were pointing at Peckshield for maybe not doing their job properly, they had to come forward to explain that “the exact contract being hacked is not part of the audit.” Uh oh.

This is the perfect scenario to illustrate how it can be so easy for fraudsters to use smart contract audits to deceive people into blindly trusting them.

If even allegedly legitimate actors use audits to build trust, creating a sense of safety by auditing only part of their protocol while leaving unaudited the smart contracts that, once exploited, let at least $23 million of their users’ funds be siphoned off, what is stopping bad actors from doing the same?

And if fraudsters and legitimate actors share the same self-serving malpractice, built on users’ ignorance of what an audit entails, how will web3 users know whom to trust and whom to mistrust?
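The check a user or integrator would actually want here is the one neither the Transit Swap banner nor a logo on a landing page gives: does the set of contracts the dApp sends your transactions to match the set of contracts the audit report lists in its scope, and were those contracts redeployed after the report date? The script below is an added example written for this article; it is not Nefture's tooling nor any audit firm's, and the firm name, contract names, addresses, dates and commit id are constructed placeholders. It reads the addresses out of a report's free-text scope section, compares them against the contracts the front-end really calls, and flags the fund-holding ones the “audited” label does not vouch for.

```python
"""Audit-scope coverage check.

Added example for this article; it is not Nefture's tooling nor any audit
firm's. It models the gap the article describes: an audit covers only the
contracts the client submitted, while the live dApp may route user funds
through contracts that were never in scope or that changed after the report
date. All names, addresses, dates and commit ids below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HEX_ADDR = re.compile(r"0x[0-9a-fA-F]{40}")


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address so checksum casing never hides a match."""
    addr = addr.strip()
    if not HEX_ADDR.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


@dataclass(frozen=True)
class AuditScope:
    firm: str
    report_date: str           # ISO date printed on the report
    commit: str                # source revision the firm reviewed
    contracts: frozenset[str]  # normalized addresses listed in the scope


@dataclass(frozen=True)
class LiveContract:
    name: str
    address: str
    deployed_at: str           # ISO date of deployment or last upgrade
    holds_user_funds: bool     # custodies balances or token approvals


def parse_scope(firm: str, report_date: str, commit: str, text: str) -> AuditScope:
    """Extract every address from the free-text 'Scope' section of a report."""
    found = frozenset(normalize(a) for a in HEX_ADDR.findall(text))
    return AuditScope(firm, report_date, commit, found)


def coverage_report(scope: AuditScope, live: list[LiveContract]) -> dict[str, list[str]]:
    """Classify each live contract against the audit scope.

    ISO dates compare correctly as strings, so a deployment or upgrade dated
    after the report means the audited code is not the code now running.
    """
    out: dict[str, list[str]] = {"covered": [], "unaudited": [], "changed_after_audit": []}
    for c in live:
        if normalize(c.address) not in scope.contracts:
            out["unaudited"].append(c.name)
        elif c.deployed_at > scope.report_date:
            out["changed_after_audit"].append(c.name)
        else:
            out["covered"].append(c.name)
    return out


def funds_at_risk_outside_scope(scope: AuditScope, live: list[LiveContract]) -> list[str]:
    """Fund-holding contracts that the 'audited' label does not actually vouch for."""
    rep = coverage_report(scope, live)
    flagged = set(rep["unaudited"]) | set(rep["changed_after_audit"])
    return sorted(c.name for c in live if c.holds_user_funds and c.name in flagged)


# Constructed sample: a report whose scope names two contracts ...
SAMPLE_REPORT_TEXT = """
Scope: the following contracts were reviewed at commit abc1234 (placeholder):
  Aggregator  0x0000000000000000000000000000000000000001
  Treasury    0x0000000000000000000000000000000000000003
"""
SAMPLE_SCOPE = parse_scope("ExampleAuditCo", "2022-09-01", "abc1234", SAMPLE_REPORT_TEXT)

# ... while the front-end actually sends transactions to three contracts,
# one never audited and one redeployed after the report date.
SAMPLE_LIVE = [
    LiveContract("Aggregator", "0x0000000000000000000000000000000000000001", "2022-08-15", False),
    LiveContract("Router", "0x0000000000000000000000000000000000000002", "2022-08-20", True),
    LiveContract("Treasury", "0x0000000000000000000000000000000000000003", "2022-09-20", True),
]

if __name__ == "__main__":
    for bucket, names in coverage_report(SAMPLE_SCOPE, SAMPLE_LIVE).items():
        print(f"{bucket:20s} {names}")
    print("funds at risk outside scope:", funds_at_risk_outside_scope(SAMPLE_SCOPE, SAMPLE_LIVE))
```

On the constructed sample the aggregator comes out as covered, the router as never audited, and the treasury as changed after the audit, so both fund-holding contracts are flagged even though the project could truthfully say “our aggregator contract is audited”. In practice the live list comes from the addresses the front-end or the block explorer shows the protocol interacting with, and the scope text from the PDF the firm publishes; the date comparison is only as good as the deployment dates you feed it.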

2 — Audits are not automatically corrective

Ignorance here again is key.

In general, when a web3 user reads that a smart contract has been audited, he will think that any issues spotted were then corrected by the auditing firm.

Fraudsters profit from the idea that most web3 users think auditors systematically fix the issues encountered during an audit. In reality, it is usually the project team’s job to implement security patches, unless the contract between the auditor and the audited party contains a clause for rewriting the code to fix the security issues spotted.

3 — Counting on the fact that they are the audit firms’ clients: an asymmetric dynamic they can use to cover up mischief

Life is tough for web3 audit firms.

That’s why they love their disclaimers and do what actors in other industries could never fathom: send their clients to rival firms.

As PeckShield put it:

“As one audit cannot be considered comprehensive, we always recommend proceeding with several independent audits and a public bug bounty program to ensure the security of smart contract(s).”

These audit firms are in a very peculiar position: the ones who pay the bill are the ones they are supposed to grill, to discover whether they are legit or not, fraudsters or not, whether they have a backdoor that could enable a crypto heist or not.

And depending on the terms of the contract or the position of the auditing firms, things that should not be overlooked are, and stamps of approval are given when they should not.

Audit firms can be subjected to extreme pressure by their clients to give them the pass when they should not. And for newer, more vulnerable, fragile audit firms, it could be too much to resist.

A striking example of this is when Certik, the undisputed leading web3 audit firm, had to face a defamatory and hate-filled campaign led by Safuu Protocol.

As previously explained, DeFi protocols love to announce their upcoming auditing process, sometimes the very day they have been born, which was the case for Safuu Protocol. They promised an audit from the highly trusted Certik, after they had already been audited by a firm called Solidity Finance!

source: Safuu

As promised, Safuu, who promised 382,945% APY — not suspicious at all — got audited by Certik. Putting the money on the table, they probably thought they bought out Certik.

Well, they were in for a rude wake-up call!

On March 22, 2022, Certik announced that:

“CertiK’s highly skilled KYC & Fraud Investigation team have delisted the #SAFUU Protocol project due to high-risk indicators, concerning the SAFUU owner/team affiliation with previous high-risk projects. We advise against interacting with this project.”

From then on, Certik was threatened with a “full class action legal suit for Slander, Market Manipulation, Defamation of Character and Investment Fraud” as well as having to pay $2.4 million in the amount of damages caused through “gross negligence and illegal activity.”

Safuu aficionados harassed Certik on social media and tried to ruin their reputation by leaving awful and defamatory comments on TrustPilot, accusing them of “FUD,” market manipulation, and unprofessionalism.

On May 9, famous sleuth Coffeezilla exposed the whole affair in a video titled “Scammer Begged Me Not To Investigate…”, which unveiled the full extent of the inglorious and scammy past of Safuu’s CEO and how Safuu Protocol was built to end in an exit scam.

Unsurprisingly, on November 21, 2022, Safuu rug pulled for $6 million.

It could certainly have been much more had Certik not raised the alarm first.

When this happened Certik was already well-established, the market leader, and losing a contract or facing this kind of backlash was something they could endure, allowing them to bravely denounce the sham Safuu protocol was.

It is hard to envision less well-known and less established audit firms denouncing their own clients while they are still fighting to attract them and could be one contract away from closing down. Let’s not even talk about facing lawsuits.

All in all, fraudsters have no less than three ways of making audits a powerful manipulation tool to entrap unsuspecting people.

Here are two examples of how it can play out for them.

The case of DeFi AI and Hope Finance

DeFi AI

One of the most telling cases would be the one of DeFiAI.

As usual, the story starts with the protocol launching and announcing, in December 2021, that it is going to get audited.

Which it proceeded to do with no less than 3 respected audit firms: Certik, Peckshield and Hacken.

In August 2022, Hacken announced a long-term cooperation with DeFi AI, stating that DeFi AI had received an 8.75/10 and was a “well-secured project”. DeFi AI pinned this new cooperation on their Twitter account.

October 19, 2022: DeFi AI posts all of their audits in full on their Discord channel.

November 12, 2022, DeFi AI posts that “Our contract and front-end are under maintenance, please be patient.”

November 13, 2022, DeFi AI claims that they have been hacked.

But no hack happened.

They followed the basic MO to hide an exit scam behind a faked hack.

$4.17 million were stolen from their users.

DeFi AI actively used its audits as the powerful advertising panel they are and attracted millions into a fraudulent project that was able to pose as a legitimate DeFi protocol.

Two things to additionally note:

1- Remember when Hacken gave an 8.75/10 to DeFi AI and deemed their new partner a “well-secured project”? Well, first, one discovers on Hacken’s website that the security score is 7.5.

And then, reading through the audit, we found our way back to this stellar 8.75, but after averaging the four sub-scores ourselves, (5 + 2.5 + 10 + 10) / 4, we ended up with 6.875/10.

Outside this bizarre miscalculation, if one would have opened this audit report and read it, they could have seen two potential red flags that could have indicated that this could turn into a fraudulent project.

🚩First, the very low quality of the initial code.

Peckshield gave them a 2.5/10. Although the security score is 10/10 with one low-severity issue, Hacken reports no less than 22 initial security issues. 22. Among them, one critical, one high-severity and 20 low-severity issues.

Which is not to say that every DeFi protocol with initial bad code is a sleeping exit scam.

But still, it denotes an utter lack of care in building a protocol that is supposed to safeguard people’s money, unless of course one is not interested in safeguarding anything and plans to run away with the money.

🚩 Secondly, they were given a score of 5/10 for documentation quality. Hacken underlines:

“The customer provided superficial technical and functional requirements”.

Here again, not being forthcoming with the documentation necessary for an audit to take place properly is at the very least worrisome and should be cause for caution.

2- Certik’s audit has disappeared.

If not for the link on DeFi AI’s Discord, all trace of an audit by Certik could have disappeared altogether.

We had to use the Wayback Machine to find its traces, and here it is:

First, this shows that DeFi AI’s claims of having been audited by Certik were true. Secondly, it illustrates a bad habit some auditing firms have taken up when faced with a project they audited that turned out to be a fraud: erase all traces.

This (mis)practice can also be found in our second example: Hope Finance.

Hope Finance

Hope Finance is a bizarre story to say the least.

On February 20th 2023, member(s) of Hope Finance announced that a member of their team they “doxxed” had wiped out their protocol of $2 million on the day of the launch.

Based on the fact that all three accounts on the team’s multisig were needed to approve the transaction that would rug the project, some allege that the whole team is involved. Especially since the “real identity” of the thief they disclosed seemed to be absolutely counterfeit.

It’s just screaming bad photoshop…

Add to that the fact that the other members, who never disclosed their own identities, disappeared into thin air after tweeting one last time about how to withdraw funds from an already empty protocol they appropriately called a “fxxking scam protocol”, and this looks like a basic exit scam disguised as a convoluted one-sided rug pull.

Be it the work of one team member or the whole team (or maybe the whole team is one team member?), the exit route needed for an exit scam was written in black and white (or vice versa) in the code, and no less than two audit firms went through it.

9 days and 7 days before the rug, Hope Finance announced that they had successfully passed two audits.

One from the firm Cognitos, where the smart contract inexplicably passed the audit even though they spotted two major uncorrected vulnerabilities in the smart contract’s functions: an incorrect modifier and possible re-entrancy.

The other from the audit firm AudiRateTech, which proceeded to erase all traces of it, except for their KYC certificate.

Here again, the project used the audits as the main way to build trust and attract funds and investment to their bogus protocol, and again millions were lost.

And, what we are left with are questions.

How do two distinct audit firms not see the backdoor? Why does a smart contract with high vulnerabilities get a pass? Why erase your own audit?

I’m sure most of you readers will come up with your own theories on the hows and whys.

What is certain though is that scammers will not even stop at auditing the very contract they will use to screw people over because they know they can get away with it.

Conclusion

On March 27th, Kokomo Finance rug pulled for $4M, despite having been audited by 0xGuard. However, the audit only covered the token contract, not the protocol as a whole.

This incident highlights, yet again, the urgent need for the web3 audit sector to implement transformative measures to ensure the safety of people’s funds and their own reputability.

While none of the audit firms can achieve this alone, they could collaborate to put an end to this chaos. By working together to build and implement new standards, they would have the power to raise the bar and provide a powerful counterbalance to crypto firms that disregard the people who trust them, whether they are fraudulent or legitimate.

Communication is key to achieving this goal.

Audit firms must provide tools for the average user to understand what their audits mean and what they don’t. This will enable people to make informed decisions to the best of their ability.

Audit firms can do more to protect people than issue poorly suited disclaimers.

They have the power to do more.

Only time will tell if the audit firm ecosystem will rise to this challenge, or not.

About us

Nefture is a WEB3 Cybersecurity Company that keeps your wallet safe with our Metamask Extension. Register for the beta here!

We also allow brands to tap into web3 through 360° support on their blockchain project:

We specialize in blockchain technologies to make your project come to life and cybersecurity to completely secure your web3 journey: from building Smart Contracts, Audits, Minting websites, Dapps, Discord Audits and Securing,… to Security Breaches Investigation and Management!

Start your web3 journey with us: https://agency.nefture.com/
