From Programming Bugs to Multimillion-Dollar Scams: An Analysis of Trapdoor Tokens on Decentralized Exchanges

The rapid development of Blockchain technology and the prosperity of cryptocurrency in the past decade have driven the massive demand for digital assets trading, leading to the emergence of many cryptocurrency exchange platforms. Unlike centralised exchanges (CEXs) where listed tokens and cryptocurrencies are assessed by authorities to make the secured trading environment, decentralized exchanges (DEXs) are introduced to allow users to trade their digital assets without the involvement of any third party, therefore exposing security issues and encouraging the rise of many scams and malicious tokens. In this paper, we investigate an emerging malicious token named Trapdoor, which allows users to buy but prevent them from selling and getting their funds back. The first collection of Trapdoor tokens is constructed in this study by investigating malicious behaviours and maneuvers of these tokens. After manually analysing the tokens' source code, we classify those Trapdoor tokens into different categories according to their malicious code embedding technique. Moreover, we also comprehensively analyse the impact of Trapdoor tokens, the behaviours of scammers, and the characteristics of victims from various perspective. Finally, we also implement and publish our Trapdoor token detection tool and Trapdoor maneuvers analysis reports that help in increasing awareness of investors for this kind of scam.