Threats and Labels

Trugard has defined 6 top level categories that smart contract features fit into. The categories described below cover a broad range of "facets" that may exist within a smart contract. Facets range from interesting smart contract features that users should be aware of, to warnings regarding risk and safety for a given contract. As Trugard continually identifies new categories, and uncovers new threat patterns within the Web3 space, this list may be updated without notice.

Rugpulls are generally classified as projects that are abandoned by project founders resulting in little to no recourse for the community to recover lost funds or where the value of funds have plummeted to zero. There too is a growing trend that smart contracts are being written by bad actors to support the likelihood of a future Rugpull. Below are two examples of popular mechanisms that are often hidden within a smart contract that an unsuspecting user may not be aware of.

‍Drain - Interacting with this type of contract may result in assets being stolen from hot wallets. Drainage is an outcome of a contract reentrancy problem that is increasingly being found in rugpull contracts

‍Honeypot - These contracts pretend to leak digital assets to a victim provided the victim sends funds to the contract. Once sufficient funds have been sent by a victim, the contract deployer will often execute a rugpull leaving the victim with no recourse on recovering funds.

Asset Value Attacks are a danger to existing asset holders that have interacted with a corresponding smart contract. Assets for existing holders may see a sudden price change resulting from various manipulation technics that are at times enabled through code present within a smart contract. Even though some of these contracts may have their source code published and verified, it is often the case that these smart contracts are effectively rubber stamped, and at various stages of an assets cycle, users often do take the time to take a closer look at the contract they about to interact with. Below are two examples of mechanisms used to invoke an Asset Value Attack.

Supply manipulation - Contact deployers have the ability to mint virtually an unlimited supply of assets, as present with a hidden mint fuction, or a contract does not support multi-sig allowing for virtually no enforcement of percieved asset/contract governance.

‍Price manipulation - Flash loan attacks are one such example of price manipulation. Contracts that have this feature a acquire debt, use that debt to manipulate the price of another asset, make trades on positions made on the target asset, and then repay the debt all within a single block.

More advanced smart contracts may have the need to acquire information or data for a transaction that is not readily available within a given network. If a data set that is not managed and operated in a decentralized fashion is used, there is potential risk that a user may face. When a contract is fed off-chain on-line data that cannot be independently verified, such as pricing feeds or other “oracled” information, users may be tricked to sell or buy under artificial conditions. Using Trugards API, users are now afforded the ability practice more informed diligence when with these types of contracts are being interacted with

Modern, more sophisticated smart contracts have the ability to be upgraded over time, or upgraded to include new features and functionality. The resulting changes may improve smart contract behavior, but in some cases, behavior may deteriorate. Using the Trugad API, users are made aware of this capability, and along with our advanced feature detection, but made aware if changes introduce alter behavior one way or the other.

Many smart contracts contain administrative functionality as defined by several ERC specifications that allows contract deployers or project owners to implement defensive functionality. For example, being able to pause/unpause or lock a smart contract is a mechanism used to protect asset holders or the project community at large, and is routinely used in ERC20 and ERC721 contracts. However, these defense mechanisms can also be used to allow certain users to bypass security provisions if not implemented correctly or by design. Trugards API can be used to bring awareness of these features and alert users so they can make more informed decisions.