Analyzing a Scammer's "Uniswap Front Run Bot" Malicious Code

Ramon RoyoRamon Royo
3 min read

Table of contents

TL;DR: I analyze a "front running bot" code, build to scam people into believing they'll get passive income, when in reality they'll lose their funds.

A generous chap

Yesterday I saw a tweet on my feed, someone was "denouncing" a user for taking advantage of a Uniswap weakness. They linked a Medium post.

I clicked. There the author explained how he had made $500K in 5 months, front running on Uniswap.

The term “front-running” refers to the process when someone uses technology or market advantage to get prior knowledge of upcoming transactions.

He linked a YouTube video, on which he explained how to deploy his contract and oh, he was giving it away for free.

Reading the Code

I got my copy. I was ready to binge on it. Trying to understand, from my current limited Solidity knowledge, what was going on.

Oh boy... here's what I found out.

The code is a convoluted piece, that tricks the eyes of the unknowing into thinking that it does what they say in the video. Making passive income.

Once you go deep knees into it, it gets clear it doesn't.

It just builds the scammers' address piece by piece, from one function call to another.

The final and only real move, is that the deployer's crypto will be stolen once they run the contract.

This is just a glimpse of what their Uniswap "bot" is doing. They have another "bot" in that YouTube channel, I guess it does something similar:

  • getMemPoolDepth and getMemPoolOffset ONLY return a constant int, the scammers' address is built bit by bit
  • parseMemoryPool, dev comments say parsing all uniswap mempool, in reality it just returns an address
  • checkLiquidity, convoluted code to just return a string
  • mempool, same, returns a string, dev comment says it loads all Uniswap mempool into memory, untrue!

Also and most importantly, these lines wipe the crypto from the victim's wallet:

(_callFrontRunActionMempool()).transfer(address(this).balance);

payable(withdrawalProfits()).transfer(address(this).balance);

These literally say transfer this account balance to the scammers' account.

These are in the start and withdrawal functions. Both lines end up returning the same function:

return parseMemoryPool(callMempool());

This function, after some tangled up code, returns the scammers' address.

Deploying the Contract on a Testnet

Out of curiosity I modified the code a little bit, deployed and verified it. You can check it here.

This is the current scammers' address:

0x3493b450BcfC8a30f4864dd32830a737E3F0131f

I guess they have changed it a few times, this particular scam has been running for at least 3 months now.

The Sad Conclusion

The rabbit hole goes deep on these scam schemes. There are many videos on YouTube promoting them and they seem legit, with lots of views, votes and comments.

Even though doing a search for "front running scams" on YouTube, reveals lots of videos that explain this kind of scams, far too many poor souls have fallen for it and continue doing so every day.

The one I've found has scammed more than 9 ETH in 24h at the time of this writing. I've seen wallets with more than $250K in stolen funds.

Acknowledgments

Patrick Collins, Web3 advocate and author of the world's best and free! Blockchain, Solidity, and Full Stack Web3 Development with JavaScript course.

Antonio Ufano for his ideas and guidance and telling me how important is to build in public.

Thanks for taking the time to read so far. Have a wonderful day!

0
Subscribe to my newsletter

Read articles from Ramon Royo directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Soliditycrypto scamsbot

Written by

Ramon Royo
Ramon Royo