This article was adapted from a blog post available here.
This is a type of scam that uses the promise of “mining” rewards to lure you into depositing tokens on the platform. At first, your balance on the platform appears to grow through these rewards. This is just a ruse: the balance these dapps display is false, and the scammers have been draining your wallet whilst deceiving you into believing that your balance was actually growing.
How do fake 'mining' scams work?
The key step in executing this scam is for the malicious actor to obtain a token approval from you. This means you'll be signing a transaction that gives their smart contract (a program running on their dapp) permission to move your funds. Only then can they start to steal your funds as they intend.
Approvals are per token — so if you approve a request relating to USDT, the dapp will have permission to move that token according to its programming.
Understanding token approvals is important for staying safe in web3. Read our explainer here for more information. It's also important to note that connecting to a dapp is different to signing a token approval it suggests to you.
Luring you in
Before a scammer can get you to sign a token approval on their dapp, they need to lure you to that site in the first place.
The method for sharing the link to the dapp itself (a website) can vary significantly. Maybe it's in a Telegram group; maybe on Twitter; maybe via Instagram. It could also be in your direct messages on any platform. Whichever method they choose is not the key detail here: instead, we need to focus on what it is they're offering.
To attract you to their site, scammers promise some combination of:
- Guaranteed returns on an investment
- Free money
- Extremely high APYs (yields) in return for deposits.
This is where — they hope — your eyes will light up. Shut up and take my money! etc.
Getting your signature
No, they don't want your autograph. What they do want is the signature generated by your private key, on an approval transaction.
This is where the 'voucher' comes into play. The idea is that you hand over XYZ amount of tokens to 'buy' a voucher that gains you access to the platform, and, from there, access to the ludicrous gains that they've promised you. The catch is that the transaction the dapp suggests — which they hope you will just interpret as the voucher purchase — is actually an unlimited token approval. This gives the dapp the ability to drain your wallet of as many tokens of that type as it wants, until there are none left.
'Unlimited token approval'? What?!
This is, unfortunately, a common way for bad actors to gain access to your funds and drain them from your wallet. See the relevant section here for more information.
Draining your wallet
Once they have the unlimited token approval, the scammers have — on paper (figuratively speaking) — your permission to take as many of your tokens of that type as they want.
Often, though, they don't tend to do this straight away. The entire premise of the scam relies on the user being unaware of it taking place. To achieve this, the scammers will often slowly take funds from your wallet — using the approval you granted — whilst continuing to inflate the value of your deposit/holdings on their dapp, making you feel like you're actually gaining.
By the time you notice, it's too late.
How to stay safe
There are a few key behaviours you can adopt to prevent you falling victim to a scam like this:
- Always check what a dapp is actually requesting before clicking ‘approve’. In MetaMask, you can also adjust the amount that the dapp has access to. Even if you only provide access to 10% of your tokens, and the dapp turns out to be a scam, that’s still a considerably better outcome than if you’d granted unlimited access.
- DYOR. The best time to get in the habit of performing due diligence on any dapp before interacting with it was six months ago; the second best time is today. Look out for misspellings, low-quality images/logos, and other giveaways.
- Remember that if something seems too good to be true, it probably is. If you’re being offered 498,563% APY, you’re probably on thin ice.
- Get used to checking out any smart contract/dapp before you interact with it, potentially using our guide as a starting point.
Additionally, you might consider holding smaller sums in your software wallet (one that’s connected to the internet, such as MetaMask) whilst keeping the bulk of your tokens in a hardware wallet. For example, some recommend the rule of thumb that you should only keep a value in your software wallet that you’d be happy to carry around in your physical wallet.
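As an added example (not code from the original article or from MetaMask), the following shows what a wallet has to do with a 'voucher purchase' transaction before the user signs it: decode the ERC-20 approve() calldata, flag the unlimited allowance described above, and re-encode the call with the capped amount the list above recommends. The spender address, token balance and calldata are constructed for illustration.

```javascript
// Added example, not from the original article: inspect an ERC-20
// approve(address spender, uint256 amount) call before it is signed.
// The spender address, balance and calldata below are constructed.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the classic "unlimited" allowance

// Decode raw calldata into { spender, amount, unlimited }; throws if it is not approve().
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) {
    throw new Error("not an ERC-20 approve(address,uint256) call");
  }
  const spenderWord = hex.slice(8, 72);
  // ABI encoding left-pads a 20-byte address with 12 zero bytes.
  if (!/^0{24}/.test(spenderWord)) throw new Error("malformed spender word");
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount, unlimited: amount === MAX_UINT256 };
}

// Rate the request against the user's real balance: 2^256-1 is the usual trick,
// but any allowance above what you hold deserves the same warning.
function classifyApproval(calldata, balance) {
  const req = decodeApprove(calldata);
  const risk = req.unlimited || req.amount > balance ? "unlimited-or-exceeds-balance" : "bounded";
  return { ...req, risk };
}

// Rebuild approve() with an explicit amount, which is what adjusting the
// allowance in the wallet's confirmation screen amounts to.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Cap the allowance to a percentage of the balance (e.g. 10%, as suggested above).
function capApproval(calldata, balance, percent) {
  const { spender } = decodeApprove(calldata);
  return encodeApprove(spender, (balance * BigInt(percent)) / 100n);
}

// Constructed sample: a "voucher purchase" that is really an unlimited approval.
const SPENDER = "0x1111111111111111111111111111111111111111";
const UNLIMITED_CALLDATA = encodeApprove(SPENDER, MAX_UINT256);
const USER_BALANCE = 1_000_000_000n; // 1,000 USDT at 6 decimals

console.log(classifyApproval(UNLIMITED_CALLDATA, USER_BALANCE).risk); // unlimited-or-exceeds-balance
console.log(decodeApprove(capApproval(UNLIMITED_CALLDATA, USER_BALANCE, 10)).amount); // 100000000n
```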
- These scams work by luring you in with the promise of high rewards and tricking you into signing an unlimited token approval
- Clue up on token approvals and be wary of any app that asks for unlimited access
- If a money-making proposition seems too good to be true, it probably is.
Remember: if you think you've identified a fraudulent address, you can report it on Etherscan.
If you have any questions about this subject, feel free to head to the MetaMask Community or get in touch with Support via the 'Start a Conversation' button on the homepage of this site.