This year, Memecoin has been the focus of the crypto market and blockchain ecosystems. Since the beginning of 2024, many memecoins and memecoin launchpads such as Pump.Fun have emerged in the Solana ecosystem with astonishing growth, attracting a large number of users to participate in the issuance and trading of various memecoins. Memecoin trading in other blockchain ecos are also extremely hot, such as SunPump in the TRON ecosystem , which made a net profit of one million US dollars in just two weeks and BNB Chain launched the “Meme Innovation War Round 3”.

The problem with the memecoin craze is that users need to avoid various potential security risks. Previously, Beosin has conducted a detailed analysis of the security of memecoin launchpads, warned of the centralization risks of launch platforms such as Dexx in advance, and audited multiple Memecoin launch platforms such as Tokr.fun, Pumpup, and Pump404.

Today, we will analyze the common risks and malicious methods in memecoin from a security perspective, helping general users to master some skills to identify memecoin-related risks and avoid financial losses.

Centralization Risk

Recently, the Dexx incident reminded users to pay attention to the centralization risk of centralized platforms. In this section, we will analyze the current largest memecoin launchpad - Pump.Fun:

Through on-chain transactions, we can find that the core contract address of Pump.Fun is 6EF8rrecthR5Dkzon8Nwu78hRvfCKubJ14M5uBEwF6P. The contract code is not open source and is controlled by a multi-signature address (7gZufwwAo17y5kg8FMyJy2phgpvv9RSdzWtdXiWHjFr8).

However, if you check this multi-signature address, it is actually controlled by a single address (4zJkeipCFGvfcJvKm4TY57ED9uEdL3sBRvs8TPdZKG5Q) , which poses a single point risk.

On May 17, one of the private keys of Pump.Fun was leaked due to operational problems, resulting in a loss of $1.9 million. The management of private keys and the application of multi-signatures are particularly important in preventing single point failures.

When Pump.Fun issues memecoins, users need to mint tokens through $SOL in the “inner pool”. The token price in this process is determined by the Bonding Curve. For each memecoin, Pump.Fun will create a corresponding Bonding Curve program, in which the data fields are as follows:

The tokenTotalSupply is set to 1 billion , and virtualSolReserves, virtualTokenReserves , realTokenReserves, and realSolReserves are used as AMM parameters to calculate the token price. When other users mint 800 million tokens in the “inner pool”, the “complete” field becomes true, and then the memecoin is publicly traded in the liquidity pool created on Raydium.

Checking the data of any memecoin contract issued by Pump.Fun , we can see that the privileged address of its update authority is Pump.fun Token Mint Authority (TSLvdd1pWpHVjahSpsvCXUbgwsL3JAcvokwaKt1eokM), which is responsible for minting tokens. The “mint” field is the corresponding memecoin contract address and token info.

These memecoin contracts do not have token extension functions and are the simplest SPL tokens.

Therefore, there is no privileged address that can use Permanent Delegate, TransferFee and other functions in the token extension to do evil and cause losses to users when they participat in memecoin tradings.

$Cheems Controversy

On November 25, Binance announced the listing of $Cheems contracts. $Cheems’ price rose 35% and then plummeted more than 60% in less than a minute , causing a lot of controversy in the community.

Analyzing the $Cheems token transaction on the chain, we can find that the address of the great token selling is 0xbb8365B1BA2462ffDce9C894Ada84478f474Fefc. The address is analyzed through Beosin KYT, and the results are shown in the figure:

On November 25, the address sold 331.2 billion $Cheems in 1 minute through Pancakeswap and OKX DEX aggregator, and obtained 406.21 $BNB , and then deposited all the $BNB in the address into Binance.

Although many users question whether this address is an “insider trading”, it may be a smart money address with multiple buy and sell transactions:

Since November 18, the address has started to build a position of $Cheems, and has been selling continuously during the process. On November 18, the address first purchased about 131 billion $Cheems, and 4 hours later, it sold 41.3 billion $Cheems. On November 21, the address also withdrew 379.5 billion $Cheems from the Gate.io exchange, and 2 hours later, it sold 175.8 billion $Cheems on the chain . On November 22 and 23, there were also large purchases and partial sales. The overall flow of funds is shown in the figure below:

The relevant address in this incident is

0xbb8365b1ba2462ffdce9c894ada84478f474fefc

0x0d0707963952f2fba59dd06f2b425ace40b492fe

0xbff62cee932fe7496a88c9193e9ba3fd5eeff46d

In addition to platform risks and on-chain PVP, users may also encounter “Pixiu” scams when trading memecoins. Previously, Beosin has helped users understand this type of scam and preventive measures with cases. The following is a more comprehensive summary of memecoin-related scams:

Fake tokens

A large number of new memecoins are launched every day, and it seems that there are opportunities to get rich everywhere. In fact, there are endless imitation projects, and it is difficult for users to distinguish which one is the right token to trade.

Many memecoin deployers will copy the names and token logos of popular projects and create token contracts with the same names . Users may mistakenly enter imitation projects, or even scam platforms or honeypots because they do not carefully check the contract addresses of tokens, resulting in the inability to sell tokens.

In addition, the dispute between the crypto community and the token issuer over the capitalization of memecoin has also led to the surge and plunge of the prices of related tokens. The recent disputes and price fluctuations between $NEIRO and $neiro, $ELIZA and $eliza show the extremely high risk of memecoin. Users need to understand the relevant memecoin information, community feedback and be careful of project parties manipulating the market through news.

Restricted Selling

When users buy memecoins, they may have encountered scams like honeypots, where the purchased tokens cannot be sold or are difficult to sell. The following are common ways that scammers restrict users from selling through contract codes:

(1) Blacklist/Whitelist

The token issuer can set up a blacklist/whitelist function in the token contract to restrict token transactions . For example, if a user address is added to the blacklist, the user may not be able to call transfer() or transferFrom() in the token contract to transfer tokens.

(2) Modify balance

The token issuer can also manipulate the user’s token balance through smart contracts and change the user’s token balance to an extremely low value. If the balance update is only recorded inside the contract, the victim can still see the tokens he holds on the blockchain browser, but he cannot actually sell more tokens than the contract records. If the victim’s balance is updated on the chain, the user will find that the memecoin he purchased has decreased or even has a balance of 0.

The following is an example of Solidity code that sets the balance of a blacklisted address to 0:

In addition to the EVM ecosystem, Solana also has a similar function for modifying balances - the Permanent Delegate extension of the token program:

Permanent Delegate is Solana’s official extension of token functionality. Administrators have the right to transfer or destroy tokens at any time . Its purpose is to apply to some application scenarios, such as token recycling and stablecoin supervision. When creating a token, the creator can use the createInitializePermanentDelegateInstruction instruction to initialize the permanentDelegate.

Since the Permanent Delegate has too much authority, some hackers use this extension to issue tokens, attract users to buy their tokens, and then profit from them by destroying or transferring them:

(3) Transaction threshold

After users buy certain memecoins, they cannot sell them because there is a strict selling threshold in the contract: users are required to exceed the set number of tokens (and this number of tokens far exceeds the user’s token holdings) before they can sell or a high transaction tax must be deducted.

As shown in the code example below, the contract developer can change the amountToBurn parameter to set the transaction tax. When the parameter is set to 2, 50% of the token amount will be deducted from the user’s transaction.

Solana’s token extension also has a TransferFee function , which is used to collect taxes on each transaction of the token. To configure TransferFee, you need to set the following fields:

● Fee in basis points: The fee charged for each transfer, in basis points

● Maximum fee: The upper limit of transfer fee

● Transfer fee authority: can modify the TransferFee address

● Withdraw with held authority: The address to which the tokens with held in the token account can be transferred

Due to the existence of a transfer fee cap, the method of setting transaction taxes to implement the Pi Xiu disk in Solana is not commonly used. It is more common for users to suffer losses through token transfers or token destruction.

(4) Suspension of Trading

The issuer of the token can control the pause state of the contract in the contract to restrict the transaction of the token . Once the contract enters the pause state, the transfer function of the contract will be unavailable and users will not be able to trade.

For example, in the Solidity code example below, the transfer will only call _update to update the user balance when the contract is not in a suspended state.

(5) Minimum holding time

After a user purchases memecoin, they must hold it for a minimum period of time before they can trade it again. However, this period is set by the issuer of the token and can be modified at will. They can modify the minimum holding time to a very large value so that users cannot trade.

For example, in the following Solidity code example, the transfer must satisfy the current transfer time greater than or equal to the user’s last update time + the delay time set in the contract.

Unique fees

After users purchase memecoin, no fee will be charged when trading with other users. However, when selling through DEX (such as Uniswap), a handling fee will be charged. In addition to selling, the income of users adding liquidity or participating in staking will also be affected.

For example, in the Solidity code example below, token transactions will be taxed only when the to address is a contract address.

Or the handling fee is not deducted from the transfer amount, but is additionally reduced from the sender’s balance. If this method is not handled properly, it will seriously affect the price in DEX and cause the token value to return to zero.

Issuance of additional tokens

Issuing additional tokens is a common way to implement Rug Pull. Because the owner of the token contract or the privileged address has the right to mint coins, they can make a profit by issuing additional tokens and selling them. This is a common potential risk in the EVM ecosystem, Solana, and TON. The following is the mint function of a Jetton token of TON, which has an additional issuance mechanism:

Centralized Token Distribution

The problem of token distribution centralization is a common risk in blockchain projects. Most of the token supply is controlled by the project team, which can manipulate key decisions in on-chain governance through token voting or manipulate market prices through large-scale transactions to affect users’ assets.

As shown in the Solidity code below, when the token is deployed, the total amount of all tokens will be allocated to the deployer of the contract.

Proxy upgrade

The proxy upgrade mode used in token contracts is a common smart contract design mode. It can realize the upgrade of logic through proxy contracts without changing the data structure of storage contracts. Although this mode brings flexibility, it also has some potential risks and hazards. The issuer of the token can change the contract logic at will, resulting in the loss or theft of the token holder’s assets.

As shown in the Solidity code below, the Admin of the contract can modify the address of the contract implementation. Once it is modified to an incorrect contract or even a malicious contract, it will lead to the loss or theft of user assets.

How to avoid scams?

There are endless scams in the Memecoin craze. If users are not careful, they are likely to fall into related scams and lose their funds. Therefore, the Beosin security team recommends users to:

1. Be rational about Memecoin’s get-rich-quick effect and KOL publicity effect. After a new token is listed on DEX, users need to remain rational, avoid FOMO, and avoid blindly following the trend.

2. Don’t trust “inside information” or “confidential information .” These are usually scams that set traps to lure users into taking risks and investing without screening and researching the information.

3. Before purchasing tokens, users should check the following key points:

● Is the token contract open source?

● Is there an audit report?

● Is there a blacklist/whitelist mechanism?

● Is there a transaction tax? How is the transaction tax collected?

● Is there a pause mechanism?

● Whether there are special mechanisms such as limiting transaction volume, minimum holding amount, shortest holding time, etc.

● Are the functions that the contract owner can call too high?

● Whether the contract uses the proxy mode

● How to manage the owner rights of the contract, whether to over-sign or give up

Beosin has previously conducted detailed security audits on multiple memecoin launch platforms and token contracts, including Tokr.fun, Pumpup, and Pump404, to ensure the security of their contract codes, the correctness of business implementation logic, and the security of project and user funds.

1. Many trading platforms and risk monitoring tools will list token contract detection items for users. Referencing this information will help users improve the accuracy of identifying scams. Users can refer to the detection results of multiple security tools before trading . The following are commonly used risk detection tools:

● Honeypot: https://honeypot.is/

● Token Sniffer: https://tokensniffer.com/

● OKX: https://www.okx.com/zh-hans/web3/dex-market

● GoPlus: https://gopluslabs.io/token-security

● De.Fi: https://de.fi/scanner

● Beosin Alert: https://chromewebstore.google.com/detail/beosin-alert/lgbhcpagiobjacpmcgckfgodjeogceji

Summary

In this article, we summarize the common ways of memecoin-related scams. From this, we can see that although memecoin is full of opportunities and possibilities, it is also accompanied by various traps. Users must maintain a high degree of vigilance and caution in memecoin transactions to reduce the risk of capital loss. In the world of Web3, security always comes first.

Disclaimer:

1. This article is reprinted from [Beosin]. All copyrights belong to the original author [Beosin]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.