by leppr 1640 days ago
Interesting, it might use a flaw in the Etherscan contract verification[1]. But in any case, when you expect a honeypot you can and should execute the contract off-chain[2] and examine the resulting state (specifically your account balances) before committing a real transaction. Wallets should really do this by default, but unfortunately there doesn't seem to be a lot of resources available for common goods projects like wallets, so we are stuck with primitive tools.

[1]: Like this Unicode RLO exploit for instance: https://krebsonsecurity.com/2021/11/trojan-source-bug-threat...

[2]: https://tenderly.co or mainnet forking using hardhat are convenient ways to achieve this.


That's a great tip, thanks! I will relay it, as I don't know much about Ethereum. Can you download and redeploy the compiled contract?
This might be the same bug reported and fixed in the Ethereum pinball article I shared.
Yeah, definitely sounds very similar, at least.
Yes, you can always clone and redeploy any contract with its raw EVM code.
Thank you for this tip, which is very concretely worth 1 ETH.