Risk Categories

Risk findings from the Webacy Risk Score can be largely classified into a few categories. This page describes those categories, as well as which risk tags contribute to them.

Bad Practices

key: "poor_developer_practices"

name: "Bad Practices"

description:

While these findings don't necessarily indicate malice or destructive logic, they constitute bad development practices for the smart contract.

tags:

SWC_115, SWC_118, SWC_119, SWC_123, SWC_124, SWC_125, SWC_126, SWC_127, SWC_128, SWC_129, pess_before_token_transfer, reusing_state_variable, shadowing_local, incorrect_inheritance_order, obsolete_calls, pess_event_setter, pess_only_eoa_check, pess_for_continue_increment, pess_inconsistent_nonreentrant, pess_uni_v2, pess_magic_number, pess_multiple_storage_read, pess_public_vs_external, pess_strange_setter, pess_unprotected_setter, shadowing_abstract, tautological_compare, tautology, write_after_write, boolean_cst, var_read_using_this, immutable_states, external_functions, constable_states, cache_array_length, pess_dubious_typecast


key: "contract_brickable"

name: "Brickable Contract"

description:

These findings leave the potential for the contract to be bricked: stopped with no way of starting it back up.

tags:

pess_double_entry_token_alert, SWC_124, locked_ether, suicidal, selfdestruct, incorrect_shift, controlled_array_length, return_leave, msg_value_loop, array_by_reference, unprotected_upgrade, pess_tx_gasprice, pess_dubious_typecast, pess_for_continue_increment, pess_unprotected_setter, missing_zero_check


key: "governance_issues"

name: "Contract Governance"

description:

Suspect logic in the smart contract for this asset indicates elevated governance risk. This means that the owner or creator has the ability to change elements of the smart contract that may affect the nature of your ownership of the tokens. Token scams like rugpulls typically exhibit signs of governance issues.

tags:

is_closed_source, centralized_risk_medium, centralized_risk_high, anti_whale_modifiable, is_anti_whale, slippage_modifiable, is_blacklisted, can_take_back_ownership, owner_change_balance, mint_low, mint_high, burn, pess_timelock_controller, mutable-metadata, data transfer_without_approval, privileged_burn, oversupply_minting, restricted_approval


key: "contract_issues"

name: "Contract Exploits"

gradedDescription:

  • high: Our detectors have found, with high certainty, that this smart contract has exploitable logic that can result in a loss of funds or manipulation. This is a serious risk and you should avoid interacting with this contract.

  • medium: Our detectors have found some logic in this smart contract that can cause a loss of funds if exploited. There is no immediate evidence that this logic was maliciously placed, but be careful.

  • low: Our detectors have found issues with this smart contract that may pose certain risks, but none are definitively exploitable.

tags:

encode_packed_parameters, centralized_risk_medium, centralized_risk_high, encode_packed_collision, external_dependencies, immutable_states, event_setter, reentrancy_without_eth_transfer, reentrancy_with_eth_transfer, reentrancy_with_same_effect, events_maths, k_value_error, unchecked_transfer, unsafe_modifier, for_dos, erc721_interface, unintended_arbitrage, SWC_111, SWC_112, SWC_113, SWC_117, SWC_121, SWC_122, SWC_128, SWC_130, pess_arbitrary_call, pess_arbitrary_call_with_stored_erc20_approves, pess_arbitrary_call_destination_tainted, pess_arbitrary_call_calldata_tainted, detect_integer_underflow, integer_underflow, integer_overflow, arbitrary_transfer_to, arbitrary_transfer_from, pess_call_forward_to_protected, pess_double_entry_token_alert, pess_dubious_typecast, pess_ecrecover, pess_nft_approve_warning, pess_readonly_reentrancy, pess_tx_gasprice, pess_aave_flashloan_callback, pess_unprotected_initialize, unprotected_upgrade, arbitrary_send_erc20_permit, arbitrary_send_eth, controlled_array_length, controlled_delegatecall, delegatecall_loop, incorrect_exp, incorrect_return, msg_value_loop, reentrancy_eth, return_leave, domain_separator_collision, incorrect_equality, locked_ether, mapping_deletion, divide_before_multiply, reentrancy_no_eth, tx_origin, unchecked_lowlevel, unchecked_send, uninitialized_local, pess_uni_v2


key: "contract_reported"

name: "Contract Reported"

description:

This smart contract or wallet address has been flagged in one or more databases. These flags are usually early warnings of various issues that can potentially become more serious later if not resolved.

tags:

valid_report


key: "fraudulent_malicious"

name: "fraudulent_malicious"

gradedDescription:

  • high: The smart contract/address in this transaction has been used in and is associated with confirmed fraud and malicious activity, or the asset is a known malicious token. Interacting with it may also cause your address to be marked as fraudulent.

  • medium: Elements of the smart contract in this transaction can be used in a fraudulent and malicious fashion, or the address in this transaction has been involved in some risk activity.

  • low: Properties of this transaction indicate the possibility of nefarious activity, but we have not detected anything that would constitute elevated risk.

tags:

illegal_unicode, hidden_owner, is_honeypot, honeypot_with_same_creator, is_airdrop_scam, selfdestruct, is_fake_token, mixer, fake_kyc, cybercrime, sanctioned, blacklist_doubt, financial_crime, stealing_attack, money_laundering, phishing_activities, blackmail_activities, is_blacklisted, is_whitelisted, darkweb_transactions, honeypot_related_address, malicious_mining_activities, number_of_malicious_contracts_created, exploitation, contract, minter-rugged, minter-multiple-rugged, owner-rugged, owner-multiple-rugged, update-authority-rugged, update-authority-multiple-rugged, non-transferable, not-renounce, freezeable, mintable, minted-less-than-10-minutes, minter-hacker, minter-ofac, minter-drainer, minter-fixedfloat, minter-simpleswap, minter-mixer, minter-fundflow-hacker, minter-fundflow-ofac, minter-fundflow-drainer, minter-fundflow-fixedfloat, minter-fundflow-simpleswap, minter-fundflow-mixer, owner-hacker, owner-ofac, owner-drainer, owner-fixedfloat, owner-simpleswap, owner-mixer, owner-fundflow-hacker, owner-fundflow-ofac, owner-fundflow-drainer, owner-fundflow-fixedfloat, owner-fundflow-simpleswap, owner-fundflow-mixer, update-authority-hacker, update-authority-ofac, update-authority-drainer, update-authority-fixedfloat, update-authority-simpleswap, update-authority-mixer, update-authority-fundflow-hacker, update-authority-fundflow-ofac, update-authority-fundflow-drainer, update-authority-fundflow-fixedfloat, update-authority-fundflow-simpleswap, update-authority-fundflow-mixer, impersonator: true, known-malicious-token, minted-less-than-1-hour, top-10-holders-rugged, top-10-holders-multiple-rugged, top-10-holders-hacker, top-10-holders-ofac, top-10-holders-drainer, top-10-holders-fundflow-hacker, top-10-holders-fundflow-ofac, top-10-holders-fundflow-drainer, top-10-holders-fundflow-fixedfloat, top-10-holders-fundflow-simpleswap, top-10-holders-fundflow-mixer, mutable-metadata


key: "financially_lopsided"

name: "Financially Lopsided"

description:

Components of this smart contract are flagged for having business logic that is potentially financially lopsided, meaning that you are likely to lose your funds due to a component intentionally implemented by the originator of the project's or token's smart contract.

tags:

buy_tax, sell_tax, centralized_risk_low, centralized_risk_medium, centralized_risk_high, front_running_low, front_running_medium, front_running_high, price_manipulation_low, price_manipulation_medium, price_manipulation_high, slippage_modifiable, owner_change_balance, mint_low, mint_high, burn, locked_ether, top-10-holders-own-90-percent, minter-own-90-percent, owner-own-90-percent, update-authority-own-90-percent, top-10-holders-own-50-percent, minter-own-50-percent, owner-own-50-percent, update-authority-own-50-percent


key: "improper_signature_validation"

name: "Improper Signature Validation"

description:

This contract fails to do proper signature validation and can be subject to signature reuse.

tags:

SWC_117, SWC_121, SWC_122, pess_ecrecover, pess_only_eoa_modifier


Miner Manipulable

key: "miner_manipulable"

name: "Manipulable By Validators/Miners"

description:

The logic is manipulable by MEV; if you choose to interact with it, do so with caution.

tags:

SWC_114, front_running_low, front_running_medium, front_running_high, SWC_116, SWC_120, weak_prng, timestamp


Contract Possible Drainer

key: "possible_drainer"

name: "Possible Drainer Contract"

description:

Our detectors have found that this smart contract has exploitable logic that can be used to drain funds. This is a serious risk and you should avoid interacting with this contract.

tags:

centralized_risk_medium, centralized_risk_high, external_dependencies, drainer, pess_token_fallback, pess_tx_gasprice, unchecked_lowlevel, unchecked_transfer, unchecked_send, arbitrary_send_erc20, arbitrary_send_erc20_permit, arbitrary_send_eth, pess_nft_approve_warning, minter-drainer, minter-fundflow-drainer, owner-drainer, owner-fundflow-drainer, update-authority-drainer, update-authority-fundflow-drainer, top-10-holders-drainer, top-10-holders-fundflow-drainer


Spam / Sybil

key: "address_characteristics"

name: "Spam"

description:

This address may have risk factors related to address age, number of transactions, or balance. It may be newly created, or may not sufficiently pass Webacy's KYW (Know Your Wallet) criteria.

tags:

insufficient_wallet_age, insufficient_wallet_balance, insufficient_wallet_transactions
