One of the most exciting things about the Ethereum ecosystem is how it is absolutely exploding with tokens and new projects, all the time. Not all those projects are created in good faith, and even those that are can have some unintended consequences you should be aware of.
Keep the following token safety practices in mind on the decentralized web:
- Anyone can mint a token and name it any way they like. This means there are many malicious tokens disguised as popular tokens, so double-check that the token you're about to swap is the one you mean to swap. One way to ensure this is to verify the token address.
- Risk of loss: token prices fluctuate, so the value of a token could drop dramatically after you acquire it. This means that before you acquire a token, you need to do some research. One thing to consider is the longevity of the project or asset: has it been around for a significant amount of time, or is it something that appeared out of nowhere and is skyrocketing in value?
Scammer Spotlight: Rugpulls
Traditional scams such as pyramid schemes have made their way into the decentralized economy, and are often referred to as rugpulls: when the creator(s) of a token hype up their project and quickly invest a lot of liquidity into the token in order to create eye-catching growth, only to pull all value out of the token once they reach their goal value, leaving investors who didn't know the "dump" was coming with nothing. Simply put, do your due diligence and only invest in projects that you trust.
- Some projects do not have customer support. This is due to the decentralized nature of the ecosystem: if a project runs based on a set of programmatic protocols, there may be no one keeping track of user accounts, problems, etc. In such cases, look to see if the project has a community on GitHub, Discord, Slack or another platform where you may be able to find more information.
- A common practice in the ecosystem is airdropping. Again, this often happens around the launch of a project, when the project's proponents are trying to generate interest — the 'airdrop' itself consists of gifting any number of tokens to any number of Ethereum wallet addresses. This means you could end up with tokens that you don't know about; even in this case, exercise due caution if you intend on transferring, spending, or cashing out the tokens. Just because you didn't pay for a token, and someone dropped them into your wallet, doesn't mean you should blindly use them. Make sure you understand the token and what you're going to do with it.
Featured Phishers: Airdrop Scams
Airdrops have been around for a long time (in blockchain time, that is), and while they have plenty of legitimate uses, they can be used to artificially create interest in a non-meritorious project (see the Rugpulls section above) or, more nefariously, can be used to phish unwary users.
If you see some tokens in your wallet that you didn't buy, say on Etherscan, don't immediately jump to swap them; do some research first. A common setup for an airdrop scam is that the tokens won't swap — instead, the token will reroute the user to a website where they have to enter personal information, even their Secret Recovery Phrase, in order to allegedly cash out their tokens.
Don't give your Secret Recovery Phrase to anyone or any website, even one that is promising you tokens or cryptocurrency in return.
For an example of how one of these scams works, here's a helpful video.
We recommend you keep a close eye on the tokens associated with your account(s); for more information on adding tokens, and managing them, see here. If you do have scam tokens airdropped to your account, just leave them there; as we've indicated, often it's trying to do something with the tokens that ends up hurting you.
We have a more in-depth article on rugpulls and airdrop scams available here.