
How to Perform Smart Contract Vulnerability Scan with Bitquery​

Smart Contract
Blockchain
Threat Analysis

In this article we explore the key metrics to consider when analysing a token's smart contract: mint and burn functions, token creation date, liquidity, blacklist functionality, token holder distribution and dump risk.

Why Perform Smart Contract Vulnerability Checks?

Immediate Financial Loss

  • Direct Theft: Attackers can steal funds directly if they exploit a vulnerability such as an unchecked external call, causing significant and immediate financial loss. Set up a monitoring system that uses Bitquery's real-time calls and events feeds to keep an eye on your smart contracts, so that suspicious calls are spotted and mitigated early.

  • Devaluation: The token or asset associated with the compromised smart contract might devalue quickly as investors lose confidence.

Long-Term Credibility Damage

  • Loss of Trust: Users' trust is hard to gain and easy to lose. A security breach can lead to a permanent loss of trust in the protocol and its developers.

  • Reputational Damage: The project's reputation may suffer significantly, which can deter new users and investors from adopting the technology or investing in the project.

  • Investor Relations: Existing investors might pull out their support, and attracting new investment could become more challenging.

  • Community Support: The open-source community and broader ecosystem may become less willing to contribute or support the project after a security incident.

Legal and Regulatory Consequences

  • Regulatory Scrutiny: A smart contract attack could attract unwanted attention from regulators, leading to fines or other legal actions.
  • Lawsuits: Affected parties may file lawsuits against the project team, leading to additional financial and reputational damage.

How to Perform Smart Contract Vulnerability Analysis?

In this blog, we'll perform a thorough smart contract analysis using Bitquery APIs, taking a few tokens as examples.

Token JRFnd

Let's take a look at JRFnd. Using Bitquery's APIs, we can analyze JRFnd's smart contract functions and events, identify potential vulnerabilities, and explore its tokenomics.

Token Address: 0x03dbf1c1084fdab7924a6ae0534211ee1a9015c7

Minting

Minting refers to the creation of new tokens within a smart contract. This can be done either by the contract owner or through pre-defined conditions in the code.

Bitquery's call data shows no mint function on this contract, so no address can mint new JRFnd tokens after deployment and the supply is fixed. Note that this check looks for a function named mint; a privileged function under another name that increases balances would not be caught by the name alone, so confirm the result against the verified source or ABI.

Run the query here.

Burning

Burning is the opposite of minting, where tokens are permanently removed from circulation. This can be done by sending tokens to a burn address or through specific functions in the smart contract code

This token does not have a burn function, so tokens cannot be burned through the contract itself. Holders can still send tokens to the zero address to take them out of circulation, which shows up on-chain as an ordinary transfer to that address. Run the query here.

Date of Creation

The date of creation for this token is 2023-05-22. This token, being relatively new, may be susceptible to price manipulation. Run the query here.

Token Liquidity

Run the query here.

The query returns the number of transfers and the total amount transferred per day. Both are proxies for trading activity rather than a direct measure of pool depth, but they show how thin or active the market is on a given day. Here are some conclusions regarding the liquidity:

  • Volume Variation: There is a significant variation in daily trading volumes. For example, on "2023-05-26" there were 408 transfers with a total amount of 442,091,569,689.004, while on "2023-06-20" there was only 1 transfer with an amount of 1,216,097,281.9060373. Such variations indicate fluctuating liquidity.

  • Higher Liquidity Days: Days with higher transfer counts and amounts, like "2023-05-23" and "2023-05-25", suggest higher liquidity. More transfers and larger amounts indicate a more active and liquid market.

  • Lower Liquidity Days: Days with lower transfer counts and amounts, such as "2023-06-20" and "2023-07-02", suggest lower liquidity. A single or a few transfers with relatively small amounts indicate low trading activity.

  • High-Volume Events: Specific events, such as "2023-08-21" with three transfers totalling 1,736,113,800,668.7559, represent a few very large transactions that can move the price sharply on an otherwise quiet day.

The variability in transfer counts and amounts across days points to unstable liquidity, and the days with one or two very large transfers are the ones to examine for whale movements.

Fig: Liquidity Analysis on the basis of Date and Transfer Count
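The day-by-day classification above is easy to automate. The following Python module, an added example rather than the article's or Bitquery's own code, scores each day's row as active, quiet or whale-day from its transfer count and average transfer size; the same function applies to the XBOT and LOTTO liquidity data later in the article. The GraphQL query text and the response shape are assumptions about Bitquery's v1 `transfers` schema, and the sample rows are constructed (three reuse JRFnd figures quoted here, two are invented) so that the module runs offline.

```python
"""Daily transfer-activity scan for an ERC-20 token (added example)."""
from statistics import median

# Assumed Bitquery v1 GraphQL query; verify field names in the Bitquery IDE.
TRANSFERS_BY_DAY = """
query ($token: String!, $since: ISO8601DateTime) {
  ethereum(network: ethereum) {
    transfers(currency: {is: $token}, date: {since: $since}) {
      date { date }
      count
      amount
    }
  }
}
"""

# Constructed sample rows in the assumed response shape.
# 2023-05-26, 2023-06-20 and 2023-08-21 use the article's JRFnd figures;
# 2023-05-23 and 2023-07-02 are invented filler.
SAMPLE_ROWS = [
    {"date": {"date": "2023-05-23"}, "count": 350, "amount": 300_000_000_000.0},
    {"date": {"date": "2023-05-26"}, "count": 408, "amount": 442_091_569_689.004},
    {"date": {"date": "2023-06-20"}, "count": 1, "amount": 1_216_097_281.906},
    {"date": {"date": "2023-07-02"}, "count": 2, "amount": 900_000_000.0},
    {"date": {"date": "2023-08-21"}, "count": 3, "amount": 1_736_113_800_668.756},
]


def classify_days(rows, low_count=3, whale_ratio=10.0):
    """Tag each day as 'active', 'quiet' or 'whale'.

    quiet  : at most `low_count` transfers, i.e. thin activity.
    whale  : at most `low_count` transfers but the average transfer is more
             than `whale_ratio` times the median daily average, i.e. a few
             very large moves (the 2023-08-21 pattern in the article).
    active : everything else.
    The thresholds are assumptions; tune them per token.
    """
    per_day = [
        (r["date"]["date"], r["count"],
         r["amount"] / r["count"] if r["count"] else 0.0)
        for r in rows
    ]
    med_avg = median(avg for _, _, avg in per_day) if per_day else 0.0
    tags = {}
    for date, count, avg in per_day:
        if count <= low_count and med_avg and avg > whale_ratio * med_avg:
            tags[date] = "whale"
        elif count <= low_count:
            tags[date] = "quiet"
        else:
            tags[date] = "active"
    return tags


def activity_spread(rows):
    """Ratio of the busiest day's transfer count to the quietest day's.

    A large ratio is the 'fluctuating liquidity' signal the article describes.
    It measures on-chain activity, not DEX pool depth.
    """
    counts = [r["count"] for r in rows]
    return max(counts) / max(min(counts), 1)


if __name__ == "__main__":
    for day, tag in sorted(classify_days(SAMPLE_ROWS).items()):
        print(day, tag)
    print("busiest/quietest day ratio:", activity_spread(SAMPLE_ROWS))
```

Transfer counts and amounts are proxies for activity, not for pool depth; to measure liquidity proper, query the DEX pair's reserves alongside these daily figures.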

Blacklist Function

The contract exposes no blacklist function or event, so every wallet address, regardless of its history, can transfer the token freely; there is no mechanism to bar specific addresses from transferring. Bear in mind that transfer restrictions are sometimes implemented under other names (anti-bot lists, for example), so search for those variants as well. Run the query here.

Token Holders

Tracking the distribution and activity of token holders provides valuable information about demand for a token and its overall health. We will use Bitquery's token holder API to list the largest holders (whales). Run the query here.

Here are some observations based on the data:

  • Holder: 0x9d85f9295915ccc20fe7a15a2953843257b2640a

Balance: 797B

  • Holder: 0x03dbf1c1084fdab7924a6ae0534211ee1a9015c7 (the token contract itself)

Balance: 142B

  • Holder: 0x2716aacf237f94534d617551f61880def72a8d14

Balance: 3B

  • Holder: 0x27b759fa2a620587d0e48fb34894ececbf265be6

Balance: 3B

  • Holder: 0x24a9ec3efd3baf121546fb51f23031e95178444a

Balance: 3B

A small number of top holders dominate ownership. The largest holder (0x9d85f9295915ccc20fe7a15a2953843257b2640a) holds 797B tokens, more than five times the next-largest balance, and that second balance (142B) sits in the token contract itself rather than in a wallet. The top 10 holders collectively hold a significant share.

Dump Risk

The holder list above is the input for the dump-risk assessment: the larger the share held by a few entities, the greater the price impact if those entities sell a significant portion of their holdings, and hence the higher the dump risk. For JRFnd the single largest wallet, with 797B tokens, exceeds all the other listed balances combined, so a sale by that one address alone could move the market substantially.

Other Important Functions

The contract emits other events that matter for the risk picture, most of them signalling owner-controlled settings:

  • MarketingWalletChanged Event: emitted when the marketing wallet address in the contract is changed, i.e. the destination of collected fees can be redirected by the owner.

  • ExcludeFromFees Event: emitted when a specific address is excluded from (or re-included in) fees.

  • StakingAddressChanged Event: emitted when the staking address in the contract is changed.

  • OwnershipTransferred Event: emitted when ownership moves between two addresses. A transfer to the zero address means ownership was renounced; any other transfer means a privileged owner still exists.

  • UpdateFees Event: emitted when the fees are updated, with two uint256 parameters. Fees that the owner can raise at will are a classic way to trap holders, so check whether the contract caps these values.

  • SwapAndSendMarketing Event: emitted when collected fees are swapped and sent to the marketing wallet.

  • Approval Event: the standard ERC-20 event emitted when an owner approves a spender for a uint256 amount.

  • Transfer Event: the standard ERC-20 event emitted when tokens move between addresses, with the uint256 amount.

Run the query here.
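The mint, burn, blacklist and event checks above all reduce to listing the method and event names observed on the contract and classifying them. The Python module below is an added example, not the article's or Bitquery's own code; it also applies unchanged to the XBOT and LOTTO checks later in the article. The GraphQL text, endpoint and API-key header are assumptions about Bitquery's v1 API, so `run_query` is shown for completeness and is not exercised offline; the event names in the sample mirror the JRFnd list above, while the counts and method names are invented.

```python
"""Function and event scan for an ERC-20 contract (added example)."""
import json
import urllib.request

BITQUERY_V1 = "https://graphql.bitquery.io"  # assumed v1 endpoint

# Assumed Bitquery v1 queries; check field names in the Bitquery IDE.
CONTRACT_METHODS = """
query ($contract: String!) {
  ethereum(network: ethereum) {
    smartContractCalls(smartContractAddress: {is: $contract}) {
      smartContractMethod { name }
      count
    }
  }
}
"""
CONTRACT_EVENTS = """
query ($contract: String!) {
  ethereum(network: ethereum) {
    smartContractEvents(smartContractAddress: {is: $contract}) {
      smartContractEvent { name }
      count
    }
  }
}
"""

# Name families, compared lower-cased. Blacklist-style controls appear under
# many names, so those are matched by substring rather than exact alias.
MINT_ALIASES = {"mint", "mintto", "issue"}
BURN_ALIASES = {"burn", "burnfrom"}
BLACKLIST_HINTS = ("blacklist", "blocklist", "setbots", "isbot", "blockaccount")
PRIVILEGED_EVENTS = {
    "OwnershipTransferred", "RoleGranted", "UpdateFees", "ExcludeFromFees",
    "MarketingWalletChanged", "StakingAddressChanged",
}


def run_query(query, variables, api_key):
    """POST a GraphQL query to Bitquery v1 (assumed endpoint and header)."""
    body = json.dumps({"query": query, "variables": variables}).encode()
    req = urllib.request.Request(
        BITQUERY_V1, data=body,
        headers={"Content-Type": "application/json", "X-API-KEY": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def event_counts(response):
    """Flatten the assumed smartContractEvents response into {name: count}."""
    rows = response["data"]["ethereum"]["smartContractEvents"]
    return {r["smartContractEvent"]["name"]: r["count"] for r in rows}


def scan(method_names, events):
    """Classify observed method names and event counts.

    A name that is absent was not *observed* in calls; that does not prove
    the bytecode lacks the capability. Pair this with an ABI/source review.
    """
    lowered = {m.lower() for m in method_names}

    def hits(family):
        return sorted(m for m in method_names if m.lower() in family)

    blacklist = sorted(
        m for m in method_names if any(h in m.lower() for h in BLACKLIST_HINTS)
    )
    return {
        "can_mint": bool(lowered & MINT_ALIASES),
        "mint_methods": hits(MINT_ALIASES),
        "can_burn": bool(lowered & BURN_ALIASES),
        "burn_methods": hits(BURN_ALIASES),
        "has_blacklist": bool(blacklist),
        "blacklist_methods": blacklist,
        "privileged_events": {e: n for e, n in events.items() if e in PRIVILEGED_EVENTS},
        "fees_adjustable": "UpdateFees" in events,
    }


# Constructed sample response in the assumed shape: JRFnd event names from
# the article, counts invented.
JRFND_EVENTS_RESPONSE = {"data": {"ethereum": {"smartContractEvents": [
    {"smartContractEvent": {"name": n}, "count": c} for n, c in [
        ("MarketingWalletChanged", 1), ("ExcludeFromFees", 4),
        ("StakingAddressChanged", 1), ("OwnershipTransferred", 1),
        ("UpdateFees", 2), ("SwapAndSendMarketing", 120),
        ("Approval", 900), ("Transfer", 4100),
    ]
]}}}
# Invented method names for a contract like JRFnd (no mint/burn/blacklist).
JRFND_METHODS = ["transfer", "approve", "transferFrom", "updateFees",
                 "excludeFromFees", "changeMarketingWallet", "renounceOwnership"]
# Invented second sample: a contract that can mint and block wallets.
RESTRICTED_METHODS = ["transfer", "mint", "addToBlacklist", "setBots"]

if __name__ == "__main__":
    print(json.dumps(scan(JRFND_METHODS, event_counts(JRFND_EVENTS_RESPONSE)), indent=2))
    print(json.dumps(scan(RESTRICTED_METHODS, {}), indent=2))
```

To run it against a live contract, call `run_query(CONTRACT_METHODS, {"contract": address}, api_key)` and `run_query(CONTRACT_EVENTS, ...)`, feed the event response through `event_counts` and the method names through `scan`; treat a clean result as a prompt for source review, not as proof.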

Token XBOT

We will now review the list of metrics for the XBOT token.

Token: 0x53Bf63239B8C6354b81a8D235fB08e32FFBF22a9

Minting

The contract does have a mint function, but it is restricted: only authorised addresses can call it (see the RoleGranted events below), which limits misuse. The supply is therefore not fixed, so monitor which addresses hold the minting role. Run the query here.

Burning

No burns were detected: there are no transfers of tokens to the zero address or to another address from which they would become inaccessible and be taken out of circulation. Run the query here.

Date of Creation

The date of creation for this token is 2023-07-28. This token, being relatively new, may be susceptible to price manipulation. Run the query here.

Token Liquidity

  • High Liquidity Days:

    • "2023-07-31" has a substantial number of transfers (7941) and a large total amount transferred (5,009,855,331,782.006), indicating high liquidity on this day.
    • "2023-08-01" also shows a significant number of transfers (2337) and a substantial total amount transferred (1,904,680,559,603.0498), suggesting continued high liquidity.
  • Decrease in Liquidity: As we move forward in time, the number of transfers and total amounts decrease, indicating a potential decrease in liquidity. For example, "2023-08-02" has fewer transfers and a lower total amount compared to the previous days.

  • Spikes in Liquidity: There are occasional spikes in liquidity, such as on "2023-08-28" with 8 transfers but a substantial total amount transferred (46,673,991,672.497635).

  • Low Liquidity Days: Days like "2023-11-02" and "2023-09-11" have a lower number of transfers and relatively small total amounts, suggesting lower liquidity on these days.

Run the query here.

In summary, the liquidity of the token appears to vary over time. Days with a high number of transfers and large total amounts suggest high liquidity, while days with fewer transfers and smaller total amounts may indicate lower liquidity. It's important to consider these observations in the context of the overall market conditions and any specific events that might have influenced liquidity.

Fig: Liquidity Analysis on the basis of Date and Transfer Count

Blacklist Function

Run the query here.

The contract exposes no blacklist function or event, so every wallet address, regardless of its history, can transfer the token freely; there is no mechanism to bar specific addresses from transferring. As before, also search for restrictions implemented under other names.

Token Holders

Run the query here.

  • Holder: 0x434a722696C04bc32b06CeC805ce8323E43AFf28

Balance: 894.6B

  • Holder: 0x120051a72966950B8ce12eB5496B5D1eEEC1541B

Balance: 22.9B

  • Holder: 0x6635eCB26290fc4BbA9517314d32BA8E0758aAE1

Balance: 10.1B

  • Holder: 0x53Bf63239B8C6354b81a8D235fB08e32FFBF22a9 (the token contract itself)

Balance: 8.8B

  • Holder: 0x08E25298f4401dB8782a93761293e6a2ec9b9409

Balance: 8.6B

The total supply of the token is 1 trillion (1T). The top 10 holders collectively own 95% of the total supply, and the single largest holder (0x434a722696C04bc32b06CeC805ce8323E43AFf28) alone holds 894.6B tokens, about 89% of supply, so it can move the price as it wishes. The 8.8B balance at 0x53Bf63239B8C6354b81a8D235fB08e32FFBF22a9 is held by the token contract itself. The owner's holdings are negligible (≈0.001% of the total supply), as are the creator's.

Dump Risk

The holder list above drives the dump-risk assessment: the larger the share held at a few addresses, the greater the price impact if those holders sell a significant portion, and hence the higher the dump risk. With one address holding roughly 89% of XBOT's supply, the dump risk is high: a single seller could crash the price.
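Concentration and dump risk can be quantified rather than eyeballed. The module below is an added example, not the article's or Bitquery's own code, and serves the JRFnd, XBOT and LOTTO holder sections alike. It computes each holder's share of supply, sets aside balances that cannot be dumped by a wallet (the token contract's own balance and burn addresses), labels the risk, and adds the check a practitioner wants next: how far a large holder's sale would push the price in a constant-product DEX pool. The query text is an assumption about Bitquery's v2 `TokenHolders` schema; the holder rows are constructed from the XBOT figures quoted above, and the pool reserve used in the usage is invented.

```python
"""Holder concentration and dump-risk estimate for an ERC-20 token (added example)."""

ZERO = "0x0000000000000000000000000000000000000000"
DEAD = "0x000000000000000000000000000000000000dead"

# Assumed Bitquery v2 (EAP) query; verify field names before use.
TOP_HOLDERS = """
query ($token: String!, $date: String!) {
  EVM(dataset: archive, network: eth) {
    TokenHolders(tokenSmartContract: $token, date: $date,
                 limit: {count: 10}, orderBy: {descending: Balance_Amount}) {
      Holder { Address }
      Balance { Amount }
    }
  }
}
"""

XBOT_CONTRACT = "0x53Bf63239B8C6354b81a8D235fB08e32FFBF22a9"
XBOT_TOTAL_SUPPLY = 1_000_000_000_000  # 1T, as stated in the article

# Constructed rows in the assumed response shape, mirroring the article's
# top-5 XBOT holders (Balance.Amount is a decimal string, already scaled
# by the token's decimals).
XBOT_HOLDERS = [
    {"Holder": {"Address": "0x434a722696C04bc32b06CeC805ce8323E43AFf28"},
     "Balance": {"Amount": "894600000000"}},
    {"Holder": {"Address": "0x120051a72966950B8ce12eB5496B5D1eEEC1541B"},
     "Balance": {"Amount": "22900000000"}},
    {"Holder": {"Address": "0x6635eCB26290fc4BbA9517314d32BA8E0758aAE1"},
     "Balance": {"Amount": "10100000000"}},
    {"Holder": {"Address": XBOT_CONTRACT}, "Balance": {"Amount": "8800000000"}},
    {"Holder": {"Address": "0x08E25298f4401dB8782a93761293e6a2ec9b9409"},
     "Balance": {"Amount": "8600000000"}},
]


def concentration(rows, total_supply, token_contract):
    """Per-holder share of supply, with non-sellable balances set aside.

    Tokens held by the token contract itself (collected fees) or by a burn
    address cannot be dumped by a wallet, so they are reported but excluded
    from `top1_share` and `top_n_sellable_share`.
    """
    excluded = {token_contract.lower(), ZERO, DEAD}
    holders, sellable = [], 0.0
    for r in rows:
        addr = r["Holder"]["Address"]
        share = float(r["Balance"]["Amount"]) / total_supply
        skip = addr.lower() in excluded
        holders.append({"address": addr, "share": share, "excluded": skip})
        if not skip:
            sellable += share
    top1 = max((h["share"] for h in holders if not h["excluded"]), default=0.0)
    return {"holders": holders, "top1_share": top1, "top_n_sellable_share": sellable}


def dump_risk(top1_share, top_n_share):
    """Coarse label; the thresholds are assumptions, not an industry standard."""
    if top1_share >= 0.5 or top_n_share >= 0.7:
        return "high"
    if top_n_share >= 0.4:
        return "medium"
    return "low"


def price_drop_fraction(sell_amount, pool_token_reserve):
    """Spot-price drop from selling into a fee-less constant-product pool.

    With reserves (T, Q), selling `a` tokens moves the pool to
    (T + a, Q*T/(T + a)), so the price falls by 1 - (T / (T + a))**2.
    Dump risk therefore depends on holder size relative to pool depth,
    not only on share of total supply.
    """
    t = pool_token_reserve
    return 1.0 - (t / (t + sell_amount)) ** 2


if __name__ == "__main__":
    c = concentration(XBOT_HOLDERS, XBOT_TOTAL_SUPPLY, XBOT_CONTRACT)
    print("top holder share: %.4f" % c["top1_share"])
    print("risk:", dump_risk(c["top1_share"], c["top_n_sellable_share"]))
    # Invented pool depth: 50B XBOT in the DEX pair; top holder sells 10%.
    drop = price_drop_fraction(0.1 * 894_600_000_000, 50_000_000_000)
    print("price drop if top holder sells 10%%: %.1f%%" % (100 * drop))
```

The price-impact figure is the one to quote in a report: a holder with 89% of supply selling a tenth of their stake into a pool that holds 5% of supply would cut the spot price by more than 85%, which says more about dump risk than the supply share alone.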

Other Important Functions

The contract has other important functions that we need to know about. Run the query here.

  • RoleGranted Event: emitted when a role is granted within the contract. The low count (3) suggests few role changes.

  • High Transfer Count: The large number of Transfer events (12,318) indicates active trading or token movement. A sudden, significant increase in transfers from large holders would be the first sign of a dump, so this count is worth tracking over time rather than as a single number.

  • Frequent Approval Actions: The high count of Approval events (2,210) suggests users are interacting frequently with DApps or other contracts, presumably for token-related activity. This is not inherently indicative of dump risk, but it is worth understanding which spenders are being approved.

  • Role Changes and Ownership Transfers: The infrequent RoleGranted and OwnershipTransferred events (three each) suggest stability in roles and ownership. This is positive for governance, with the caveat that the restricted mint capability noted above still exists and the addresses holding that role should be identified.

Token LOTTO

We will now review the list of metrics for the LOTTO token.

Token: 0x26F0d12C521EAc43007c7E6A49cB4503399d5070

Minting

The contract does not have a mint function, so no address can mint new LOTTO tokens and the supply is fixed. Run the query here.

Burning

This token does not have a burn function, so tokens cannot be burned through the contract itself; holders can still send tokens to the zero address to take them out of circulation. Run the query here.

Date of Creation

The date of creation for this token is 2023-05-22. This token, being relatively new, may be susceptible to price manipulation. Run the query here.

Token Liquidity

Run the query here.

  • High Liquidity Indicators: On "2023-05-26" and "2023-05-25," there is a relatively high number of transfers (242 and 184, respectively) and larger total amounts transferred (approximately 82.8 million and 73 million, respectively). Higher numbers of transfers and larger amounts generally suggest higher liquidity.

  • Low Liquidity Indicators: On some dates, there are fewer transfers and smaller amounts, for example, on "2023-06-04" with only 1 transfer and approximately 61,851.95. Lower numbers of transfers and smaller amounts may indicate lower liquidity.

On some days there is notable activity and larger amounts transferred, indicating higher liquidity, while on other days activity is low, suggesting lower liquidity. Liquidity is therefore variable.

Fig: Liquidity Analysis on the basis of Date and Transfer Count

Blacklist Function

The contract exposes no blacklist function or event, so every wallet address, regardless of its history, can transfer the token freely; there is no mechanism to bar specific addresses from transferring. As before, also search for restrictions implemented under other names. Run the query here.

Token Holders

Run the query here.

  • Holder: 0x5EEF8822646108a6f6Ed24D5254Df9197F8D07aE

Balance: 5M

  • Holder: 0x7BFeF0e6d6B5Cdbd1Db6Bb1b94c303FD7F650FA9

Balance: 1.35M

  • Holder: 0xE26cd9C267B002C9DfBd3e933145F09fe2C36968

Balance: 1.34M

  • Holder: 0x7439C59A7A176C05ECAAC2F73B6B8A5D853D7E4D

Balance:1.34M

The total supply of the token is 100 million. The top 10 holders collectively possess 74% of the total token supply. The owner's holdings are approximately 0.001% of the total supply and the creator's 5.3%. Note that the balances listed above sum to well under 74% of a 100 million supply; before computing concentration from holder balances, confirm that the balances and the total supply are expressed in the same units, i.e. both after applying the token's decimals.

Dump Risk

The holder list above drives the dump-risk assessment. The top 10 holders collectively possess 74% of the total supply, so if they sell, the price will move sharply downward and the remaining holders face a high dump risk.

In this blog, we have explored the process of conducting a smart contract threat scan using Bitquery APIs by analysing three different smart contracts. We have seen how tokenomics and token holder distribution can indicate the potential for growth or decline of a token, and we have noted the role of regular auditing and continuous monitoring of calls and events in keeping smart contracts secure and stable.


Blog written by guest author Nikita M
