Common On-Chain Attacks: Recognize the Real Risks
A practical guide to rug pulls, phishing approvals, drainer contracts, flash-loan attacks, exit scams, sandwich attacks, and private-key theft.
Overview
On-chain scams use many names, but most rely on a small set of mechanisms: control the contract, trick the user, manipulate the market, or steal the key. Learning the mechanism is more useful than memorizing project names.
1. Rug Pull
A rug pull happens when a project team removes the value that supports a token or uses privileged contract controls against holders.
Common forms include:
- Removing liquidity from a DEX pool
- Minting a large number of new tokens and selling them
- Using owner-only controls to block users from selling
Warning signals: anonymous team, unverified source code, unlocked liquidity, aggressive guaranteed-profit claims, and a community dominated by automated accounts.
2. Phishing Approval
A phishing site or fake contract imitates a legitimate service and asks you to approve token spending. The interface may look familiar, but the spender address belongs to the attacker.
Protect yourself:
- Open projects from trusted bookmarks or verified official channels.
- Check the domain carefully.
- Read the wallet prompt and identify the spender.
- Avoid unlimited approvals when a limited amount is enough.
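The spender check and the unlimited-approval check above can be applied to the raw calldata a wallet shows before signing. The following is an added example written for this guide, not code from the page or from VaultScope; the addresses, the trusted-spender allowlist and the amounts are constructed for illustration.

```python
# Decode an ERC-20 approve(address,uint256) call and flag risky approvals
# before signing. Addresses and the allowlist below are constructed examples.

APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = (1 << 256) - 1   # the value most "unlimited" approvals use

def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata (used here only to construct sample prompts)."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")

def decode_approve(calldata: str):
    """Return (spender, amount) from approve() calldata, or None if it is not one."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    # An address is 20 bytes, ABI-encoded as a 32-byte word with 12 leading zero bytes.
    if spender_word[:24] != "0" * 24:
        return None
    return "0x" + spender_word[24:], int(amount_word, 16)

def assess_approval(calldata: str, trusted_spenders: set[str], needed_amount: int) -> list[str]:
    """Return a list of warnings for an approval prompt; an empty list means no red flags."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return ["not a standard approve(address,uint256) call; read the prompt carefully"]
    spender, amount = decoded
    warnings = []
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {spender} is not a known contract for this service")
    if amount == UINT256_MAX:
        warnings.append("unlimited approval requested")
    elif amount > needed_amount:
        warnings.append(f"approval ({amount}) exceeds the amount needed ({needed_amount})")
    return warnings

# Constructed sample data: one known router address and one unknown spender.
TRUSTED_ROUTER = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "22" * 20

if __name__ == "__main__":
    ok = encode_approve(TRUSTED_ROUTER, 1000)
    bad = encode_approve(UNKNOWN_SPENDER, UINT256_MAX)
    print(assess_approval(ok, {TRUSTED_ROUTER}, 1000))   # []
    print(assess_approval(bad, {TRUSTED_ROUTER}, 1000))  # two warnings
```

A real wallet prompt may show the decoded spender and amount already; the point is to compare the spender against the service's published contract addresses and to refuse an amount larger than the transaction needs.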
3. Drainer Contract
A drainer is designed to move assets out of a wallet after the user signs a transaction, approval, or permit. Some drain fungible tokens; others target NFTs or multiple asset types.
Warning signals: unexpected approval requests, broad permissions, unverified contracts, rushed claims, and links sent through unsolicited messages.
4. Flash-Loan Attack
A flash loan lets an attacker borrow a large amount of capital and repay it within one transaction. Attackers may use that temporary capital to manipulate prices, exploit weak oracle designs, or trigger accounting errors.
Users can be harmed when their funds are deposited in the affected protocol, even if they never interact with the attacker directly.
5. Exit Scam
An exit scam is a slower disappearance. The team reduces updates, stops fixing problems, withdraws support, and eventually abandons the project or its users.
Warning signals: declining development activity, unanswered security issues, disappearing team members, and unexplained treasury movements.
6. Sandwich Attack
In a sandwich attack, a bot sees a pending swap, trades before it to move the price, lets the victim trade at the worse price, and then trades again for profit.
Reduce exposure: use reasonable slippage settings, avoid very large swaps in shallow pools, and use MEV-protected transaction routes when available.
7. Private-Key Theft
If an attacker obtains your private key or seed phrase, they control the wallet. No token scanner can reverse that.
Never:
- Enter a seed phrase on a website
- Share a private key with support staff
- Store seed phrases in cloud photos or chat messages
Use a hardware wallet for valuable long-term holdings and consider multisig for shared or high-value funds.
A simple security checklist
| Signal | Interpretation |
|---|---|
| Verified contract source and credible audit | Better transparency, not a guarantee |
| Long operating history and active development | Lower uncertainty |
| Unverified contract or hidden owner powers | Review carefully |
| Guaranteed-return marketing or urgent pressure | Avoid |
| VaultScope flags a token or approval risk | Investigate before interacting |
VaultScope’s limits
VaultScope can help identify honeypots, high taxes, unverified contracts, suspicious approvals, and known malicious addresses. It cannot measure a team’s honesty, predict every future exploit, or protect a leaked private key.
Your final defense is deliberate behavior: verify first, approve less, and do not let urgency make the decision for you.