cawfree/no-u-honeypot

no-u-honeypot

A little knowledge can be a dangerous thing.

Basically, there's this interesting honeypot where an attacker will masquerade as a victim that has straight up rocks for brains and shares their seed phrase on social media:

Origin Story found on Double entry point issues by @holajotola.

Once the address is derived, consulting the block explorer will reveal an EOA that has some ERC-20 balance, but no underlying ether to cover the cost of taking the tokens out.

Would-be attackers, now enticed by the promise of free tokens, will attempt to donate a little ether via the public mempool to cover the cost of exfiltrating the tokens.

However, the deployer is smarter than they are.

They're monitoring the mempool for pending donations and will immediately backrun the donation transaction with a transfer to their own address. This allows the deployer to make off with the donation while the ERC-20s remain inside the EOA to tempt the next sucka.
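A defender's check for the pattern described above, as an added example that is not part of this repository: it scans an address's ether transfers for deposits that are swept out within a block to a single recipient while a token balance stays put. The addresses, amounts, field names and thresholds are constructed for illustration and do not correspond to any block explorer API.

```javascript
// Added example. Addresses, amounts and field names are constructed;
// they are not taken from the repository or from any explorer API.
const BAIT = "0xbait";
const wei = (eth) => BigInt(Math.round(eth * 1e6)) * 10n ** 12n;

// Constructed history of a bait EOA: two strangers fund it, each deposit is backrun.
const baitTxs = [
  { block: 100, index: 4, from: "0xvisitor1", to: BAIT, value: wei(0.005) },
  { block: 100, index: 5, from: BAIT, to: "0xdeployer", value: wei(0.0049) },
  { block: 250, index: 10, from: "0xvisitor2", to: BAIT, value: wei(0.003) },
  { block: 251, index: 0, from: BAIT, to: "0xdeployer", value: wei(0.0029) },
];
// Constructed history of an ordinary wallet, for contrast.
const normalTxs = [
  { block: 10, index: 2, from: "0xexchange", to: "0xwallet", value: wei(1) },
  { block: 9000, index: 7, from: "0xwallet", to: "0xshop", value: wei(0.1) },
];

// Pair each ether deposit with the very next ether movement on the address.
// A pair counts as a sweep when the outbound transfer follows within
// maxBlockGap blocks and carries at least minPct of the deposit (the rest is gas).
// Both thresholds are assumptions chosen for this example.
function findSweeps(txs, addr, maxBlockGap = 1, minPct = 80n) {
  const flow = txs
    .filter((t) => t.value > 0n && (t.to === addr || t.from === addr))
    .sort((a, b) => a.block - b.block || a.index - b.index);
  const sweeps = [];
  for (let i = 0; i + 1 < flow.length; i++) {
    const [dep, out] = [flow[i], flow[i + 1]];
    if (dep.to !== addr || out.from !== addr) continue;
    if (out.block - dep.block > maxBlockGap) continue;
    if (out.value * 100n >= dep.value * minPct) sweeps.push({ deposit: dep, sweep: out });
  }
  return sweeps;
}

// Honeypot signal: tokens still sitting there, repeated sweeps of deposits
// from different funders, all landing at one recipient.
function assess(txs, addr, tokenBalance) {
  const sweeps = findSweeps(txs, addr);
  const sinks = [...new Set(sweeps.map((s) => s.sweep.to))];
  const funders = new Set(sweeps.map((s) => s.deposit.from));
  const honeypot =
    tokenBalance > 0n && sweeps.length >= 2 && sinks.length === 1 && funders.size >= 2;
  return { honeypot, sweeps: sweeps.length, sinks };
}

console.log(assess(baitTxs, BAIT, 1000n), assess(normalTxs, "0xwallet", 1000n));
```
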

how to exploit the exploiters

This whole attack works because no-one is going to go to the effort of writing a Flashbots transaction bundle to atomically transfer the ether and withdraw the tokens... right?

Well, that's where no-u-honeypot comes in.

```bash
git clone git@github.com:cawfree/no-u-honeypot.git
cd no-u-honeypot
cp .env.example .env # add required variables
yarn
yarn eat "alarm fetch churn bridge exercise tape speak race clerk couch crater letter" # take the tokens
```

btw you might also like piggyback, a poison erc20 deployer

license

CC0-1.0

About

🍯 Using flashbots to frontrun the "leaked seed phrase" honeypot.
