MASK Token Unsellable
In anticipation of a new MASK token which was expected to be released by MetaMask, a scam token was created that was also called MASK. The token's smart contract was structured so that the ability to sell it would stop working over time. It is reported that 462 ETH was spent purchasing the tokens. Much of the proceeds were withdrawn through Tornado Cash, and there is no indication that any affected users will recover their lost funds.
This is a global/international case not involving a specific country.[1][2][3][4]
About MASK Token
"The person or persons who created these fakes almost deserves credit for being cunning enough to superimpose what looks like a real OpenSea verified blue check mark on the stolen Hashmasks logo inside the logo’s border (see below). They link to the real Hashmasks website and Discord and are betting people won’t notice the extra apostrophe after “Hasmasks.” Another tell is, this sham collection is on Polygon."
"The scammer was able to manipulate DEXTools into showing a blue tick verification and pop-up which displayed the token as legitimate."
"Hackers injected malicious code into the description of the token that the website executed, resulting in a much-anticipated blue "Verified" badge displayed next to WETH/MASK pair."
The Reality
"Then came the actively malicious $MASK scam, capitalising on the hype generated by the above examples, and speculation on whether MetaMask would release its own token." "[A] token was issued by “MaskDAO”, the website was registered yesterday, December 27th."
A scam token named MASK has emerged in the Ethereum community, falsely impersonating the governance token of the popular wallet MetaMask. The scam involves a token that can only be purchased but not sold, closely resembling MetaMask's governance token "Mask," which has not actually been issued yet[5].
Reports indicate that many users have fallen victim to this scam, buying the fraudulent token but then being unable to sell it. One Twitter user shared a transaction history of someone who bought MASK for a significant amount of ETH but is now unable to sell it at any price[5].
Around 400 victims have been identified through Etherscan, and the scam token is associated with "MaskDAO," a questionable entity that registered its website on December 27[5].
The scammers behind the MASK token managed to attain a verification badge on the popular DeFi application DexTools by injecting malicious code into the token's description on the website. This caused a "Verified" badge to appear next to the WETH/MASK pair, making it seem more legitimate[5].
Furthermore, the token's sell option was locked after around $1 million in liquidity was injected into it. The fraudulent nature of the token has led it to be labeled as a "honeypot" by automated analytic systems due to code that prevents it from being sold[5].
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
Date | Event | Description |
---|---|---|
December 27th, 2021 2:12:00 PM MST | Jeremy/LindyApe Tweet | Twitter user Jeremy/LindyApe posts about a user getting stuck with the $MASK token[6]. |
December 27th, 2021 10:48:00 PM MST | Warning From Sterling Crispin | Twitter user Sterling Crispin warns about the $MASK and $META tokens[7]. |
December 28th, 2021 4:02:00 AM MST | U.Today Article | A U.Today article reports that many users have fallen victim to this scam, buying the fraudulent token and then being unable to sell it. One Twitter user shared a transaction history of someone who bought MASK for a significant amount of ETH but was unable to sell it at any price. Around 400 victims have been identified through Etherscan. The scammers behind the MASK token managed to obtain a verification badge on the popular DeFi application DexTools by injecting malicious code into the token's description on the website. This caused a "Verified" badge to appear next to the WETH/MASK pair, making it seem more legitimate. Furthermore, the token's sell option was locked after around $1 million in liquidity was injected into it[5]. |
December 29th, 2021 12:07:07 AM MST | Mask DAO Airdrop Video | An unrelated project Mask DAO launches a free airdrop for their token[8]. The video also goes over the honeypot token, and confirms that this is a different token. |
December 29th, 2021 1:54:04 AM MST | DappRadar Article | In recent days, there has been a mixture of excitement and controversy surrounding the SOS, MASK, and GAS token airdrops. Unaffiliated groups and individuals have initiated decentralized autonomous organizations (DAOs) to attract communities through token airdrops. The trend began with OpenDAO, which introduced the SOS token aiming to support NFT creators, preserve art, fund developers, and compensate scam victims. OpenDAO distributed 50% of the total SOS supply to OpenSea users to build its community. Despite the growing community around SOS, its utility remains somewhat unclear, and its anonymous developers hold wallets that could potentially impact the token's value. However, they have stated intentions to implement multisig wallets for better security. Following SOS, MaskDAO launched the MASK token, generating more controversy. MaskDAO targeted Metamask users, initially presenting itself as a legitimate Metamask project, which later proved false. The controversy negatively affected the token's value, causing a substantial price drop. GasDAO also emerged, introducing the GAS token to users who burned ETH for gas fees on the Ethereum network. Unlike OpenDAO, GasDAO did not target the NFT community but aimed to unite the broader web3 community. While GasDAO has not faced negative feedback thus far, questions arise about the sustainability of DAOs without tangible products or services and whether they can truly fulfill their promises to the community.[3] |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
"The person or persons who created these fakes almost deserves credit for being cunning enough to superimpose what looks like a real OpenSea verified blue check mark on the stolen Hashmasks logo inside the logo’s border (see below). They link to the real Hashmasks website and Discord and are betting people won’t notice the extra apostrophe after “Hasmasks.” Another tell is, this sham collection is on Polygon."
"The scammer was able to manipulate DEXTools into showing a blue tick verification and pop-up which displayed the token as legitimate."
"Hackers injected malicious code into the description of the token that the website executed, resulting in a much-anticipated blue "Verified" badge displayed next to WETH/MASK pair."
"Mr. @cobynft revealed that the sell option was locked after $1 million in liquidity was injected into MASK. Right now, the token is labeled as a "honeypot" by automatic analytic systems due to its code including the line that does not allow selling it."
"As crypto enthusiast @cobynft explained, MASK token issuers used a trick to get verification badges for the popular DeFi app DexTool."
“Hackers added malicious code to the description of the token displayed by the website, resulting in the highly anticipated blue ‘Verified’ badge next to the WETH / MASK pair,” he said.
"After users piled in, 462 ETH was pulled from the Uni v2 pool. The contract also included fees on transfer which were sent directly to this address." "127 ETH of which have since been sent on to another address, and then to Tornado Cash." "According to Etherscan, the actual number of victims of this scam could be closer to 400."
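The case study does not reproduce the MASK contract itself, so the following is an added, constructed model (not the scam's code) of the two mechanics the sources describe: a fee on every transfer routed to the deployer, and a sell path that starts reverting for everyone but the owner once the pool reaches a liquidity threshold. It also shows the round-trip check a wallet or analytics tool can run, and why a single check taken before the lock activates comes back clean. All addresses, fee rates and thresholds are assumptions.

```python
# Added example (not code from the case study): toy model of the
# buy-but-not-sell "honeypot" pattern, plus a buy-then-sell simulation
# that a wallet or explorer could run to flag it. All names, fee rates
# and thresholds below are constructed assumptions.
from dataclasses import dataclass, field


class Revert(Exception):
    """Stands in for an EVM revert."""


@dataclass
class HoneypotToken:
    owner: str                 # deployer; exempt from the sell lock and the fee
    pair: str                  # DEX pool address: buy = pair -> user, sell = user -> pair
    fee_bps: int               # transfer fee in basis points, paid to the owner
    lock_after_liquidity: int  # assumed: sells revert once pool liquidity reaches this
    liquidity: int = 0         # quote asset in the pool, arbitrary units
    balances: dict = field(default_factory=dict)

    def transfer(self, sender: str, recipient: str, amount: int) -> int:
        """Move tokens; returns what the recipient actually receives."""
        if self.balances.get(sender, 0) < amount:
            raise Revert("insufficient balance")
        is_sell = recipient == self.pair and sender != self.owner
        if is_sell and self.liquidity >= self.lock_after_liquidity:
            raise Revert("transfer not allowed")   # the "line that does not allow selling"
        fee = 0 if sender == self.owner else amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - fee
        self.balances[self.owner] = self.balances.get(self.owner, 0) + fee
        return amount - fee


def round_trip_check(token: HoneypotToken, trader: str, amount: int) -> dict:
    """Simulate buy-then-sell for `trader`; report whether the sell succeeds
    and how much of the position the round trip skims in fees."""
    token.balances[token.pair] = token.balances.get(token.pair, 0) + amount
    received = token.transfer(token.pair, trader, amount)     # buy
    try:
        sold = token.transfer(trader, token.pair, received)   # sell
        return {"sellable": True, "fee_bps_round_trip": 10_000 - sold * 10_000 // amount}
    except Revert as e:
        return {"sellable": False, "reason": str(e)}


def demo() -> tuple:
    """Same contract, three moments: early buyer, later buyer, owner exit."""
    t = HoneypotToken(owner="0xOWNER", pair="0xPAIR", fee_bps=500,
                      lock_after_liquidity=1_000_000)
    early = round_trip_check(t, "0xALICE", 1_000)   # pool still small: the check passes
    t.liquidity = 1_000_000                          # "after users piled in"
    late = round_trip_check(t, "0xBOB", 1_000)       # every non-owner sell now reverts
    owner_exit = t.transfer(t.owner, t.pair, t.balances[t.owner])  # owner still cashes out
    return early, late, owner_exit


if __name__ == "__main__":
    print(demo())
```

Because the lock is a state-dependent condition rather than a fixed property of the bytecode, a checker should re-run the simulation against current chain state and look for owner-only exemptions, not just a one-time pass.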
Total Amount Lost
"After users piled in, 462 ETH was pulled from the Uni v2 pool. The contract also included fees on transfer which were sent directly to this address." "127 ETH of which have since been sent on to another address, and then to Tornado Cash." "According to Etherscan, the actual number of victims of this scam could be closer to 400."
The total amount lost has been estimated at $1,865,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
"Today, on Dec. 28, Ether holders started reporting a new "honeypot contract," i.e., a token that you can only buy but not sell. The scam impersonates MetaMask's governance token, Mask, which has not been issued yet."
LindyApe/Jeremy Tweet
"User Jeremy shared a screenshot of the transaction history of an Ether holder who bought MASK for 22 ETH (nearly $88,000) and was unable to sell it afterwards."
"Really depressing. Dude tries to ape a coin 7 times upping ante each time. Fails each time. Gets in his entire net worth on the last go. Coin was a fake metamask token. Dextools exploit. Unsellable. What you're seeing here is a star going out."
"It seems that some traders are able to make a sale in the first few hours. But then it got worse and people started to realize they were being betrayed."
"Mr. @cobynft revealed that the sell option was locked after $1 million in liquidity was injected into MASK. Right now, the token is labeled as a "honeypot" by automatic analytic systems due to its code including the line that does not allow selling it."
"As crypto enthusiast @cobynft explained, MASK token issuers used a trick to get verification badges for the popular DeFi app DexTool."
“Hackers added malicious code to the description of the token displayed by the website, resulting in the highly anticipated blue ‘Verified’ badge next to the WETH / MASK pair,” he said.
Warning: the $MASK and $META tokens are scams, one of which apparently can drain your wallet. Don't interact with them. I've seen some accounts with 50k + followers promoting it for over a week -- they're getting paid. Block them if you're following anyone promoting it.
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
In recent days, there has been a mixture of excitement and controversy surrounding the SOS, MASK, and GAS token airdrops. Unaffiliated groups and individuals have initiated decentralized autonomous organizations (DAOs) to attract communities through token airdrops[3].
The trend began with OpenDAO, which introduced the SOS token aiming to support NFT creators, preserve art, fund developers, and compensate scam victims. OpenDAO distributed 50% of the total SOS supply to OpenSea users to build its community[3].
Despite the growing community around SOS, its utility remains somewhat unclear, and its anonymous developers hold wallets that could potentially impact the token's value. However, they have stated intentions to implement multisig wallets for better security[3].
Following SOS, MaskDAO launched the MASK token, generating more controversy. MaskDAO targeted Metamask users, initially presenting itself as a legitimate Metamask project, which later proved false. The controversy negatively affected the token's value, causing a substantial price drop[3].
GasDAO also emerged, introducing the GAS token to users who burned ETH for gas fees on the Ethereum network. Unlike OpenDAO, GasDAO did not target the NFT community but aimed to unite the broader web3 community. While GasDAO has not faced negative feedback thus far, questions arise about the sustainability of DAOs without tangible products or services and whether they can truly fulfill their promises to the community[3].
Impacts On Mask DAO
An unrelated project, Mask DAO, used $MASK as its ticker symbol and was falsely accused of being a honeypot[15].
"Let's get this clear, WE ARE NOT IN ANY WAY AFFILIATED WITH THE SCAM, RUGS, OR HONEYPOT TOKENS. We are MASK DAO."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
Individuals need to exercise caution with the smart contracts they choose to interact with. While it is possible to detect many honeypot smart contracts easily, these tools are not perfect, and there are other threats which can only be uncovered through a third party security audit.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Wallets and exchanges can help educate users on the risks of interacting with unaudited smart contracts, and provide easier ways to detect common scams or untrusted projects. An industry insurance fund can assist users who are affected by honeypot smart contracts.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Regulators can help educate their citizens on the risks of interacting with unaudited smart contracts. They can also ensure that all officially registered smart contracts obtain a smart contract audit. An industry insurance fund can assist users who are affected by honeypot smart contracts.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Rekt - Airdrop Hunters II (Feb 8, 2022)
- [2] Almost 400 ETH holders defrauded by counterfeit MetaMask tokens - CoinCu News (Feb 16, 2022)
- [3] SOS, MASK and GAS Airdrops Cause Hype and Controversy - DappRadar (Feb 16, 2022)
- [4] https://inf.news/en/tech/9244c3fa915f2a53745f45cd12282716.html (Feb 16, 2022)
- [5] Scam Alert: No, Metamask Didn't Issue Token - U.Today (Feb 16, 2022)
- [6] Jeremy - "Really depressing. Dude tries to ape a coin 7 times upping ante each time. Fails each time. Gets in his entire net worth on the last go. Coin was a fake metamask token. Dextools exploit. Unsellable. What you're seeing here is a star going out" - Twitter Archive December 27th, 2021 2:13:01 PM MST (Feb 16, 2022)
- [7] Sterling Crispin - "Warning: the $MASK and $META tokens are scams, one of which apparently can drain your wallet. Don't interact with them. I've seen some accounts with 50k + followers promoting it for over a week -- they're getting paid. Block them if you're following anyone promoting it." - Twitter (Feb 16, 2022)
- [8] CryptoData - FREE MetaMask Airdrop?! What is Mask DAO? - YouTube (Feb 16, 2022)
- [9] https://etherscan.io/address/0x241357313e802e16eeb9380f2b027224e90b56dd (Feb 16, 2022)
- [10] $MASK - MaskDAO (Feb 16, 2022)
- [11] $MASK - MaskDAO (Feb 16, 2022)
- [12] $MASK - MaskDAO (Feb 16, 2022)
- [13] $MASK - MaskDAO (Feb 16, 2022)
- [14] $MASK - MaskDAO (Feb 16, 2022)
- [15] Mask DAO - "Lets get this clear, WE ARE NOT IN ANY WAY AFFILIATED WITH THE SCAM, RUGS, OR HONEYPOT TOKENS. We are MASK DAO." - Twitter Archive December 27th, 2021 9:24:18 PM MST (Feb 16, 2022)