This website provides a set of examples of common malicious dapp scams. It is meant for integration testing; please do not share it publicly.
Do NOT submit any of these transactions on-chain or you may irrevocably lose funds.
Safeguard assertion failure
This example shows a Safeguard transaction that failed due to an assertion failure. The simulation will show a revert error. Sending this transaction on-chain would result in a failed transaction with a Safeguard assertion error. This example is for demonstration purposes only. It modifies the Safeguard transaction before sending it for signing to ensure it fails on-chain 100% of the time.
Safeguard success with txn success
This example shows a successful Safeguard transaction where the original transaction was also successful.
Safeguard adds extra transaction
This example shows a successful Safeguard transaction where the Safeguard instructions didn't fit in the original transaction. The Blowfish API includes a "shouldBundle" flag in the response, indicating that you should use Jito to submit the transactions.
Safeguard error due to too many transactions
This example shows an error where Safeguard transactions are not generated because too many transactions were submitted at once.
Set Owner Authority SPL ATA account
In this scam the attacker asks the user to sign over the owner authority of the ATA account(s) of their SPL tokens (in this example USDC). This not only gives the attacker full access to steal all the funds, but since the ATA for a specific SPL token cannot be regenerated, it will also break the user's ability to use that SPL token in some applications ever again. The victims are essentially forced to create a new wallet and transfer all their funds.
Bitflip Attack
This is a Solana copy of the above "Bitflip Attack" scam.
Modify Authority of Solana Staking Account
In this scam the attacker asks the user to set their account as either the withdraw or stake authority of their Solana staking account. This allows the scammer to withdraw or delegate the user's staked SOL.
Modify Solana account owner program
In this scam the attacker asks the user to change the 'owner' program of their account from the Solana System program to a program written and controlled by the attacker. This effectively gives the scammer control over the user's account.
Request more SPL approval than needed (dangling approval)
In this scam the attacker requests a much larger approval for the user's SPL token(s) than needed for the transaction, so they can come back later and steal all the user's funds. This demo requires the connecting account to have at least 1 USDC.
Transaction originating from a blocked domain
This example shows a simple transfer transaction originating from a blocked malicious dapp domain. This example will NOT trigger any warnings in an integrated wallet, as the request from the wallet will use the origin examples.blowfish.tools instead of that of the malicious dapp.
NFT transfer
This example shows an enriched transfer transaction of 5 tokens from the connected account. It will NOT trigger any warnings.
Malicious OpenSea Order
This scam creates a malicious OpenSea order that trades the user's NFTs & ERC20 tokens for nothing by putting the user on both sides of the trade and sending the receiving tokens to the attacker's address. The endpoint supports both ERC721 & ERC1155, but for this demo example the connecting account needs to own at least 1 ERC721 NFT.
Malicious Bulk OpenSea Order
This scam creates a malicious OpenSea order that trades ALL of a user's NFTs for nothing by putting the user on both sides of the trade and sending the receiving tokens to the attacker's address. The endpoint supports both ERC721 & ERC1155, but for this demo example the connecting account needs to own at least 1 ERC721 NFT.
Imbalanced Dollar Value
This can be a scam, or simply a fat-finger error, which results in a trade that gives you back less in $-denominated assets than you are sending. For this demo example the connecting account needs to have NFTs worth at least $100.
Malicious Blur Order
This scam creates a malicious Blur order that sells a single NFT for nothing. The endpoint supports both ERC721 & ERC1155, but for this demo example the connecting account needs to own at least 1 ERC721 NFT.
Malicious Blur Bulk Order
This scam creates a malicious Blur order that sells all NFTs of a collection for nothing. The endpoint supports both ERC721 & ERC1155, but for this demo example the connecting account needs to own at least 1 ERC721 NFT.
Malicious Permit2
This scam creates a malicious Permit2 transaction that allows the attacker to steal the user's ERC20 tokens. The endpoint supports both ERC20 & ERC721, but for this demo example the connecting account needs to own at least 1 ERC20 token.
eth_sign
This scam asks the user to sign an entirely unreadable message which can be a valid Ethereum transaction, which the attacker then submits on chain.
Malicious NFT SetApprovalForAll/Approval to EOA
This scam asks the user to SetApprovalForAll to the attacker's address on the user's most valuable NFT collection. The attacker can then freely steal all the user's NFTs from that collection. Note that this transaction also warns with ApprovalToEoa, meaning the approval is to a non-smart-contract account.
Send ERC20 tokens to the token contract
This is an easy-to-make mistake where the user transfers their ERC20 tokens (in this example case WETH) directly to the ERC20 token contract itself, essentially burning those tokens. This example requires the connecting account to have at least 0.01 WETH.
Malicious Account flagged by OFAC
This transaction interacts with an address that is on the OFAC sanctions list. The recipient address in question has been identified in past suspicious activities or malicious operations, indicating a high risk of fraud or scam.
Malicious Contract flagged by Blowfish
This transaction interacts with a contract that is on the Blowfish malicious list. The recipient address in question has been identified in past suspicious activities or malicious operations, indicating a high risk of fraud or scam.
0x Exchange RFC/Limit Order
These usually are not scams, but can result in lost funds. This particular example is a limit order which has a fat-finger price, triggering our imbalanced $-value checker. Requires non-zero balance of WETH.
1inch Limit Order
These are also not usually scams, but the recipient address can be changed to a malicious address, as in this particular example, which triggers our "trade for nothing" checker. Requires non-zero balance of WETH.
Malicious ERC20 Meta Transaction Message
This scam asks the user to sign a message that is actually a meta transaction which is potentially malicious, and can be executed on chain by the attacker. Requires non-zero balance of Polygon WETH.
Malicious Polygon OpenSea Order
This is a Polygon copy of the above "Malicious OpenSea Order" scam. Requires Polygon NFTs.
Malicious Polygon Bulk OpenSea Order
This is a Polygon copy of the above "Malicious Bulk OpenSea Order" scam. Requires Polygon NFTs.
Malicious Polygon Imbalanced Dollar Value
This is a Polygon copy of the above "Imbalanced Dollar Value" scam. Requires minimum $100 worth of Polygon WETH.
Malicious Polygon Permit2
This is a Polygon copy of the above "Malicious Permit2" scam.
Polygon eth_sign
This is a Polygon copy of the above "eth_sign" message.
Malicious Polygon NFT SetApprovalForAll/Approval to EOA
This is a Polygon copy of the above "Malicious NFT SetApprovalForAll/Approval to EOA" scam.
Malicious Polygon Transfer ERC20 to Contract
This is a Polygon copy of the above "Malicious Transfer ERC20 to Contract" scam. Requires Polygon WETH.
Malicious Polygon 0x Exchange RFC/Limit Order
This is a Polygon copy of the above "0x Exchange RFC/Limit Order" message.
Malicious Polygon 1inch Limit Order
This is a Polygon copy of the above "1inch Limit Order" message.