A smart contract that accepts your funds but will not let you withdraw them. The deposit function works. The withdrawal function is broken, restricted, or gated behind a condition only the deployer can meet.
You send crypto in. It stays in. Forever.
The withdrawal function looks normal on the surface. But one of these is hidden inside:
• Owner-only modifier on the withdraw function — only the deployer address can pull funds out
• Fake token approval — the contract approves a transfer that routes to the deployer, not you
• Hidden state variable — a flag set at deploy time that blocks all withdrawals
• Self-destruct trap — contract destroys itself once enough funds have arrived; the balance goes to the deployer
• Slippage manipulation — high-slippage sell taxes make it impossible to exit at any price
The technical trap alone is not enough. People have to send funds first. The social layer creates the pressure:
• Claim before it expires. Limited time window.
• Stuck funds waiting to be released. You just need to pay a small fee to unlock.
• Arbitrage opportunity. Others are profiting right now.
• Influencer shilling the contract. Fake volume on-chain to show activity.
The urgency is manufactured. The deadline is fake. The influencer is paid or compromised.
1. Read the contract on Etherscan / BscScan. Find the withdraw function. Look for owner checks.
2. Run it through the GoPlus Security API, which flags known honeypots automatically.
3. Check if anyone has successfully withdrawn. Look at outgoing transactions from the contract.
4. If only the deployer address has ever withdrawn — that is the signal.
5. Simulate the transaction in Tenderly before sending real funds.
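Steps 1, 3 and 4 above can be scripted. The Python below is an added example, not part of the original note and not code from GoPlus, Tenderly or any block explorer. It applies two heuristics: given a verified source string, it flags any withdraw-like function guarded by an owner check (a modifier or a `msg.sender == owner` require), and given a list of explorer transaction records, it flags a contract whose only successful outflow went to the deployer. The contract and deployer addresses, the transaction records and the two contract snippets are constructed placeholders; the regexes are a rough heuristic rather than a Solidity parser, so they complement steps 2 and 5 rather than replace them.

```python
import re
from dataclasses import dataclass

# --- Check 1: is the withdraw function owner-gated? (step 1) -------------

# Matches "function <name containing withdraw>(<params>) <modifiers> {"
# and captures the name and the visibility/modifier part of the header.
WITHDRAW_FN = re.compile(r"function\s+(\w*[Ww]ithdraw\w*)\s*\([^)]*\)([^{;]*)\{")

# Common shapes of an owner check: an onlyOwner modifier, or a require that
# compares msg.sender with an owner variable. Heuristic, not a parser.
OWNER_CHECK = re.compile(
    r"onlyOwner|msg\.sender\s*==\s*_?owner\b|\b_?owner\s*==\s*msg\.sender")


def _block(source: str, open_brace: int) -> str:
    """Return the {...} block starting at index open_brace (brace counting)."""
    depth = 0
    for i in range(open_brace, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[open_brace:i + 1]
    return source[open_brace:]


def find_withdraw_gates(source: str) -> dict:
    """Map each withdraw-like function name to True if an owner check guards it."""
    gates = {}
    for m in WITHDRAW_FN.finditer(source):
        header, body = m.group(2), _block(source, m.end() - 1)
        gates[m.group(1)] = bool(OWNER_CHECK.search(header + body))
    return gates


# --- Check 2: who has ever received value from the contract? (steps 3-4) --

@dataclass(frozen=True)
class Tx:
    frm: str        # sender address ("from" on the explorer)
    to: str         # recipient address
    value_wei: int  # value moved
    ok: bool        # True if the transaction did not revert


def outgoing_recipients(txs, contract: str) -> set:
    """Addresses that successfully received value out of the contract."""
    return {t.to.lower() for t in txs
            if t.frm.lower() == contract.lower() and t.ok and t.value_wei > 0}


def assess(source: str, txs, contract: str, deployer: str) -> list:
    """Return the honeypot signals that fired; an empty list means none did."""
    signals = []
    gates = find_withdraw_gates(source)
    if not gates:
        signals.append("no withdraw function found in source")
    for name, gated in gates.items():
        if gated:
            signals.append(f"{name} is owner-gated")
    recipients = outgoing_recipients(txs, contract)
    if not recipients:
        signals.append("no successful outflow from the contract yet")
    elif recipients <= {deployer.lower()}:
        signals.append("only the deployer has ever received funds")
    return signals


# --- Constructed sample data (placeholders, not real addresses) -----------

CONTRACT = "0xContractAddressPlaceholder"
DEPLOYER = "0xDeployerAddressPlaceholder"

HONEYPOT_SRC = """
contract Vault {
    address public owner;
    mapping(address => uint256) public balances;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner); _; }
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external onlyOwner {
        payable(msg.sender).transfer(amount);
    }
}
"""

SAFE_SRC = """
contract Vault {
    mapping(address => uint256) public balances;
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }
}
"""

SAMPLE_TXS = [
    Tx("0xAlice", CONTRACT, 1 * 10**18, True),   # Alice deposits
    Tx("0xBob", CONTRACT, 2 * 10**18, True),     # Bob deposits
    Tx("0xAlice", CONTRACT, 0, False),           # Alice's withdraw() reverts
    Tx(CONTRACT, DEPLOYER, 3 * 10**18, True),    # the only outflow: to deployer
]

if __name__ == "__main__":
    print("honeypot sample:", assess(HONEYPOT_SRC, SAMPLE_TXS, CONTRACT, DEPLOYER))
    print("safe sample:", assess(SAFE_SRC, SAMPLE_TXS, CONTRACT, DEPLOYER))
```

Against the constructed sample the honeypot source fires both signals, while the same transaction history against the open `withdraw` still fires the deployer-only outflow signal, which is the point of step 4: source reading and on-chain history are independent checks, and a clean-looking source does not cancel a suspicious outflow pattern.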
Same architecture as evilginx. Two layers working together:
• Technical layer: the phishlet / the broken withdraw function
• Social layer: the fake login page / the urgency narrative
In both cases the technical layer could not work without the social layer. Nobody types credentials into a URL they distrust. Nobody sends funds to a contract they have read and understood.
The gap between technical reality and social perception is where both attacks live.
SELUTH — the wall always has two faces. The one you can see, and the one you are meant to see.