🚨 I found a live honeypot on Ethereum that 4 security scanners missed.

    RAY token (0x9AF762965d8f4f3Ad65C2521b0A090f95bc75121)

    SolidityScan: 95.43/100 "GREAT"

    GoPlus: "No security risks found"

    It has a hidden kill switch. Thread 👇

    1/ The emitTransfer() function looks harmless — even has copied OpenZeppelin documentation. But it contains inline assembly that XOR-constructs a hidden address at runtime and calls it on EVERY transfer.

    2/ The XOR decode:

    0xb6390803 ^ 0xd73218d0 = 610b10d3

    0xb02df78d ^ 0xd73218d0 = 671fef5d

    0x7a5a30ea ^ 0xd73218d0 = ad68283a

    0xdff38596 ^ 0xd73218d0 = 08c19d46

    0xba97a7fb ^ 0xd73218d0 = 6da5bf2b

    Hidden controller: 0x610b10d3671fef5dad68283a08c19d466da5bf2b

    3/ Every transfer calls 0x478d3305(from) on this hidden contract. If it reverts → transfer reverts → you can't sell. Classic honeypot.

    The controller is UNVERIFIED, deployed 42 days before RAY, and has 129+ transactions from multiple addresses. Reusable honeypot infrastructure.

    4/ I built a research algorithm that detects this from bytecode alone. Zero training, no rules, no pattern matching. It flagged RAY as anomalous while 4 commercial scanners gave it a clean bill of health.

    Full writeup + evidence: https://github.com/aditya01933/zero-day-disclosures/blob/main/disclosures/2026-03-16-ray-token-honeypot.md

    Found a live honeypot on Ethereum with XOR-obfuscated backdoor — 4 security scanners missed it
    by u/techoalien_com in ethtrader



    Posted by techoalien_com
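
The XOR decode in step 2 can be reproduced statically by folding constants in bytecode. The sketch below is an added example, not the poster's algorithm or code from the write-up: it uses the five words and the key quoted in the thread, but `SAMPLE`-style bytecode from `build_sample()` is constructed, and the adjacent `PUSH4, PUSH4, XOR` layout is an assumption, since the real contract's instruction sequence is not shown on this page.

```python
# KEY and CHUNKS are quoted in the thread; everything else is constructed.
KEY = 0xd73218d0
CHUNKS = [0xb6390803, 0xb02df78d, 0x7a5a30ea, 0xdff38596, 0xba97a7fb]
PUSH1, PUSH4, PUSH20, PUSH32, XOR = 0x60, 0x63, 0x73, 0x7f, 0x18


def build_sample():
    """Constructed fragment: per word PUSH4 word, PUSH4 key, XOR, then filler."""
    code = bytearray()
    for c in CHUNKS:
        code += bytes([PUSH4]) + c.to_bytes(4, "big")
        code += bytes([PUSH4]) + KEY.to_bytes(4, "big")
        code += bytes([XOR, PUSH1, 0x20, 0x1b, 0x17])  # XOR, PUSH1 32, SHL, OR
    return bytes(code)


def disassemble(code):
    """Yield (offset, opcode, immediate); PUSH data is skipped, not decoded."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        n = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        yield pc, op, code[pc + 1:pc + 1 + n]
        pc += 1 + n


def xor_constants(code):
    """Fold each PUSH4, PUSH4, XOR triple into the 4-byte value it computes."""
    ins = list(disassemble(code))
    out = []
    for (_, a, x), (_, b, y), (pc, c, _) in zip(ins, ins[1:], ins[2:]):
        if a == PUSH4 and b == PUSH4 and c == XOR and len(x) == len(y) == 4:
            out.append((pc, bytes(p ^ q for p, q in zip(x, y))))
    return out


def hidden_addresses(code):
    """Join each run of five folded words into a 20-byte candidate address."""
    words = [w for _, w in xor_constants(code)]
    return ["0x" + b"".join(words[i:i + 5]).hex()
            for i in range(0, len(words) - 4, 5)]


def has_plain_push20(code, addr):
    """True if the address also appears as an ordinary PUSH20 immediate."""
    return any(op == PUSH20 and imm.hex() == addr[2:]
               for _, op, imm in disassemble(code))


if __name__ == "__main__":
    sample = build_sample()
    for addr in hidden_addresses(sample):
        print(addr, "plain PUSH20:", has_plain_push20(sample, addr))
```

An address that only exists after constant folding, and never as a plain `PUSH20`, is the property a reviewer would flag here; a scanner that only greps for 20-byte literals will not see it.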
