app-monorepo
[QUESTION] What does OneKey base its token security risk calculation on?
I see that in the app you calculate token security risk based on `riskLevel`, which is:
```ts
enum TokenRiskLevel {
  UNKNOWN = 0,
  VERIFIED = 1,
  WARN, // implicitly 2
  DANGER, // implicitly 3
}
```
But how do you determine whether it's `VERIFIED`, `WARN` or `DANGER` from api.gopluslabs.io?
For example, if I call the following for USDT on chain-id = 1, the response is the following:
```json
{
  "code": 1,
  "message": "ok",
  "result": {
    "contract_name": "TetherToken",
    "tag": "USDT",
    "is_contract": 1,
    "creator_address": "0x36928500bc1dcd7af6a2b4008875cc336b927d57",
    "deployed_time": 1511829681,
    "is_open_source": 1,
    "is_proxy": 0,
    "trust_list": 1,
    "doubt_list": 0,
    "malicious_behavior": [],
    "contract_scan": {
      "owner": {
        "owner_name": "owner",
        "owner_address": "0xc6cde7c39eb2f0f0095f41570af89efc2c1ea828",
        "owner_type": "contract"
      },
      "privilege_withdraw": 0,
      "withdraw_missing": 0,
      "blacklist": 1,
      "selfdestruct": 0,
      "approval_abuse": 0
    },
    "risky_approval": {
      "risk": null,
      "value": 0
    }
  }
}
```
And if you use the same API to call QNT with riskLevel = 0, you'll get the response:
```json
{
  "code": 1,
  "message": "ok",
  "result": {
    "contract_name": "StandardToken",
    "tag": null,
    "is_contract": 1,
    "creator_address": "0xf5e38bbedc78efea055e0c56035adb320e64c4bc",
    "deployed_time": 1523044361,
    "is_open_source": 1,
    "is_proxy": 0,
    "trust_list": 0,
    "doubt_list": 0,
    "malicious_behavior": [],
    "contract_scan": {
      "owner": {
        "owner_name": "balances[msg.sender]",
        "owner_type": "multi-address"
      },
      "privilege_withdraw": 0,
      "withdraw_missing": 0,
      "blacklist": 0,
      "selfdestruct": 0,
      "approval_abuse": 0
    },
    "risky_approval": {
      "risk": null,
      "value": 0
    }
  }
}
```
And if you use the same API to call cUSDC with riskLevel = 2, you'll get the response:
```json
{
  "code": 1,
  "message": "ok",
  "result": {
    "contract_name": "CErc20",
    "tag": null,
    "is_contract": 1,
    "creator_address": "0xa7ff0d561cd15ed525e31bbe0af3fe34ac2059f6",
    "deployed_time": 1557192331,
    "is_open_source": 1,
    "is_proxy": 0,
    "trust_list": 0,
    "doubt_list": 0,
    "malicious_behavior": [],
    "contract_scan": {
      "owner": {
        "owner_name": "address(0)"
      },
      "privilege_withdraw": 0,
      "withdraw_missing": 0,
      "blacklist": 0,
      "selfdestruct": 0,
      "approval_abuse": 0
    },
    "risky_approval": {
      "risk": null,
      "value": 0
    }
  }
}
```
From the above response, how do you determine the `risk_level`?
Hey @Mustafa-Agha, the API that you show is `token_approval_security`, but the one we actually use is `token_security`. We determine the specific risk level of a token based on certain fields in the returned content.
Based on the response from `token_security`, which criteria do you use to get the 4 `riskLevel` values?
I think it should be in the documentation so that we understand the criteria better and why one token is risky and another is not.