Paul Murphy
2023/01/09
Spam tokens. They’re horrible, and they’re everywhere¹. They just show up in your wallet. And there’s nothing you can do about it since anyone can send you tokens without your permission.
Sometimes these tokens are designed to get you to visit a website, for example, a token called UniswapLP.com. (⚠️Don’t go there!)
Sometimes they’re designed to confuse you, e.g., a token named “AAVE” which isn’t the AAVE token. Why would someone do that? Usually to steal your real AAVE tokens.
Sometimes these “free” tokens are part of a larger pump-and-dump scheme. They aren’t nefarious to you, they’re just annoying.
In their aim, spam tokens are just like spam emails.
Most people rely on centralized providers to process their email. For example, if I use Gmail (owned by Google) to send my mother a message to her Hotmail account (owned by Microsoft), two companies with large R&D budgets get the chance to review my email to decide whether or not it’s spam. If Google decides it’s spam, it won’t even send it on to Microsoft. If Microsoft decides it’s spam, it may reject it or, out of an abundance of caution, put it in my Mom’s spam box instead of her inbox.
This all happens without most of us even thinking about it. Yes, the system inevitably marks some legitimate email as spam, but, on the whole, it does a good job of keeping huge amounts of junk out of our inboxes. In addition, email clients let users mark spam email that made it through the filter.
Crypto is peer-to-peer. When someone sends you a spam token, there are no organizations with large R&D budgets processing the transaction. It’s direct. That’s the beauty of crypto.
That’s also the reason we can’t avoid spam tokens. They show up in our wallets, whether we like it or not.
When spam email ends up in your spam box, your email provider isn’t eliminating it. Instead, it’s hiding it so that you won’t see it unless you go looking explicitly. This can be frustrating, and often confusing, even for those of us who know exactly how the process works.
Hiding spam tokens can be equally confusing, if not more so.
But before we can talk about hiding spam tokens, we need to take a little detour to make sure we’re all on the same page. We need to understand where we might come across these spam tokens in the first place.
A wallet is a piece of software or hardware that holds public and private keypairs². These are a bit like username (public) and password (private) pairs that give you access to something like your bank account. One critical difference is that a public/private keypair gives you ownership of – not just access to – blockchain addresses that “store” your tokens.
A crypto wallet also holds the list of addresses owned by your public/private keys. This is why we decided to call wallets “wallets” even though they aren’t wallets like the one you carry around in your purse. Sometimes analogies help, but in this case, the analogy is confusing! Nonetheless, it’s the term everyone uses, so I’ll stick with it.
If you’ve spent any time in crypto you are no doubt familiar with various types of wallets. We have browser-based wallets like MetaMask. We have mobile wallets like Exodus³. We have hardware wallets like Trezor. And finally we have wallets stored at institutions like Binance and Coinbase, which aren’t wallets at all. Those “wallets” are accounts, just like your bank account.
If you have a wallet you can see its contents, i.e., the tokens stored at one or more addresses managed by the wallet. But it turns out that there are other ways of seeing these tokens.
A wallet lets you explore the tokens (or transactions) associated with an address. But other software does as well. Addresses, after all, are public, as are all transactions associated with those addresses.
I lump all of these non-wallets into a category I call “Transaction Explorers”. This class of software is mainly aimed at three categories of people:
Developers tend to be happy with relatively crude interfaces that allow them to see as much data as possible. In Ethereum, the most popular explorer is Etherscan. Copy and paste an address into its search bar and you can see every single transaction associated with it. Try it with one of Vitalik Buterin’s addresses: 0xab5801a7d398351b8be11c439e05c5b3259aec9b. You’ll be amazed by the volume of spam he has to deal with!
Traders like to know what they have. A popular tool for DeFi degens is Zapper. It does a great job of showing you what you own and how much it’s worth. Again, try it with Vitalik’s address.
And finally we have “serious” tools for accountants. These things are thorough and approach the problem from a completely different perspective. They don’t bother showing you a picture of your latest NFT purchase, but they do things like calculate the rewards you earned on Uniswap. Why? Ask the taxman. Our favorite explorer in this category is Picante⁴.
Wallets and transaction explorers are the equivalent of your email client: Gmail, Superhuman, Apple Mail, Outlook, etc. We use these email clients to send email to other email clients, but, as I mentioned earlier, that process depends on large corporations with the means (AIs) to deal with spam. In a peer-to-peer world, that isn’t possible.
This means that spam detection and spam processing are the responsibility of each wallet or transaction explorer. Everyone has to roll their own. Let’s look at three different approaches used in the industry:
This is the approach taken by the MetaMask wallet. Tokens must be approved (“imported”) in order for MetaMask to display them. This is a great strategy for people who understand what’s going on but it’s very confusing to new users.
If, for example, I send you a token that’s never been imported into your MetaMask, you won’t see it. To make matters worse, the approval process is complicated. You need to know the token’s contract address. And who knows where to find that?!
This is the most common approach. Show users all the tokens at an address. That’s what Zapper does, and no one seems to mind.
Some users deal with this problem by sending spam tokens to addresses set up for this very purpose. Trash Wallet is a good example. The only problem with that is that you spend gas getting rid of your spam!
This is where we get into interesting territory. There are currently three approaches being used to identify and manage spam tokens: home-grown application level strategies, user flagging, and centralized repositories of spam token addresses.
Let’s look at all three.
Some wallets and transaction explorers are coming up with their own internally-developed heuristic to generate a whitelist or blacklist of tokens that is then used by their applications.
Exodus, for example, publishes an explicit whitelist. Whether this list is algorithmically generated, hand-curated, or some combination isn’t relevant. What matters is that many projects are re-inventing this wheel, because blocking or hiding spam is so critical to the user experience.
Another technique is end user flagging.
When a user of a wallet or transaction explorer notices a spam token, she can mark it as spam and the software hides it. This allows her to manage her own universe of tokens. Unfortunately, this puts the burden on a user who may not know enough to determine whether or not a token is spam. As I mentioned, sometimes spam tokens have the exact same name as legitimate tokens. If you have two AAVE tokens in your wallet, which is the real one? Even for a knowledgeable user, this technique only works well as long as the volume of spam is manageable.
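As an added example (not code from Credmark or any wallet named here), the following Python combines the whitelist and user-flagging approaches described above. It identifies tokens by contract address rather than by symbol, so a second “AAVE” at an unknown address is hidden instead of trusted. The whitelist, the addresses, the wallet contents and the URL pattern are all constructed for illustration.

```python
import re
import unicodedata

# Constructed whitelist: contract address -> symbol (placeholder addresses, not real contracts).
WHITELIST = {"0x" + "a1" * 20: "AAVE", "0x" + "b2" * 20: "UNI"}
# A domain-like string in a token name or symbol, e.g. "UniswapLP.com".
URL_LIKE = re.compile(r"(https?://|www\.)|\b[\w-]+\.(com|io|org|net|xyz|finance|app)\b", re.I)

def fold(text):
    """Normalise a symbol so case and compatibility-form variants compare equal."""
    return unicodedata.normalize("NFKC", text).strip().casefold()

def classify(token, user_flagged=frozenset()):
    """Return (verdict, reason) for a token record with address, symbol and name."""
    address = token["address"].lower()
    if address in user_flagged:
        return "hidden", "flagged as spam by the user"
    if address in WHITELIST:
        return "show", "contract address is on the whitelist"
    trusted_symbols = {fold(s) for s in WHITELIST.values()}
    if fold(token["symbol"]) in trusted_symbols:
        return "hidden", "symbol matches a whitelisted token but the contract address does not"
    if URL_LIKE.search(token["name"]) or URL_LIKE.search(token["symbol"]):
        return "hidden", "name or symbol looks like a website address"
    return "unverified", "not on the whitelist; needs review"

def classify_wallet(tokens, user_flagged=frozenset()):
    """Map each contract address in the wallet to its verdict."""
    flagged = {a.lower() for a in user_flagged}
    return {t["address"].lower(): classify(t, flagged)[0] for t in tokens}

# Constructed wallet contents: the real AAVE, a same-named impostor, a URL token,
# an unknown token, and one the user has flagged by hand.
WALLET = [
    {"address": "0x" + "a1" * 20, "symbol": "AAVE", "name": "Aave Token"},
    {"address": "0x" + "c3" * 20, "symbol": "AAVE", "name": "Aave Token"},
    {"address": "0x" + "d4" * 20, "symbol": "UniswapLP.com", "name": "UniswapLP.com"},
    {"address": "0x" + "e5" * 20, "symbol": "XYZ", "name": "Example Token"},
    {"address": "0x" + "f6" * 20, "symbol": "PUMP", "name": "Pump Token"},
]

if __name__ == "__main__":
    for t in WALLET:
        print(t["symbol"], classify(t, {"0x" + "f6" * 20}))
```

The order of checks matters: the address lookup comes before any name-based rule, because the symbol and name are chosen by whoever deployed the token and the contract address is not.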
An alternative to end user flagging is crowdsourced flagging. Etherscan runs a project to support this: https://info.etherscan.com/etherscan-token-reputation/. Another is algorithmic scoring like https://tokensniffer.com/. Both are good resources for anyone having to manually mark their spam tokens.
But we can do a lot better.
What if we had a collaboratively-developed source of token legitimacy, accessible through either a website like Etherscan’s or an API? What if that information could be used by developers so that they didn’t have to reinvent the wheel or place the research burden on their users?
It would be fantastic for the entire crypto industry. Unfortunately, it doesn’t exist yet.
Luckily Credmark is working on this problem and plans to put a proposal forward in the coming weeks. We’re hoping to make it the best of all worlds: decentralized, open source, and collaborative. It’s an ambitious goal, but the industry needs it, and we have the infrastructure to support it.
More info coming soon!
¹ In 2022 alone, Solidus Labs estimates that over 120,000 scam tokens were deployed: https://www.soliduslabs.com/reports/rug-pull-report.
² Strictly speaking, this isn’t true. Since a blockchain is a ledger it only needs to keep transactions (credits and debits) associated with an address. Your balance is derived from the transactions. Talking about spam tokens as “unwanted transactions” would therefore be more accurate than talking about spam tokens, but a lot more confusing!
³ Exodus, like many wallets, is available on multiple platforms like iOS, Android, and even desktop.
⁴ Full disclosure: Picante is a Credmark customer.
Credmark runs a financial modeling platform powered by reliable on-chain data. We curate and manage DeFi data, making it available via API and the Snowflake Marketplace around the globe and across industries.
Our community of quants, developers, and modelers actively build models for the DeFi community by leveraging our data API and tools. Join the growing community and together we will advance the next-generation financial system.