@georgerobescu
Created August 19, 2020 15:26
Some minimum safety measures to take when farming new or unaudited pools

DISCLAIMER: I am not a security expert, and this is nowhere near a substitute for a real professional audit; even after following all of these steps you are at extreme risk whenever you touch one of these pools. Do not put more than you can afford to lose into any ETH smart contract, let alone an unaudited, untested one. And obviously, needless to say, none of this is financial advice. SHRIMP is just one of these pools that I am using as an example; this is neither an audit nor a recommendation to go farm it.

In this guide, I will discuss some steps you can take to protect yourself from falling victim to farming pool scams. Note that this guide is about the safety of your deposits, not about the safety of principal in new tokens or in new token liquidity pools.

The first important thing you need to do is find the contract you will be interacting with. Sometimes this is easier than at other times. Often the best technique is to find the token you will be farming on Etherscan, then look at the top holders. For most farms, the farming contracts will be at or near the top of the list.

For example, for SHRIMP, we can find the farming pools near the top of the list of holders. If this doesn't work, you may want to look at the official documentation or try to interact with the frontend (without sending an actual transaction!) to find the desired contract addresses.

Once you find the contract address on Etherscan, click on the Contract tab and look at the verified source code. What I usually do is use a diff checker to compare it with the most similar "tested" contract (e.g. from SNX, YFI, YAM, etc.).

For example, if we compare the SHRIMP pool contract to the YAM pool contract, we see only minimal changes to things like variable names, contract addresses, and times.

[Image: diff of the SHRIMP and YAM pool contracts (Source)]

What is usually OK to see: variable name changes, date/timing/supply changes, token contract address changes. What you don't want to see: upgradeable contracts, a lot of new complicated logic, weird changes whose purpose you can't understand, etc. This is again nowhere near a substitute for a real audit, but it will protect you from the laziest scammers.
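The diff-checker step above can be given a first pass automatically. The script below is an added example, not code from the gist: it compares a trusted pool's verified source with a new pool's source, and reports a changed line as "cosmetic" only when, after masking addresses, numeric literals and non-keyword identifiers, the same line shape already exists in the trusted contract; every other changed line, and any line matching a risky pattern, is listed for manual review. The keyword list, the risky patterns and both Solidity fragments are constructed for the example; the addresses and timing values are placeholders, not the real SHRIMP or YAM values.

```javascript
// Added example, not code from the gist: first-pass triage of the diff between
// a trusted pool's source and a new pool's source. Keyword list, risky
// patterns and both contract fragments are the example author's assumptions.

const SOLIDITY_KEYWORDS = new Set([
  'pragma', 'solidity', 'contract', 'is', 'function', 'modifier', 'event', 'emit',
  'return', 'returns', 'public', 'external', 'internal', 'private', 'view', 'pure',
  'payable', 'constant', 'memory', 'storage', 'if', 'else', 'for', 'while', 'require',
  'revert', 'msg', 'sender', 'value', 'this', 'super', 'new', 'address', 'bool',
  'string', 'bytes', 'mapping', 'uint', 'uint256', 'true', 'false', 'override', 'virtual',
]);

// Lines a human should always read, whatever their shape.
const RISKY_PATTERNS = [
  /delegatecall/i, /selfdestruct/i, /upgrade/i, /proxy/i, /onlyOwner/,
  /transfer\s*\(.*balanceOf\s*\(\s*address\s*\(\s*this\s*\)/, // moves the pool's whole balance
];

// Collapse a line to its "shape": keywords and punctuation stay, the rest is masked.
function normalizeLine(line) {
  return line
    .trim()
    .replace(/\b[A-Za-z_]\w*\b/g, (id) => (SOLIDITY_KEYWORDS.has(id) ? id : '<ID>'))
    .replace(/0x[0-9a-fA-F]{40}/g, '<ADDR>')
    .replace(/\b\d+(\.\d+)?\b/g, '<NUM>')
    .replace(/\s+/g, ' ');
}

// Returns { cosmetic: [...], review: [...] } for lines of newSource not found
// verbatim in trustedSource.
function triageDiff(trustedSource, newSource) {
  const trustedLines = new Set(trustedSource.split('\n').map((l) => l.trim()));
  const trustedShapes = new Set(trustedSource.split('\n').map(normalizeLine));
  const result = { cosmetic: [], review: [] };
  for (const raw of newSource.split('\n')) {
    const line = raw.trim();
    if (line === '' || trustedLines.has(line)) continue; // unchanged line
    const risky = RISKY_PATTERNS.some((re) => re.test(line));
    if (!risky && trustedShapes.has(normalizeLine(line))) result.cosmetic.push(line);
    else result.review.push(line);
  }
  return result;
}

// Constructed fragments (placeholder addresses and timings, not real contracts).
const TRUSTED_POOL = `
contract YAMPool is LPTokenWrapper, IRewardDistributionRecipient {
    IERC20 public yam = IERC20(0x1111111111111111111111111111111111111111);
    uint256 public constant DURATION = 625000;
    uint256 public starttime = 1597172400;
    function stake(uint256 amount) public updateReward(msg.sender) checkStart {
        super.stake(amount);
    }
    function exit() external {
        withdraw(balanceOf(msg.sender));
        getReward();
    }
}`;

const NEW_POOL = `
contract ShrimpPool is LPTokenWrapper, IRewardDistributionRecipient {
    IERC20 public shrimp = IERC20(0x2222222222222222222222222222222222222222);
    uint256 public constant DURATION = 432000;
    uint256 public starttime = 1597800000;
    function stake(uint256 amount) public updateReward(msg.sender) checkStart {
        super.stake(amount);
    }
    function exit() external {
        withdraw(balanceOf(msg.sender));
        getReward();
    }
    function sweep(address to) external onlyOwner {
        shrimp.transfer(to, shrimp.balanceOf(address(this)));
    }
}`;

const report = triageDiff(TRUSTED_POOL, NEW_POOL);
console.log('cosmetic:', report.cosmetic); // name, address, duration and start-time changes
console.log('review:', report.review);     // the owner-only sweep() that the trusted pool lacks
```

The four renamed or retimed lines come back as cosmetic, exactly the kind of change the gist says is fine, while the added owner-only function that can move the pool's entire balance lands in the review list. The shape matching is deliberately strict: a line whose structure has no counterpart in the trusted source is never called cosmetic, so the tool errs toward asking you to read more, not less.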


OK, so the contract looks good, so I can just head over to the website and throw in my life savings, right? WRONG! Regardless of the contract, we must keep in mind that a frontend can change the contracts you are interacting with at any time. An unscrupulous dev could even randomize this, or specifically target high-value accounts connecting to the website, to reduce the chances of others raising the alarm.

This frontend attack is obvious, extremely easy to execute, and really only a matter of time before it is done, so it is vital that you protect yourself from it if you are going to chase these high-risk farms. You have two options: 1) check the address of each and every transaction being sent from the frontend and make sure it matches the contract address you already looked at, or 2) do all contract interactions manually from Etherscan.
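Option 1 can be enforced in code rather than by eye. The following is an added example, not code from the gist or from any pool's frontend: it wraps an EIP-1193 wallet provider (the `request({ method, params })` interface MetaMask exposes) so that every `eth_sendTransaction` the frontend asks for is checked against the token and pool addresses you already reviewed on Etherscan. The two addresses are placeholders; the function selectors are the standard ERC-20 `approve` selector and the selectors commonly seen for Synthetix-style `stake`/`exit`/`getReward`, which you should confirm against the pool's own ABI on Etherscan before relying on them.

```javascript
// Added example, not code from the gist: refuse to sign any transaction whose
// target or approve() spender is not one of the contracts you reviewed.
// Addresses are placeholders; selectors should be confirmed against the
// pool's ABI on Etherscan.

const MAX_UINT256 = (1n << 256n) - 1n;

// Function selector = first 4 bytes of keccak256(signature).
const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)', // ERC-20
  '0xa694fc3a': 'stake(uint256)',           // Synthetix-style StakingRewards
  '0xe9fad8ee': 'exit()',
  '0x3d18b912': 'getReward()',
};

const REVIEWED = {
  token: '0x1111111111111111111111111111111111111111', // placeholder for the staking token (e.g. YFI)
  pool:  '0x2222222222222222222222222222222222222222', // placeholder for the reviewed farming contract
};

function decodeCalldata(data) {
  const hex = (data || '0x').toLowerCase();
  const selector = hex.slice(0, 10);
  const words = [];
  for (let i = 10; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector, words };
}

// Pure check so it can be unit-tested: { ok, reason, warnings }.
function checkTransaction(tx, reviewed) {
  const to = (tx.to || '').toLowerCase();
  const token = reviewed.token.toLowerCase();
  const pool = reviewed.pool.toLowerCase();
  const warnings = [];

  if (BigInt(tx.value || '0x0') !== 0n)
    return { ok: false, reason: 'staking calls should not carry ETH', warnings };

  const { selector, words } = decodeCalldata(tx.data);
  const fn = SELECTORS[selector];
  if (!fn) return { ok: false, reason: `unknown function selector ${selector}`, warnings };

  if (fn.startsWith('approve')) {
    if (to !== token) return { ok: false, reason: `approve() sent to ${tx.to}, not the staking token`, warnings };
    const spender = '0x' + words[0].slice(24); // address is right-aligned in the 32-byte word
    if (spender !== pool) return { ok: false, reason: `approve() spender ${spender} is not the reviewed pool`, warnings };
    if (BigInt('0x' + words[1]) === MAX_UINT256) warnings.push('unlimited approval: the pool could move your whole balance');
    return { ok: true, reason: fn, warnings };
  }
  if (to !== pool) return { ok: false, reason: `${fn} sent to ${tx.to}, not the reviewed pool`, warnings };
  return { ok: true, reason: fn, warnings };
}

// Wrap an EIP-1193 provider so a swapped frontend cannot get a signature.
function guardProvider(provider, reviewed) {
  return {
    async request(args) {
      if (args.method === 'eth_sendTransaction') {
        const verdict = checkTransaction(args.params[0], reviewed);
        if (!verdict.ok) throw new Error(`refused to sign: ${verdict.reason}`);
        verdict.warnings.forEach((w) => console.warn('warning:', w));
      }
      return provider.request(args);
    },
  };
}

// Constructed samples. word() left-pads a value to a 32-byte ABI word.
const word = (v) => v.toString(16).padStart(64, '0');
const SAMPLE_APPROVE = { // approve(pool, 1 token with 18 decimals) sent to the token
  to: REVIEWED.token, value: '0x0',
  data: '0x095ea7b3' + word(BigInt(REVIEWED.pool)) + word(10n ** 18n),
};
const SAMPLE_SWAPPED = { // stake() pointed at an address you never reviewed
  to: '0x3333333333333333333333333333333333333333', value: '0x0',
  data: '0xa694fc3a' + word(10n ** 18n),
};

const stubWallet = { async request(args) { return 'signed ' + args.method; } }; // stand-in for window.ethereum
const guarded = guardProvider(stubWallet, REVIEWED);
guarded.request({ method: 'eth_sendTransaction', params: [SAMPLE_APPROVE] }).then(console.log);
guarded.request({ method: 'eth_sendTransaction', params: [SAMPLE_SWAPPED] }).catch((e) => console.log(e.message));
```

Because the check decodes the calldata, it catches the case the address comparison alone misses: an `approve()` that is correctly sent to the token contract but names a spender other than the reviewed pool. It also surfaces an unlimited approval as a warning, since an approval for "a massive number" means the pool contract, and any bug or backdoor in it, can move your whole balance of that token, not just the amount you staked.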


Quick guide to interacting with Synthetix-style staking contracts via Etherscan and MetaMask. Staking takes two steps: first, approving the contract so it can spend the tokens you are going to stake, and second, staking the tokens.

To approve, we need to go to the contract of the token we are staking (the one we are depositing into the pool, not the one we are farming) on Etherscan, for example YFI. Then we go to the Contract tab, click on Write Contract, and connect a Web3 wallet (such as MetaMask).

[Image: Write Contract tab]

Now we want to send an approval that allows the farming contract to spend our tokens (this is what lets us stake them). Note: never approve unknown contracts, as a malicious contract could drain your funds without you even sending a transaction. So find the approve() function, put the farming contract address in the spender field and an amount in the amount field. Important: this amount is in wei, so you will need to use a wei converter such as https://eth-converter.com/ to find the correct amount to put in (or just enter a massive number and be done with it). The transaction below would authorize the SHRIMP contract to spend up to 1 YFI.

[Image: approval transaction]

Click Write, send the transaction in your wallet and wait for it to confirm. Once it does, we can return to the farming contract to call stake(). Again, you will need to use https://eth-converter.com/ to convert the amount you want to stake to wei. The transaction below would stake 1 YFI.

[Image: stake transaction]
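Both the approve and the stake step above depend on getting the integer amount right. As an added example (not part of the gist), here is an exact converter between a human amount such as "1" or "1.5" and the integer base units that approve() and stake() take, done with BigInt and string arithmetic rather than floating point. It takes the token's decimals as a parameter: the wei converter the gist links assumes 18 decimals, which is correct for ETH and for YFI, but not every token uses 18.

```javascript
// Added example, not code from the gist: exact amount <-> base-units conversion.
// `decimals` should be read from the token contract's decimals() on Etherscan;
// 18 is the default here, 6 is used below for a constructed 6-decimal token.

function toBaseUnits(amount, decimals = 18) {
  if (!/^\d+(\.\d+)?$/.test(amount)) throw new Error(`invalid amount: ${amount}`);
  const [whole, frac = ''] = amount.split('.');
  if (frac.length > decimals) throw new Error(`${amount} has more than ${decimals} decimal places`);
  // Shift the decimal point right by `decimals` places, no rounding anywhere.
  return BigInt(whole + frac.padEnd(decimals, '0'));
}

function fromBaseUnits(units, decimals = 18) {
  const s = units.toString().padStart(decimals + 1, '0'); // guarantee a leading whole digit
  const whole = s.slice(0, s.length - decimals);
  const frac = s.slice(s.length - decimals).replace(/0+$/, '');
  return frac ? `${whole}.${frac}` : whole;
}

// Read the amount back in the form the wallet shows it (hex) and in tokens,
// so what you type into Etherscan's amount field can be double-checked.
function describeAmount(amount, decimals = 18) {
  const units = toBaseUnits(amount, decimals);
  return { units, hex: '0x' + units.toString(16), tokens: fromBaseUnits(units, decimals) };
}

console.log(describeAmount('1'));            // 1 YFI: 1000000000000000000 base units
console.log(describeAmount('1.5'));
console.log(describeAmount('0.000001', 6));  // constructed 6-decimal token: 1 base unit
```

YFI has 18 decimals, so 1 YFI is 1000000000000000000 base units, the figure the gist calls wei. A token with 6 decimals (USDC, for instance) would be off by twelve orders of magnitude if converted at 18, so read decimals() from the token's Read Contract tab before converting, and reject amounts with more fractional digits than the token supports rather than silently truncating them.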


How to exit or claim rewards on Etherscan. This is a lot easier: go to the farming contract on Etherscan and call exit() to withdraw and claim rewards, or getReward() to claim rewards without withdrawing.

[Image: claim transaction]
