cryptoshield 0.2.0__py3-none-any.whl

cryptoshield/phishing.py

@@ -0,0 +1,454 @@
+"""Phishing URL checker — detect crypto scam websites.
+
+Checks against known scam databases and analyzes URL patterns.
+"""
+
+import re
+from urllib.parse import urlparse
+from .utils import fetch_json, print_header, print_ok, print_warn, print_fail, print_info
+
+# Known legitimate domains
+LEGIT_DOMAINS = {
+    "uniswap.org", "app.uniswap.org",
+    "aave.com", "app.aave.com",
+    "opensea.io",
+    "blur.io",
+    "pancakeswap.finance", "pancakeswap.io",
+    "sushi.com",
+    "compound.finance",
+    "makerdao.com",
+    "lido.fi",
+    "curve.fi",
+    "1inch.io",
+    "metamask.io",
+    "phantom.app",
+    "solflare.com",
+    "walletconnect.com",
+    "rainbow.me",
+    "argent.xyz",
+    "rabby.io",
+    "paraswap.io",
+    "dydx.exchange",
+    "gmx.io",
+    "arbitrum.io",
+    "optimism.io",
+    "base.org",
+    "zksync.io",
+    "starknet.io",
+    "layerzero.network",
+    "wormhole.com",
+    "jito.network",
+    "marinade.finance",
+    "jup.ag",
+    "raydium.io",
+    "orca.so",
+    "magic-eden.io",
+    "tensorhq.xyz",
+    "pump.fun",
+    "dextools.io",
+    "dexscreener.com",
+    "etherscan.io",
+    "bscscan.com",
+    "polygonscan.com",
+    "arbiscan.io",
+    "basescan.org",
+    "solscan.io",
+    "coingecko.com",
+    "coinmarketcap.com",
+    "binance.com",
+    "coinbase.com",
+    "kraken.com",
+    "okx.com",
+    "bybit.com",
+    "kucoin.com",
+    "gate.io",
+    "huobi.com",
+    "poloniex.com",
+    "bitfinex.com",
+    "gemini.com",
+    "bitstamp.net",
+    "crypto.com",
+    "eigenlayer.xyz",
+    "stargate.finance",
+    "jumper.exchange",
+    "orbiter.finance",
+    "rhino.fi",
+    "synapseprotocol.com",
+    "multichain.org",
+    "celer.network",
+    "debridge.finance",
+    "li.fi",
+    "socket.tech",
+    "bungee.exchange",
+    "chainlist.org",
+    "revoke.cash",
+    "debank.com",
+    "zapper.fi",
+    "zerion.io",
+    "matcha.xyz",
+    "slingshot.finance",
+    "kwenta.io",
+    "velodrome.finance",
+    "aerodrome.finance",
+    "camelot.exchange",
+    "traderjoexyz.com",
+    "spookyswap.finance",
+    "spiritswap.finance",
+    "beets.fi",
+    "balancer.fi",
+    "frax.finance",
+    "convexfinance.com",
+    "yearn.finance",
+    "synthetix.io",
+    "perp.com",
+    "gains.trade",
+    "mux.network",
+    "aevo.xyz",
+    "premia.finance",
+    "lyra.finance",
+    "hegic.co",
+    "ribbon.finance",
+    "opyn.co",
+    "squeeth.com",
+    "aztec.network",
+    "scroll.io",
+    "linea.build",
+    "mantle.xyz",
+    "manta.network",
+    "connext.network",
+    "across.to",
+    "hop.exchange",
+    "satellite.axelar.network",
+    "squidrouter.com",
+    "chainge.finance",
+}
+
+# Suspicious keywords in URLs
+SCAM_PATTERNS = [
+    r"airdrop",
+    r"claim",
+    r"free",
+    r"bonus",
+    r"reward",
+    r"gift",
+    r"presale",
+    r"pre-sale",
+    r"whitelist",
+    r"mint-free",
+    r"connect-wallet",
+    r"verify",
+    r"restore",
+    r"sync",
+    r"validate",
+    r"update.*wallet",
+    r"security.*alert",
+    r"suspended",
+    r"limited.*time",
+    r"act.*now",
+    r"urgent",
+    r"migration",
+    r"migrate",
+    r"unlock",
+    r"activate",
+    r"confirm.*seed",
+    r"seed.*phrase",
+    r"private.*key",
+    r"recovery",
+    r"support.*chat",
+    r"live.*chat",
+    r"help.*desk",
+    r"fix.*wallet",
+    r"repair",
+    r"rectify",
+    r"resolve.*issue",
+    r"pending.*transaction",
+    r"failed.*transaction",
+    r"stuck.*funds",
+    r"frozen.*account",
+    r"kyc.*verify",
+    r"identity.*verify",
+    r"document.*upload",
+    r"passport",
+    r"driver.*license",
+    r"social.*security",
+    r"tax.*refund",
+    r"gas.*fee.*refund",
+    r"rebate",
+    r"cashback",
+    r"double.*your",
+    r"multiply",
+    r"investment.*opportunity",
+    r"guaranteed.*profit",
+    r"risk.*free",
+    r"passive.*income",
+    r"financial.*freedom",
+    r"early.*access",
+    r"beta.*test",
+    r"exclusive.*offer",
+    r"limited.*supply",
+    r"last.*chance",
+    r"final.*notice",
+    r"action.*required",
+    r"immediate.*attention",
+]
+
+# TLDs commonly used by scammers
+SUSPICIOUS_TLDS = [
+    ".xyz", ".top", ".club", ".buzz", ".click", ".link",
+    ".site", ".online", ".icu", ".work", ".fit", ".monster",
+    ".cfd", ".sbs", ".surf", ".rest", ".cam", ".hair",
+    ".mom", ".lol", ".bond", ".cyou", ".uno", ".sarl",
+    ".mov", ".zip", ".py", ".sh", ".tk", ".ml", ".ga", ".cf", ".gq",
+]
+
+# Known scam domains (community-reported)
+KNOWN_SCAM_DOMAINS = {
+    "uniswap-airdrop.com",
+    "metamask-airdrop.com",
+    "metamask-sync.com",
+    "metamask-restore.com",
+    "metamask-verify.com",
+    "metamask-update.com",
+    "phantom-airdrop.com",
+    "phantom-sync.com",
+    "phantom-restore.com",
+    "arbitrum-airdrop.com",
+    "arbitrum-claim.com",
+    "optimism-airdrop.com",
+    "starknet-airdrop.com",
+    "zksync-airdrop.com",
+    "layerzero-airdrop.com",
+    "eigenlayer-airdrop.com",
+    "jito-airdrop.com",
+    "jupiter-airdrop.com",
+    "blur-airdrop.com",
+    "pudgypenguins-airdrop.com",
+    "apecoin-claim.com",
+    "uniswapv3.com",
+    "app-uniswap.org",
+    "uniswap-app.org",
+    "metamask-download.com",
+    "metamask-extension.com",
+    "metamask-io.com",
+    "metamask-wallet.com",
+    "pancakeswap-finance.com",
+    "aave-protocol.com",
+    "opensea-io.com",
+    "opensea-nft.com",
+    "coinbase-airdrop.com",
+    "binance-airdrop.com",
+    "crypto-com-airdrop.com",
+}
+
+
+def check_url(url: str) -> dict:
+    """Analyze a URL for phishing indicators."""
+    # Normalize URL
+    if not url.startswith("http"):
+        url = "https://" + url
+
+    parsed = urlparse(url)
+    domain = parsed.netloc.lower()
+    if domain.startswith("www."):
+        domain = domain[4:]
+
+    report = {
+        "url": url,
+        "domain": domain,
+        "path": parsed.path,
+        "is_legit": False,
+        "is_suspicious": False,
+        "is_known_scam": False,
+        "indicators": [],
+        "risk_score": 0,
+    }
+
+    # 0. Check known scam domains FIRST
+    base_domain = _get_base_domain(domain)
+    if domain in KNOWN_SCAM_DOMAINS or base_domain in KNOWN_SCAM_DOMAINS:
+        report["is_known_scam"] = True
+        report["is_suspicious"] = True
+        report["indicators"].append({
+            "type": "FAIL",
+            "detail": f"KNOWN SCAM DOMAIN — {domain} is in scam database"
+        })
+        report["risk_score"] = 90
+        return report
+
+    # 1. Check if it's a known legitimate domain
+    if base_domain in LEGIT_DOMAINS or domain in LEGIT_DOMAINS:
+        report["is_legit"] = True
+        report["indicators"].append({"type": "OK", "detail": f"Known legitimate domain: {base_domain}"})
+        report["risk_score"] = 0
+        return report
+
+    report["indicators"].append({"type": "INFO", "detail": f"Unknown domain: {domain}"})
+    report["risk_score"] += 10
+
+    # 2. Check for typosquatting (similar to legit domains)
+    for legit in LEGIT_DOMAINS:
+        similarity = _domain_similarity(domain, legit)
+        if similarity > 0.7 and similarity < 1.0:
+            report["is_suspicious"] = True
+            report["indicators"].append({
+                "type": "FAIL",
+                "detail": f"Possible typosquat of {legit} (similarity: {similarity:.0%})"
+            })
+            report["risk_score"] += 30
+
+    # 3. Check for scam patterns in URL
+    full_url = url.lower()
+    matched_patterns = []
+    for pattern in SCAM_PATTERNS:
+        if re.search(pattern, full_url):
+            matched_patterns.append(pattern)
+
+    if matched_patterns:
+        report["is_suspicious"] = True
+        if len(matched_patterns) == 1:
+            report["indicators"].append({
+                "type": "WARN",
+                "detail": f"Suspicious pattern: '{matched_patterns[0]}' in URL"
+            })
+            report["risk_score"] += 10
+        else:
+            report["indicators"].append({
+                "type": "FAIL",
+                "detail": f"Multiple suspicious patterns ({len(matched_patterns)}): {', '.join(matched_patterns[:3])}"
+            })
+            report["risk_score"] += 15 * len(matched_patterns)
+
+    # 4. Check TLD
+    tld = "." + domain.split(".")[-1]
+    if tld in SUSPICIOUS_TLDS:
+        report["indicators"].append({
+            "type": "WARN",
+            "detail": f"Suspicious TLD: {tld}"
+        })
+        report["risk_score"] += 5
+
+    # 5. Check for IP address instead of domain
+    if re.match(r"^\d+\.\d+\.\d+\.\d+", domain):
+        report["is_suspicious"] = True
+        report["indicators"].append({
+            "type": "FAIL",
+            "detail": "IP address used instead of domain name"
+        })
+        report["risk_score"] += 25
+
+    # 6. Check for excessive subdomains
+    subdomain_count = domain.count(".") - 1
+    if subdomain_count > 2:
+        report["is_suspicious"] = True
+        report["indicators"].append({
+            "type": "WARN",
+            "detail": f"Excessive subdomains ({subdomain_count})"
+        })
+        report["risk_score"] += 10
+
+    # 7. Check for punycode (IDN homograph attack)
+    if "xn--" in domain:
+        report["is_suspicious"] = True
+        report["indicators"].append({
+            "type": "FAIL",
+            "detail": "Punycode domain — possible IDN homograph attack"
+        })
+        report["risk_score"] += 20
+
+    # 8. Check domain length
+    if len(domain) > 30:
+        report["indicators"].append({
+            "type": "WARN",
+            "detail": f"Very long domain name ({len(domain)} chars)"
+        })
+        report["risk_score"] += 5
+
+    # 9. Check for hyphens (common in phishing)
+    if domain.count("-") > 2:
+        report["indicators"].append({
+            "type": "WARN",
+            "detail": f"Multiple hyphens in domain ({domain.count('-')} hyphens)"
+        })
+        report["risk_score"] += 5
+
+    # 10. Check for brand names in non-brand domains
+    brand_domains = ["uniswap", "metamask", "phantom", "aave", "opensea", "blur",
+                     "pancakeswap", "sushi", "compound", "lido", "curve", "binance",
+                     "coinbase", "kraken", "okx", "bybit", "arbitrum", "optimism",
+                     "zksync", "starknet", "eigenlayer", "jito", "jupiter", "raydium"]
+    for brand in brand_domains:
+        if brand in domain and base_domain not in LEGIT_DOMAINS:
+            report["is_suspicious"] = True
+            report["indicators"].append({
+                "type": "FAIL",
+                "detail": f"Brand name '{brand}' in non-official domain"
+            })
+            report["risk_score"] += 25
+            break
+
+    # Cap score
+    report["risk_score"] = min(report["risk_score"], 100)
+
+    if report["risk_score"] >= 40:
+        report["is_suspicious"] = True
+
+    return report
+
+
+def print_phishing_report(report: dict):
+    """Pretty-print URL check results."""
+    print_header(f"PHISHING CHECK — {report['domain']}")
+
+    if report.get("is_known_scam"):
+        print_fail("🚨 KNOWN SCAM DOMAIN — DO NOT VISIT")
+        for ind in report["indicators"]:
+            print_fail(ind["detail"])
+        return
+
+    if report["is_legit"]:
+        print_ok("Known legitimate domain")
+        return
+
+    for ind in report["indicators"]:
+        if ind["type"] == "OK":
+            print_ok(ind["detail"])
+        elif ind["type"] == "WARN":
+            print_warn(ind["detail"])
+        elif ind["type"] == "FAIL":
+            print_fail(ind["detail"])
+        else:
+            print_info(ind["detail"])
+
+    print()
+    score = report["risk_score"]
+    if score <= 20:
+        print_ok(f"Risk Score: {score}/100 — Likely safe")
+    elif score <= 50:
+        print_warn(f"Risk Score: {score}/100 — Suspicious — verify carefully")
+    else:
+        print_fail(f"Risk Score: {score}/100 — HIGH RISK — likely phishing")
+
+
+def _get_base_domain(domain: str) -> str:
+    """Extract base domain (e.g., app.uniswap.org → uniswap.org)."""
+    parts = domain.split(".")
+    if len(parts) >= 2:
+        return ".".join(parts[-2:])
+    return domain
+
+
+def _domain_similarity(a: str, b: str) -> float:
+    """Simple character-level similarity between two domains."""
+    a_base = _get_base_domain(a)
+    b_base = _get_base_domain(b)
+
+    if a_base == b_base:
+        return 1.0
+
+    # Levenshtein-like ratio
+    longer = max(len(a_base), len(b_base))
+    if longer == 0:
+        return 1.0
+
+    matches = sum(1 for x, y in zip(a_base, b_base) if x == y)
+    return matches / longer

cryptoshield/rugpull.py

@@ -0,0 +1,141 @@
+"""Rugpull risk scorer — analyze contracts for common rug patterns.
+
+Combines on-chain data + heuristics to calculate a risk score.
+"""
+
+from web3 import Web3
+from .utils import (
+    get_web3, checksum, ERC20_ABI, label_address,
+    print_header, print_ok, print_warn, print_fail, print_info,
+)
+from .honeypot import check_honeypot
+
+
+def analyze_rugpull(address: str, chain: str = "eth") -> dict:
+    """Analyze a token contract for rugpull risk."""
+    w3 = get_web3(chain)
+    addr = checksum(address)
+
+    report = {
+        "address": addr,
+        "chain": chain,
+        "checks": [],
+        "score": 0,
+        "risk_level": "UNKNOWN",
+    }
+
+    contract = w3.eth.contract(address=addr, abi=ERC20_ABI)
+
+    # 1. Check if contract is verified (has code)
+    code = w3.eth.get_code(addr)
+    if code == b"" or code == b"0x":
+        report["checks"].append({"name": "Contract Code", "status": "FAIL", "detail": "No contract code — not a contract"})
+        report["score"] += 50
+    else:
+        report["checks"].append({"name": "Contract Code", "status": "OK", "detail": f"{len(code)} bytes deployed"})
+
+    # 2. Check if owner is renounced
+    try:
+        owner = contract.functions.owner().call()
+        zero = "0x0000000000000000000000000000000000000000"
+        dead = "0x000000000000000000000000000000000000dEaD"
+        if owner.lower() in (zero, dead):
+            report["checks"].append({"name": "Ownership", "status": "OK", "detail": "Owner renounced"})
+        else:
+            report["checks"].append({"name": "Ownership", "status": "WARN", "detail": f"Owner: {label_address(owner)}"})
+            report["score"] += 10
+    except Exception:
+        report["checks"].append({"name": "Ownership", "status": "INFO", "detail": "No owner function (could be good or bad)"})
+
+    # 3. Check total supply concentration
+    try:
+        total_supply = contract.functions.totalSupply().call()
+        if total_supply > 0:
+            report["checks"].append({"name": "Total Supply", "status": "INFO", "detail": f"{total_supply:,}"})
+        else:
+            report["checks"].append({"name": "Total Supply", "status": "FAIL", "detail": "Zero supply"})
+            report["score"] += 20
+    except Exception:
+        report["checks"].append({"name": "Total Supply", "status": "FAIL", "detail": "Cannot read supply"})
+
+    # 4. Check liquidity (look for LP tokens)
+    # This is a simplified check — real check would scan DEX pairs
+    report["checks"].append({"name": "Liquidity", "status": "INFO", "detail": "Check manually on DEX Screener"})
+
+    # 5. Get GoPlus data for additional checks
+    goplus = check_honeypot(addr, chain)
+    if "error" not in goplus:
+        if goplus.get("is_honeypot"):
+            report["score"] += 40
+            report["checks"].append({"name": "Honeypot", "status": "FAIL", "detail": "Token is a honeypot"})
+        else:
+            report["checks"].append({"name": "Honeypot", "status": "OK", "detail": "Not a honeypot"})
+
+        if not goplus.get("is_open_source"):
+            report["score"] += 15
+            report["checks"].append({"name": "Source Code", "status": "FAIL", "detail": "Not verified"})
+        else:
+            report["checks"].append({"name": "Source Code", "status": "OK", "detail": "Verified on explorer"})
+
+        if goplus.get("is_proxy"):
+            report["score"] += 5
+            report["checks"].append({"name": "Proxy", "status": "WARN", "detail": "Proxy contract — logic can change"})
+
+        if goplus.get("selfdestruct"):
+            report["score"] += 15
+            report["checks"].append({"name": "Self-Destruct", "status": "FAIL", "detail": "Has selfdestruct function"})
+
+        if goplus.get("hidden_owner"):
+            report["score"] += 10
+            report["checks"].append({"name": "Hidden Owner", "status": "FAIL", "detail": "Hidden owner detected"})
+
+        if goplus.get("owner_can_mint"):
+            report["score"] += 10
+            report["checks"].append({"name": "Mintable", "status": "WARN", "detail": "Owner can mint new tokens"})
+
+        holder_count = goplus.get("holder_count", 0)
+        if holder_count:
+            report["checks"].append({"name": "Holders", "status": "INFO", "detail": f"{holder_count:,} holders"})
+
+    # Cap score at 100
+    report["score"] = min(report["score"], 100)
+
+    # Risk level
+    if report["score"] <= 20:
+        report["risk_level"] = "LOW"
+    elif report["score"] <= 50:
+        report["risk_level"] = "MEDIUM"
+    elif report["score"] <= 75:
+        report["risk_level"] = "HIGH"
+    else:
+        report["risk_level"] = "CRITICAL"
+
+    return report
+
+
+def print_rugpull_report(report: dict):
+    """Pretty-print rugpull analysis."""
+    print_header(f"RUGPULL SCORE — {report['address'][:6]}...{report['address'][-4:]}")
+
+    for check in report["checks"]:
+        status = check["status"]
+        name = check["name"]
+        detail = check["detail"]
+        if status == "OK":
+            print_ok(f"{name}: {detail}")
+        elif status == "WARN":
+            print_warn(f"{name}: {detail}")
+        elif status == "FAIL":
+            print_fail(f"{name}: {detail}")
+        else:
+            print_info(f"{name}: {detail}")
+
+    print()
+    score = report["score"]
+    level = report["risk_level"]
+    if level == "LOW":
+        print_ok(f"Risk Score: {score}/100 — {level} RISK")
+    elif level == "MEDIUM":
+        print_warn(f"Risk Score: {score}/100 — {level} RISK")
+    else:
+        print_fail(f"Risk Score: {score}/100 — {level} RISK")