DBA token: scam or not? Story how usual scam checks fail

Investigation

Yesterday one of our telegram users asked if DBA (Digital Bank of Africa) token (0x1006EA3289b833B6720AAA82746990ec77De8c36) is legit.

We’ve never heard about it before.

We started our investigation from base steps that are recommended for everyone:

• check contract code audit (our web app makes it through credible Slither library)
• re-check on tokensniffer and similar scam detectors

Our score was 58 out of 100 and has detected some vulnerabilities in the contract. They were not fatal.

Today about 95% of new BSC tokens are scams — so it’s important to double check yourself. We’ve re-checked using TokenSniffer:

TokenSniffer check

Some issues seemed important:

• The source code contains a Pausable contract which could potentially allow transfers to be halted.
• The owner wallet contains a substantial amount of tokens which could have a large impact on the token price if sold.
• Not enough liquidity is locked/burned which could allow for significant amounts to be removed (rug pull).

btw NOTE: the last liquidity test checks only PancakeSwap v2.

From analysis above it seems that Developers can remove all liquidity at any time they want. Usually this is a clear sure of a SCAM.

Our client was also worried:

Poocoin showed low liquidity pool and huge capitalization.

Poocoin Market Cap / Luquidity Pool

Again, usually this indicates a scam. Nevertheless, sometimes developers are not proficient enough with all these tests or have other reasons to fail them. This is why it’s important to investigate not only contract code, but also website, social networks and other factors.

We’ve continued our analysis.

One of the first good signs was listing on 2 CEX (CEX usually does due diligence and thus listing there is an important sign).

CEX listings from CMC

Then we looked at website and google search results:

1. Scamadviser gave it a very high score: https://www.scamadviser.com/check-website/dafribank.com
2. Company has received a lot of coverage in media
3. Company existed for a long time and was not registered recently

scamadviser

The only problem was that site did not reference contract address directly. So we had our doubts about name spoofing (wiki link).

We’ve made a google search only on the site and found a couple of links to their token:

We’ve also recommended our client to write to this Bank directly. He did it and results were fine:

CONCLUSION

So, what can we learn?

1. while standard checks (contract audit, ownership renounced, holders, liquidity) are effective for meme coins — they may fail for solid companies
2. you always have to investigate if there is a real business behind the token (from website, official social media, google search)
3. look for proof links that connect good company with the token directly: name spoofing is widespread these days
4. don’t be shy to ask managers/developers about their token

LSR continuously works on scoring improvements. And one of important features that we’re trying to do is to customize score according to business area (meme coin, DeFI, IOT, gaming, etc.) and life cycle stage (seed, startup, mature, etc.) of a token.

DBA case clearly shows that different tokens require different factor importance weights.

SAFU, DYOR, stay tuned and have a nice day!