This is very interesting, thanks! It reminds me of a friend's adventure: he found a contract containing some ETH that could be called with some more ETH and would send the entire sum back to the caller. He analyzed it a bunch of ways to make sure it wasn't a scam, and then sent some ETH to it.
It was a scam.
I wonder how it was done. Etherscan didn't show anything, and compiling it led to a few bytes of difference between what was compiled and what was deployed.
There are so many clever ways to code honeypots using obscure peculiarities of Solidity and/or Etherscan that there's little hope of being sure that it isn't a scam just by looking at the code and transaction history.
Fortunately, there are tools like Ganache, which you can run with `ganache-cli --fork` to reliably emulate locally what will happen when transactions are sent to mainnet. I would accept no substitute approach when dealing with suspect contracts.
Interesting, it might use a flaw in the Etherscan contract verification[1]. But in any case, when you expect a honeypot you can and should execute the contract off-chain[2] and examine the resulting state (specifically your account balances) before committing a real transaction. Wallets should really do this by default, but unfortunately there don't seem to be a lot of resources available for common goods projects like wallets, so we are stuck with primitive tools.
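The check the two comments above describe (run the transaction on a local fork, then compare your balance before and after) as an added example that is not code from anyone in the thread. It assumes a hypothetical `rpc(method, params)` transport pointed at a node started with `ganache-cli --fork`, an unlocked sender account, auto-mining, and a legacy `gasPrice` transaction; the mock fork and all addresses are constructed so the block runs offline.

```javascript
// Added example: dry-run a deposit on a local fork and measure who keeps the ether.
// `rpc(method, params)` is a hypothetical transport resolving to the JSON-RPC result.
const hex = (n) => "0x" + BigInt(n).toString(16);

// Pure verdict from balances around the call. Gas is added back so the result
// reflects only what the contract did with the deposit.
function assess(beforeWei, afterWei, receipt, gasPriceWei) {
  const gasCost = BigInt(receipt.gasUsed) * BigInt(gasPriceWei);
  const netWei = BigInt(afterWei) - BigInt(beforeWei) + gasCost;
  if (BigInt(receipt.status) === 0n) return { verdict: "reverted", netWei };
  const verdict = netWei > 0n ? "paid-out" : netWei === 0n ? "no-change" : "funds-kept";
  return { verdict, netWei };
}

// Sends the deposit on the fork (never on mainnet) and inspects the resulting state.
async function probeOnFork(rpc, { from, to, valueWei, data = "0x", gasPriceWei }) {
  const before = await rpc("eth_getBalance", [from, "latest"]);
  const tx = { from, to, data, value: hex(valueWei), gasPrice: hex(gasPriceWei) };
  const txHash = await rpc("eth_sendTransaction", [tx]);
  const receipt = await rpc("eth_getTransactionReceipt", [txHash]);
  if (!receipt) throw new Error("no receipt yet: the fork is not auto-mining");
  const after = await rpc("eth_getBalance", [from, "latest"]);
  return assess(before, after, receipt, gasPriceWei);
}

// Constructed stand-in for a fork endpoint: the "contract" accepts the deposit
// and pays nothing back, which is how a honeypot looks from the caller's side.
function mockHoneypotFork(startWei, gasUsed = 30000n) {
  let balance = BigInt(startWei);
  let lastReceipt = null;
  return async (method, [arg]) => {
    if (method === "eth_getBalance") return hex(balance);
    if (method === "eth_sendTransaction") {
      balance -= BigInt(arg.value) + gasUsed * BigInt(arg.gasPrice);
      lastReceipt = { status: "0x1", gasUsed: hex(gasUsed) };
      return "0x" + "ab".repeat(32); // constructed transaction hash
    }
    if (method === "eth_getTransactionReceipt") return lastReceipt;
    throw new Error("unexpected method " + method);
  };
}
```

A `funds-kept` verdict on a successful (non-reverted) transaction is the case that source review alone can miss: the call succeeds, and the deposit stays in the contract.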