Coinfirm documents interesting or high-profile frauds and hacks that have recently happened and been reported into our networks, to show how Coinfirm can help track and prevent them in the future. Today we investigate Oyster Pearl and exit scams.
This week we cover one of the simplest, yet most notorious, frauds in the crypto space: exit scams. An exit scam revolves around tricking people into investing in your project and then using your reputation to get hold of the invested assets. The next step is usually faking a hack and/or a government intervention that is supposed to explain the sudden disappearance of funds, followed by the vanishing of the company’s and its employees’ sites and profiles. One of the most memorable examples in the crypto world is the infamous Bitconnect Ponzi scheme, which in January this year ran away with nearly $2.5 billion in customers’ Bitcoins, leaving those customers with worthless tokens.
On October 29th, one of the founders and project designers of the Oyster Protocol project, a person under the pseudonym “Bruno Block”, used a trapdoor function in the project’s smart contract to mint new tokens. After that, all of the fresh PRL tokens were transferred to KuCoin, a fairly popular, Singapore-registered cryptocurrency exchange, where they were sold for approximately $300,000.
The smart contract breach was fairly easy to execute, as the attacker was the same person who designed the contract. Despite claims of passing several audits, the code still had a “Director Lock” function set to “false”, which means that one person with director permissions is able to easily make changes. This vulnerability (pictured above) was intentionally left in place after Bruno insisted on it being essential. Unfortunately, it made it possible for him to change the line responsible for token sales (pictured below).
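The mechanism described above, as a simplified Python model added here for illustration (it is not the Oyster Pearl contract's code). The class, method names and sale rate are hypothetical; the model only shows why a director lock left at "false" lets a closed sale be reopened, and how engaging the lock removes that power.

```python
class TokenSale:
    """Simplified model of a token contract with a director role (hypothetical names)."""

    def __init__(self, director):
        self.director = director
        self.director_lock = False  # False leaves director powers active
        self.sale_closed = False
        self.total_supply = 0

    def _require_director(self, caller):
        # Director-only calls succeed only while the lock has not been engaged.
        if caller != self.director or self.director_lock:
            raise PermissionError("director powers unavailable")

    def self_lock(self, caller):
        """Hardened path: the director gives up these powers for good."""
        self._require_director(caller)
        self.director_lock = True

    def close_sale(self, caller):
        self._require_director(caller)
        self.sale_closed = True

    def open_sale(self, caller):
        self._require_director(caller)
        self.sale_closed = False

    def buy(self, units_paid, rate=5000):  # rate is a constructed value
        """The sale mints new tokens, so an open sale means a growing supply."""
        if self.sale_closed:
            raise RuntimeError("sale is closed")
        self.total_supply += units_paid * rate
        return units_paid * rate


def supply_after_reopen_attempt(lock_engaged):
    """Sell, close, optionally lock, then have the director try to reopen and mint."""
    c = TokenSale(director="director")
    c.buy(10)
    c.close_sale("director")
    supply_at_close = c.total_supply
    if lock_engaged:
        c.self_lock("director")
    try:
        c.open_sale("director")
        c.buy(1)
    except PermissionError:
        pass  # lock engaged: the sale stays closed and nothing is minted
    return supply_at_close, c.total_supply
```

A reviewer checking a deployed token for this pattern would confirm that the lock flag is already engaged on-chain, not merely that a locking function exists in the source.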
The Oyster Pearl team, having seen what happened, has issued a statement claiming that they are working on a solution to clone the token contract and issue a rollback. They’ve also provided the addresses used for the attack, which were immediately submitted to us. Unfortunately, the attacker, a pseudonymous party despite working so closely with this project, has completely vanished, leaving little to no trail. The losses were approximated at nearly $0.5 million.
Whenever an attack like this occurs, anyone can report it through the AML Platform at https://platform.coinfirm.io. The submitted data is then analyzed and processed by our team. Flagging actions like these helps us fight malicious actors in the crypto space, as seen below in the Coinfirm AML Risk Report created for the Oyster Protocol contract breach address:
The Coinfirm Team