Oyster Protocol is a hybrid IOTA/Ethereum smart contract platform designed to help websites earn revenue. Instead of showing traditional advertising, a website's visitors contribute their computing resources, and the site owner earns Oyster Pearls (PRL) for securing and contributing to the services Oyster offers. PRL, an ERC-20 token running on Ethereum, has been listed on the crypto exchange KuCoin since December.
Bruno Block’s Trapdoor
Yesterday William Cordes, CEO of Oyster, announced that the project's original designer, Bruno Block, had carried out some events of extreme intrigue. According to Cordes, Block used a function within the Oyster smart contract, one he had insisted must remain in the live code, to make himself "director" and thereby mint new tokens, at least 3 million of them, which he subsequently moved to KuCoin and sold to the tune of at least $300,000.
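The failure described here is a governance trapdoor rather than a coding bug: a privileged "director" role that can be handed to any address instantly and that can create tokens without limit, so an auditor reading the code sees intended behaviour, not a defect. The constructed Solidity below, added for this article and not the Oyster/PRL contract (all contract and function names are assumptions), shows that pattern in `TrapdoorToken` beside a `BoundedToken` variant that keeps the same operational need, adjusting supply over time, while making it bounded and observable: a hard supply cap, a per-epoch mint rate limit, a two-step director transfer with a public delay, and the ability to renounce the role for good.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example: a minimal token with an unbounded "director" trapdoor.
// Not the Oyster/PRL contract; names and parameters are assumptions.
contract TrapdoorToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    address public director;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event DirectorTransferred(address indexed from, address indexed to);

    modifier onlyDirector() { require(msg.sender == director, "not director"); _; }

    constructor() { director = msg.sender; }

    // Directorship moves to any address in one transaction; holders and
    // exchanges learn about it only after the fact.
    function transferDirector(address newDirector) external onlyDirector {
        emit DirectorTransferred(director, newDirector);
        director = newDirector;
    }

    // "Adjusting the peg": the director can create tokens without any cap.
    function mint(address to, uint256 amount) external onlyDirector {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// Hardened variant: same capability, but capped, rate-limited, delayed and logged.
contract BoundedToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    address public director;
    address public pendingDirector;
    uint256 public directorChangeTime;              // earliest time the pending director may accept
    uint256 public constant DIRECTOR_DELAY = 7 days; // public notice period for a role change

    uint256 public immutable maxSupply;             // hard ceiling, fixed at deployment
    uint256 public constant EPOCH = 30 days;
    uint256 public constant MINT_BPS_PER_EPOCH = 200; // at most 2% of supply per epoch
    uint256 public epochStart;
    uint256 public mintedThisEpoch;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event DirectorProposed(address indexed current, address indexed proposed, uint256 readyAt);
    event DirectorTransferred(address indexed from, address indexed to);
    event Minted(address indexed by, address indexed to, uint256 amount);

    modifier onlyDirector() { require(msg.sender == director, "not director"); _; }

    constructor(uint256 maxSupply_, uint256 initialSupply) {
        require(initialSupply <= maxSupply_, "initial supply above cap");
        director = msg.sender;
        maxSupply = maxSupply_;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        epochStart = block.timestamp;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // Step 1: announce the change on-chain; the delay gives everyone time to react.
    function proposeDirector(address newDirector) external onlyDirector {
        pendingDirector = newDirector;
        directorChangeTime = block.timestamp + DIRECTOR_DELAY;
        emit DirectorProposed(director, newDirector, directorChangeTime);
    }

    // Step 2: only the proposed address can claim the role, and only after the delay.
    function acceptDirector() external {
        require(msg.sender == pendingDirector, "not pending director");
        require(block.timestamp >= directorChangeTime, "delay not elapsed");
        emit DirectorTransferred(director, msg.sender);
        director = msg.sender;
        pendingDirector = address(0);
    }

    // Close the trapdoor permanently once the peg no longer needs adjusting.
    function renounceDirector() external onlyDirector {
        emit DirectorTransferred(director, address(0));
        director = address(0);
        pendingDirector = address(0);
    }

    // Minting stays possible but cannot exceed the cap or the per-epoch budget.
    function mint(address to, uint256 amount) external onlyDirector {
        if (block.timestamp >= epochStart + EPOCH) {
            epochStart = block.timestamp;
            mintedThisEpoch = 0;
        }
        require(totalSupply + amount <= maxSupply, "exceeds max supply");
        uint256 budget = totalSupply * MINT_BPS_PER_EPOCH / 10000;
        require(mintedThisEpoch + amount <= budget, "exceeds epoch mint budget");
        mintedThisEpoch += amount;
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(msg.sender, to, amount);
        emit Transfer(address(0), to, amount);
    }
}
```

The point of the hardened form is that none of its limits depend on trusting the director: the cap and rate limit bound the damage a compromised or malicious key can do in one go, the seven-day two-step transfer turns a silent role change into a public event that an exchange can watch for before accepting deposits, and `renounceDirector` lets the team close the door once the stated reason for keeping it open no longer applies. An audit that merely confirms the code does what it says would pass `TrapdoorToken`; a review that asks who can do what, and how much, and how fast, would not.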
“Despite Oyster passing three separate smart contract audits, we were told by Bruno Block, the original founder and chief architect of the project, that the directorship of the token contract had to remain open so that the peg could be adjusted over time. This ultimately turned out to be a trapdoor mechanism in the contract that was eventually exploited. This contract was written by Bruno Block prior to the ICO, at which point Bruno was the only member of the team. We relied on the auditors involved here for assurance that the smart contract was safe. Bruno was the only one who had the ability to transfer directorship within the PRL smart contract. After our initial review, we are inclined to believe that these were solely the actions of Bruno Block and that he did this now to avoid detection from KuCoin KYC procedures (that will be implemented on November 1st). These KYC procedures would have limited withdrawals on Non-KYC’ed accounts to no more than 2 BTC per day and would have prevented this from happening. This was well-orchestrated and well-executed (at a time when he knew a majority of the KC team would be offline). This also caught the entire team outside of Bruno Block by surprise, as the team collectively holds ~5% of the total supply in personal wallets. The team has been working tirelessly on this since day 1, without pay at some points in time. This project has been built on the back of hard work and raw determination and we will not let Bruno’s role as a bad actor in all of this undermine a project that the entire rest of the team is completely devoted to.”
According to Oyster's investigation, the attack culminated in tokens being created and issued to the Ethereum address 0x0001Ee57Bb28415742248d946D35C7f87cfd5A54. The coins were then sent to the exchange, where sales and withdrawals were completed before the exchange and Oyster's team could put a stop to them. As the image below shows, all of the transactions took place within a period of about 6 hours.
The bitcoin address associated with the withdrawals from KuCoin has received much more than $300,000 in BTC. Over the course of 22 deposits, all on the same day, the address received more than 70 BTC (over $400,000). Where the coins went from there is unclear, but it is safe to presume the exit scammer has tried to convert his gains into a more readily spendable form, say paper cash.
The post on the subject makes clear that investor tokens are "safe," but it unfortunately does not account for the fact that the value of every existing token has been diluted by the arbitrary creation of millions of new tokens for the sole purpose of fraudulent enrichment. Oyster also promises to try to make the traders on KuCoin, people who unknowingly bought fraudulently minted coins, whole.
“In the interim, our team will be working around the clock to remedy this situation. We don’t know why Bruno did what he did or what his intentions were at the end of the day, outside of profiting from a loophole that he intentionally left in the smart contract. While I still take full responsibility for this all transpiring, I had no reason to believe Bruno would do something like this to harm the project and much of the work that he had a significant role in creating. We will not let his selfish actions today damage the long-term viability of the project.”
No word has surfaced from Bruno Block. A heist worth less than $1 million in total is hardly enough to disappear on forever, and, more importantly, he will surely have the authorities on his trail before long. Interestingly, William Cordes's post makes no mention of having contacted the authorities, but the crypto exchange KuCoin will be obliged to do so.