KuCoin is a cryptocurrency spot trading platform supporting Bitcoin, Ethereum, NEO, EOS, USDT, KCS and Oyster Pearls (PRL). The exchange found itself caught up in a $300,000 scam involving the ERC-20 token PRL, carried out through a backdoor in the token's contract.
The Oyster Protocol, a smart contract platform for generating website revenue, offers website owners an alternative to the standard practice of advertising. Websites on the Oyster Protocol earn revenue from visitors who lend out their computer processing power to Oyster's services, and the site owner receives Oyster Pearls in return.
William Cordes, CEO of Oyster and formerly the company's CFO, announced via the company's Medium blog that the scam used the transferDirector function on the Oyster Protocol token contract. This in turn implicated the original CEO and designer of the Oyster Protocol, the pseudonymous "Bruno Block". Back in June of this year, Block had stepped down to "focus exclusively on protocol architecture", leaving Cordes to apply his business acumen to growing the company. As part of that handover, Block insisted that the function used in the exploit remain in the live code so that he could continue to mint new tokens. Block then minted 3 million tokens, which he transferred to KuCoin and sold for around $300,000.
Cordes wrote in the blog about the hardship the team endured to reach this point, only to have a "bad actor" bring it all down. He detailed the digital heist and how Block orchestrated the maneuver:
“Despite Oyster passing three separate smart contract audits, we were told by Bruno Block, the original founder and chief architect of the project, that the directorship of the token contract had to remain open so that the peg could be adjusted over time. This ultimately turned out to be a trapdoor mechanism in the contract that was eventually exploited. This contract was written by Bruno Block prior to the ICO, at which point Bruno was the only member of the team. We relied on the auditors involved here for assurance that the smart contract was safe. Bruno was the only one who had the ability to transfer directorship within the PRL smart contract. After our initial review, we are inclined to believe that these were solely the actions of Bruno Block and that he did this now to avoid detection from KuCoin KYC procedures (that will be implemented on November 1st). These KYC procedures would have limited withdrawals on Non-KYC’ed accounts to no more than 2 BTC per day and would have prevented this from happening. This was well-orchestrated and well-executed (at a time when he knew a majority of the KC team would be offline). This also caught the entire team outside of Bruno Block by surprise, as the team collectively holds ~5% of the total supply in personal wallets. The team has been working tirelessly on this since day 1, without pay at some points in time. This project has been built on the back of hard work and raw determination and we will not let Bruno’s role as a bad actor in all of this undermine a project that the entire rest of the team is completely devoted to.”
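As an added illustration (not Oyster's actual PRL contract, which this article does not reproduce), the two minimal contracts below sketch the "open directorship" pattern Cordes describes beside a hardened form; apart from transferDirector, the contract and function names are assumed, and transfer logic is omitted to keep the focus on the mint privilege.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example of the risky pattern: one privileged account keeps an
// unbounded mint and can hand the role to any address, so whoever holds the
// directorship can inflate supply at will, diluting every other holder.
contract OpenDirectorToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public director;

    constructor() { director = msg.sender; }

    modifier onlyDirector() { require(msg.sender == director, "not director"); _; }

    // Directorship can be moved to any address, including a fresh one.
    function transferDirector(address newDirector) external onlyDirector { director = newDirector; }

    // Nothing bounds how much, or how often, the director may mint.
    function mint(address to, uint256 amount) external onlyDirector {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Hardened variant (assumed design): a hard supply cap, a per-day mint budget
// visible on-chain, and a one-way renounce so the privilege can be closed after launch.
contract CappedDirectorToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 public immutable maxSupply;
    uint256 public immutable mintPerDay;
    uint256 public mintedToday;
    uint256 public dayStart;
    address public director; // address(0) once renounced

    constructor(uint256 cap, uint256 dailyBudget) {
        director = msg.sender; maxSupply = cap; mintPerDay = dailyBudget; dayStart = block.timestamp;
    }

    modifier onlyDirector() { require(msg.sender == director, "not director"); _; }

    function mint(address to, uint256 amount) external onlyDirector {
        if (block.timestamp >= dayStart + 1 days) { dayStart = block.timestamp; mintedToday = 0; }
        require(mintedToday + amount <= mintPerDay, "exceeds daily mint budget");
        require(totalSupply + amount <= maxSupply, "exceeds max supply");
        mintedToday += amount; totalSupply += amount; balanceOf[to] += amount;
    }

    // Irreversible: once called, no account can ever mint again.
    function renounceDirector() external onlyDirector { director = address(0); }
}
```

Even with the hardened contract, a peg that genuinely needs adjustment over time is better served by a multisig or timelocked governance address as director than by a single key, so that a mint is visible before it lands.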
The criminal issued the new, illicit tokens to the Ethereum address 0x0001Ee57Bb28415742248d946D35C7f87cfd5A54, then sent them to KuCoin, where they were sold and withdrawn before anyone was made aware. The sale netted the hacker around $300,000, but the address tied to the crime showed that it had received more than 70 BTC (around $400,000) within 24 hours. The final destination and beneficiary can only be speculated on; most likely the gains were converted to fiat money.
While client funds are technically safe, holders will nevertheless feel the blowback of a market saturated with the newly minted coins, which dilutes their holdings substantially. Bruno Block's whereabouts have yet to be determined.