• Fraudsters drained $2.5M in crypto exit scam, according to a report by blockchain security company CertiK.
• The scam was made possible by a backdoor in the ‘Start Trading’ function of two recently created contracts – CirculateBUSD and CirculateWBNB.
• The funds were bridged to Ethereum and deposited into the OFAC-sanctioned coin mixer, Tornado Cash.
In the crypto industry, scams, exploits, and hacks have become increasingly common. Just two weeks into the new year, malicious entities have already started taking advantage of unsuspecting users. According to the latest update by the blockchain security company CertiK, two recently created contracts – CirculateBUSD and CirculateWBNB – have been exploited in what appears to be an exit scam.
In a statement, CertiK said that the creators of the two contracts pulled off the scam by draining $2.5 million worth of tokens. The company explained that the incident was made possible by a backdoor in the ‘Start Trading’ function: that function made calls to a malicious, unverified contract, which enabled the fraudulent transfer of funds to an Ethereum address. The funds were then transferred to the OFAC-sanctioned coin mixer, Tornado Cash.
The CertiK team also added that the backdoor let the malicious actors sidestep the contracts' existing security measures, namely the blacklist and the whitelist, and with them the multi-signature feature, so the scam could be executed without obstruction.
CertiK further stated that the malicious actors had exploited a vulnerability in the code of the two contracts, which allowed them to call the malicious contract. The team also added that the malicious contract had not been audited and was not among the contracts covered by the audit.
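The pattern CertiK describes (a privileged "start trading" function that hands control to an owner-chosen, unverified contract, so that blacklist, whitelist and multi-signature checks never come into play) is a standard centralization finding in a token audit. The following Solidity is an added, constructed illustration written from an auditor's point of view; it is not code from CirculateBUSD, CirculateWBNB or CertiK, and the contract and function names (`RiskyPool`, `GuardedPool`, `ITradingHelper`, `startTrading`) are assumptions chosen for the example. It places the red-flag shape beside a hardened shape in which the same function can only flip a flag.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed illustration for review purposes: names and structure are assumed,
// not taken from the CirculateBUSD / CirculateWBNB contracts.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Whatever implements this is chosen by the caller; nothing forces it to be verified.
interface ITradingHelper {
    function onTradingStarted(address token) external;
}

// RED FLAG: startTrading takes an arbitrary address, exempts it from the transfer
// restrictions and hands it the pooled balance. The blacklist is enforced only on the
// user-facing withdraw path, so a privileged path that moves funds around it makes the
// blacklist, the whitelist and any multi-sig approval of the deployment irrelevant.
contract RiskyPool {
    address public owner;
    IERC20 public immutable token;
    bool public tradingOpen;
    mapping(address => bool) public blacklisted;
    mapping(address => bool) public exempt;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 _token) { owner = msg.sender; token = _token; }

    function setBlacklist(address who, bool flag) external onlyOwner { blacklisted[who] = flag; }

    // Audit finding: an owner-supplied, unverified target receives the whole balance
    // and then runs code the depositors never saw.
    function startTrading(address helper) external onlyOwner {
        tradingOpen = true;
        exempt[helper] = true;                                   // bypasses every check below
        token.transfer(helper, token.balanceOf(address(this)));  // funds leave here
        ITradingHelper(helper).onTradingStarted(address(token)); // unverified code executes
    }

    function withdraw(uint256 amount) external {
        require(tradingOpen, "closed");
        require(!blacklisted[msg.sender] || exempt[msg.sender], "blocked");
        token.transfer(msg.sender, amount);
    }
}

// HARDENED: the only effect startTrading can have is to set a flag. The external
// contract it talks to is fixed at deployment (so it can be inspected on a block
// explorer before anyone deposits), there is no exemption switch, and tokens only
// leave through a withdrawal of the caller's own recorded balance.
contract GuardedPool {
    address public owner;
    IERC20 public immutable token;
    ITradingHelper public immutable helper;   // no setter exists; cannot be redirected
    bool public tradingOpen;
    mapping(address => bool) public blacklisted;
    mapping(address => uint256) public balances;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 _token, ITradingHelper _helper) {
        owner = msg.sender;
        token = _token;
        helper = _helper;
    }

    function setBlacklist(address who, bool flag) external onlyOwner { blacklisted[who] = flag; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    // No address parameter, no transfer, no exemption: nothing for a backdoor to use.
    function startTrading() external onlyOwner {
        require(!tradingOpen, "already open");
        tradingOpen = true;
        helper.onTradingStarted(address(token));  // same known, immutable target every time
    }

    function withdraw(uint256 amount) external {
        require(tradingOpen, "closed");
        require(!blacklisted[msg.sender], "blocked");
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

When reviewing a token or pool contract before depositing, the questions this contrast raises are concrete: does any privileged function accept an address it then calls or pays, can any role exempt an address from the restrictions shown to users, and are the external contracts it depends on immutable and verified on the explorer? A "yes" to the first two, or a "no" to the third, is the shape of the finding described above, whatever the function is called.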
The CertiK team has since closed the backdoor and secured the contracts. They have also reported the incident to the relevant authorities and are continuing to investigate.
In conclusion, the CertiK team has warned users to be wary of any suspicious activity and to be extra vigilant when dealing with contracts. They have also urged users to exercise caution and to always audit the code of any contract before engaging with it.