
Topic: OYSTER PEARL (PRL) smart contract BREACHED - markets paused (Read 207 times)

legendary
Activity: 1274
Merit: 1924
฿ear ride on the rainbow slide
This is even worse than the other scams. Bitconnect, for example, was a scam you could foresee for economic and marketing reasons. But this project you would only have to know about this backdoor if you were a programmer and had read all the source code. This demonstrates how difficult it is to analyze a project even with open source.

We are very dependent on the curiosity of other people. I have never read a source code from start to finish and would have difficulty understanding something like what was done with Oyster.

Perhaps it would be very interesting to have a group of hackers whose sole purpose was to exploit flaws in those projects. Could even have a bounty paid in BTC. Certainly, those who believe exclusively in the BTC could finance something like that just for fun.

The backdoor was there for a reason. According to the PRL team the "directorship of the token contract had to remain open so that the peg could be adjusted over time".
https://medium.com/oysterprotocol/oyster-update-b813390ce10e

A large portion of the tokens (5%) were held by the PRL team themselves. So even the people that knew were not concerned.

Whenever there is a bad actor - especially if it is the founder or one of the core developers it is massively damaging to the project.

In general terms most crypto expose themselves to huge risks.

A lot of coins are copypaste from other coins.

A lot of the copypaste coins fail to update their codebase

Changes made to the code are usually done at breakneck speed and not adequately tested.

A large portion of the smart contracts are potentially vulnerable.

Forks and coinswaps by consensus can be used to potentially offset some of those issues. But forks and coinswaps cause new issues.

The BTC and Ether have already been withdrawn from Kucoin. The code worked as designed so by rolling back the transactions - KuCoin will sustain the loss rather than the bad actor. This means that the currency is not immutable and not able to be trusted. Rolling back transactions means coins that were received in the KuCoin exchange wallet and verified as valid by the coin network are being invalidated and effectively "removed" from their wallet.

It is similar to some of the recent 51% attacks suffered by some of the insecure low hashrate POW coins. The coins are confirmed "as designed" by the coin network nodes. The valid transactions are then invalidated by the method of the attack and the chain is replaced with the attacker's version. The code worked as designed but it was exploited because there were inadequate protections by the coin network.

Quote
but will most likely be executing a contract swap on the block just prior to this all happening (e.g. All 98.5 million PRL prior to the contract vulnerability will be exchanged on a 1:1 ratio to PEARL (or something to that effect)). We will also be evaluating how we can help those that were taken advantage of from this incident.


It would be unfair to make Kucoin sustain the loss because they were sent coins that were validated by the coin network. The developers not involved in this exploit are currently in a difficult situation. The best way forward is to do a 1:1 coin swap so there is a safe contract in place.

The 1.5% of the coins exploited by the minting of the new coins has effectively cost in excess of 65% of the coin value. The damage done is far greater than the profits gained.

Quote
PRL now trades around $0.03, after diving from levels of $0.22. PRL was appreciating and even having a short-term rally when the news of smart contract abuse and exchange dumping caused irreparable damage. It turned out the Oyster Protocol founder and developer, going by the moniker “Bruno Block”, had disagreements with the project’s CEO, Bill Cordes.
https://cryptovest.com/news/developer-and-founder-tanks-oyster-protocol-prl-price-by-deliberate-dumping/

Bruno posted a message here:

Quote
Bruno's message
Focus everyone:

When Oyster boomed in December I wanted to go on a huge hiring spree. I was always very product focused but people only wanted to hear about marketing. Chris Bamber approached me along with Bill. Bill turned out to be an honest and hardworking guy (as CFO), but Chris did next to nothing. I paid each member of c-suite 1 million PRL each which was evaluated at half a million dollars each.

Chris bailed on us for the exponential hiring. Why was I so pushy about hiring? Because I knew Bitcoin and all of crypto was in a bubble. I sold a lot of my own PRL and PRL for the treasury but Bill preached hesitation instead.

Then ETH went from $1200 to $200. It became difficult to keep hiring people, my plan for a large robust team of developers was blocked. I spent downtime to start healing from trauma I was going through.

Then Bill told the group that we got accepted on Binance. That’s when the problems started. The price immediately started pumping from 4c to 26c. I warned Bill against insider trading, he didn’t care. So instead of him and his VC friends dumping on you, I dumped on him.

I advise all of you to get out of crypto. Go educate yourselves about what is happening with Tether. The entire crypto sphere is a giant Ponzi scheme. I warned all of you, multiple times, in private and public, and nobody listens. Ethereum is going back to $5, if you want to sell back to a greater fool then you will only find yourself to be that fool.

https://twitter.com/Bitfinexed/

https://reddit.com/r/buttcoin

What will now happen:

Bill, you’re fired.

I am going to program the protocol on my own, gradually. If someone wants to help me they can do so free of charge. No marketing, no nonsense.

PRL will still be the valid token used by the protocol (no contract swap).

I reject the Binance listing and I don’t want Kucoin to re-activate our listings.

Focus on the storage peg, that is what brings value to the token, not your Ponzi-Shenanigans.

If you want to buy only to sell to a greater fool, then you are that greater fool. PRL and SHL are not to be listed on an exchange until they are actual functioning products. I will also consider revealing my identity over the next few days. I will be posting updates on development after I straighten out this situation.

I am now going to dump as many chat logs as I can to show what happened with Oyster.

UPDATE:

If you want to play greater-fool games with Bill and co, and there is an overwhelming vote in support for Oyster becoming a permaponzi, then I will leave you all to have fun with it.

If you want PRL to operate as I've described in the whitepaper, everyone is fired and I will slowly but surely work on the protocol and post progress publicly. The last time I hired a bunch of people and threw money at them they turned it into a circus.

However, I don't believe there will be electricity running through the power grid soon. I sent this video and others like it a long time ago to this chat:

https://www.youtube.com/watch?v=VOMWzjrRiBg

Go learn about peak oil and the fractional reserve banking system. The stock shale bubble is an obfuscated means to subsidize the price of oil. In Brazil, Indonesia, and other developing nations, the price of oil is subsidized with debt directly by the government. When the debt bubble pops, the price of oil will skyrocket, trucks won't be bringing produce into your city let alone computers won't be spending energy to secure the blockchain.

I believe in Oyster as a product, but I don't believe there will be a future to host it. I will program it since the program is a promise from me, but don't complain that Oyster isn't running when a banana costs $5,000.

Anyone here who has swiped a credit card or taken an interest-bearing loan has the blood of the incoming collapse on their hands. Billions of people will die, there are massive droughts and food shortages as we speak. I've made a lot of dollars by selling PRL, I immediately ditched the dollars to buy real things so that I can protect myself and my family from the collapse. That's all I ever wanted, and now that I have that secured, I will deliver the protocol which I promised myself. Give me some time to get my head straight after these dramatic few days, I will gradually post progress on github.

You can also buy popcorn futures on /r/buttcoin
https://www.reddit.com/r/Oyster/comments/9stgqn/brunos_message/
https://archive.fo/DXjlb



I re arranged it a bit:

Quote
I've made a lot of dollars by selling PRL, I immediately ditched the dollars to buy real things so that I can protect myself and my family from the collapse. That's all I ever wanted, and now that I have that secured,

Because I knew Bitcoin and all of crypto was in a bubble. I sold a lot of my own PRL and PRL for the treasury.

In other words he sold the token he created knowing he didn’t believe in it at around $3.64 so he could later make more and dump it from $0.24 to $0.04.

Quote
I advise all of you to get out of crypto. Go educate yourselves about what is happening with Tether. The entire crypto sphere is a giant Ponzi scheme. I warned all of you, multiple times, in private and public, and nobody listens. Ethereum is going back to $5, if you want to sell back to a greater fool then you will only find yourself to be that fool.

Then ETH went from $1200 to $200.

I am going to program the protocol on my own, gradually. If someone wants to help me they can do so free of charge. No marketing, no nonsense.

I believe in Oyster as a product, but I don't believe there will be a future to host it.

In other words he sold a “dream” to others that he didn’t believe in himself so he could secure his own financial future at the expense of others he considers fools.


I have a name for that - exit scammer.

This redditor expressed it perfectly:



full member
Activity: 238
Merit: 113
just when I was about to sell my stack this happens, well, guess it happens, such is life
sr. member
Activity: 980
Merit: 294
I read about the incident in the news, and it stated that the Oyster Protocol CEO exit scammed. It is very sad for a CEO to get involved in such a mess. I hope this doesn't affect the holders.
From what I've heard Bruno wasn't the original CEO, and so this whole thing has been planted since day 1, like this guy knew everything that he needed. I guess this is already the end for Oyster Pearl; obviously, even if they learn the real identity of Bruno they can't have the money back.

Anonymity at its finest.
legendary
Activity: 1274
Merit: 1924
฿ear ride on the rainbow slide
I read about the incident in the news, and it stated that the Oyster Protocol CEO exit scammed. It is very sad for a CEO to get involved in such a mess. I hope this doesn't affect the holders.

It is unfortunate that the honest investors and others involved in the project will be affected and/or tainted by this.

This is the risk of anonymous developers.   
copper member
Activity: 462
Merit: 10
I read about the incident in the news, and it stated that the Oyster Protocol CEO exit scammed. It is very sad for a CEO to get involved in such a mess. I hope this doesn't affect the holders.
hero member
Activity: 672
Merit: 526
This is even worse than the other scams. Bitconnect, for example, was a scam you could foresee for economic and marketing reasons. But this project you would only have to know about this backdoor if you were a programmer and had read all the source code. This demonstrates how difficult it is to analyze a project even with open source.

We are very dependent on the curiosity of other people. I have never read a source code from start to finish and would have difficulty understanding something like what was done with Oyster.

Perhaps it would be very interesting to have a group of hackers whose sole purpose was to exploit flaws in those projects. Could even have a bounty paid in BTC. Certainly, those who believe exclusively in the BTC could finance something like that just for fun.
member
Activity: 364
Merit: 10
That's why we need smart contracts audited by an independent third party, and this must be done and published during the ICO process. Fraud and scams are still a big problem in the crypto market; we need to require all projects to publish their development team and refuse projects that have anonymous or outsourced devs.
hero member
Activity: 2464
Merit: 934
There was an intentional backdoor in smart contract from the start. We got to be cautious with anonymous devs.
full member
Activity: 2044
Merit: 109
It's terrible to hear information like this and things like this that make new investors afraid to invest in the crypto market. Because the project was clearly completed and entered the market but still had the opportunity to manipulate the smart contract. Very scary
hero member
Activity: 1458
Merit: 509
News headlines today:

ALTCOINS Oyster [PRL] exit scam after smart contract manipulated to print 3 million tokens: Price takes 65% hit
https://ambcrypto.com/oyster-prl-exit-scam-after-smart-contract-manipulated-to-print-3-million-tokens-price-takes-65-hit/

Oyster Protocol Founder Exploits Smart Contract ‘Trapdoor’ to Mint and Sell 3 Million+ PRL Tokens
https://www.livebitcoinnews.com/oyster-protocol-founder-exploits-smart-contract-trapdoor-to-mint-and-sell-3-million-prl-tokens/
I can define if this one is a scam project, I thought that that guy was creating a backdoor and this was already planned by him. Your second news looks a bit interesting for me personally.
So, this has been planned by him from the past. PRL team is a scammer.
legendary
Activity: 1274
Merit: 1924
฿ear ride on the rainbow slide
News headlines today:

ALTCOINS Oyster [PRL] exit scam after smart contract manipulated to print 3 million tokens: Price takes 65% hit
https://ambcrypto.com/oyster-prl-exit-scam-after-smart-contract-manipulated-to-print-3-million-tokens-price-takes-65-hit/

Oyster Protocol Founder Exploits Smart Contract ‘Trapdoor’ to Mint and Sell 3 Million+ PRL Tokens
https://www.livebitcoinnews.com/oyster-protocol-founder-exploits-smart-contract-trapdoor-to-mint-and-sell-3-million-prl-tokens/
legendary
Activity: 1274
Merit: 1924
฿ear ride on the rainbow slide
A smart contract breach was discovered which has caused panic on the market. Most exchanges have paused the market.


https://coinmarketcap.com/currencies/oyster/



Oyster Update
"Earlier today, it was discovered that the transferDirector function was utilized on the Oyster Protocol token contract. This allowed the new director to re-open the ICO for PRL and re-issue new tokens (1 ETH = 5000 PRL / .04 per PRL). The individual in question then sent these tokens (upwards of 3M PRL) to KuCoin where the tokens were market sold. They were able to extract ~$300,000 in funds prior to us being able to shut down trading and withdrawals on KuCoin..."
Read more: https://medium.com/oysterprotocol/oyster-update-b813390ce10e.

Quote
Problem with PRL contract
https://etherscan.io/tx/0x4fdf86fb8c15823202e14b89411d6bbf88799b103fb0c3701766bd749fba21c0

There is something terribly wrong with the Oyster token contract. People are sending Ether to the contract at a rate of 1 ETH to 5000 PRL tokens (0.0002 Eth per PRL), which means that they can sell it for higher on Kucoin.

The total supply has also increased.

UPDATE:

https://etherscan.io/tx/0x2321e305c20f45429f11045b9235e9bbd66b17bacede173ca86144ac5533d3bf

Seems like openSale() is called by this address, as director privileges are passed to this account.

UPDATE 2:

transferDirector() is called by the address 0x2da59901939682eab8887edb0fd1ce4299072265: https://etherscan.io/tx/0x1ea00178c70ca6c1cc2d020939831d1393ac5fcf6154495395a074e19e0e70f9

The address 0x2da59901939682eab8887edb0fd1ce4299072265 seems to be an Oyster controlled address originally used to create the PRL token ICO contract. The account got randomly accessed 6 hours ago after months of inactivity. https://etherscan.io/address/0x2da59901939682eab8887edb0fd1ce4299072265

My theory is that the keys to the account got leaked, or someone went rogue. That sort of explains the low volume pump of PRL, someone was just waiting to print and dump.

function withdrawFunds() public onlyDirectorForce {
    director.transfer(this.balance);
}

The hacker will be able to withdraw the ether used to mint tokens and repeat the cycle infinitely, even though he/she has not chosen to yet. However, ANYONE can receive 5000 PRL for 1 ETH (but you essentially would be giving the hacker free ether).

UPDATE 3:

function selfLock() public payable onlyDirector {
    // The sale must be closed before the director gets locked out
    require(saleClosed);
    
    // Prevents accidental lockout
    require(msg.value == 10 ether);
    
    // Permanently lock out the director
    directorLock = true;
}

It seems like selfLock() was never called, which means that the PRL contract was insecure if at any point the director of the contract gets compromised. If an ICO with the ability to mint tokens needs to be able to reopen at any point - I highly recommend in the future to move the ownership of the contract either to a multi-signature wallet, or have a timelock on directorship transfer (reversible) with a huge alarm if the function is ever called unknowingly.

POTENTIAL SOLUTION

This is obviously very bad. Since there is no way to reclaim directorship over the contract, the only way out is to create a new token contract based on a snapshot of the block height before the directorship transfer occurred. This would mean that people who bought PRL after the hack would be shafted, so maybe the latest snapshot should be taken, but this would shaft the people who panic sold the dip.

Since the highest volume was on Kucoin, not sure if Kucoin would reverse any trades from the timestamp of the hack.

In total, the perpetrator printed ~ 4 million PRL, 5% of total supply. Random people also started to send ETH to get some PRL, DO NOT DO THIS or risk losing funds.
https://www.reddit.com/r/Oyster/comments/9sfy3y/problem_with_prl_contract/

Exchanges have paused the market.


https://www.kucoin.com/#/trade/PRL-BTC


https://www.cryptopia.co.nz/Exchange/?market=PRL_BTC


https://www.coinexchange.io/market/PRL/BTC
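
Added example, not part of the thread and not Oyster's code: a minimal monitor for the "huge alarm" on director functions that the quoted Reddit post recommends, run over a constructed transaction feed. It assumes the feed already carries decoded function names and a totalSupply reading per transaction; the addresses, timestamps and 90-day dormancy threshold are placeholders.

```python
from dataclasses import dataclass

# Director-only functions named in the thread; after the ICO every call to
# one of them is rare enough to deserve a human's attention.
PRIVILEGED = {"transferDirector", "openSale", "withdrawFunds"}
DORMANCY_SECONDS = 90 * 24 * 3600  # assumed threshold for a "sleeping" key


@dataclass(frozen=True)
class Tx:
    timestamp: int      # block time, Unix seconds
    sender: str
    method: str         # decoded function name ("" for a plain ETH send)
    total_supply: int   # totalSupply read after the tx, in whole PRL


def detect(txs):
    """Return (timestamp, kind, detail) alerts for a token contract's tx feed."""
    alerts = []
    last_seen = {}      # sender -> timestamp of that sender's previous tx
    prev_supply = None
    for tx in sorted(txs, key=lambda t: t.timestamp):
        if tx.method in PRIVILEGED:
            alerts.append((tx.timestamp, "PRIVILEGED_CALL",
                           f"{tx.method}() by {tx.sender}"))
            # A privileged key waking up after months is a signal on its own.
            idle = tx.timestamp - last_seen.get(tx.sender, tx.timestamp)
            if idle > DORMANCY_SECONDS:
                alerts.append((tx.timestamp, "DORMANT_KEY_ACTIVE",
                               f"{tx.sender} idle {idle // 86400} days"))
        # Supply must not grow once the sale is over.
        if prev_supply is not None and tx.total_supply > prev_supply:
            alerts.append((tx.timestamp, "SUPPLY_INCREASE",
                           f"+{tx.total_supply - prev_supply} PRL"))
        last_seen[tx.sender] = tx.timestamp
        prev_supply = tx.total_supply
    return alerts


# Constructed sample feed: placeholder addresses and timestamps, not chain data.
T0 = 1_520_000_000
T1 = T0 + 231 * 86400
SAMPLE = [
    Tx(T0, "0xDIRECTOR", "transfer", 98_500_000),
    Tx(T1, "0xDIRECTOR", "transferDirector", 98_500_000),
    Tx(T1 + 600, "0xNEW_DIRECTOR", "openSale", 98_500_000),
    Tx(T1 + 900, "0xNEW_DIRECTOR", "", 98_505_000),  # 1 ETH -> 5000 PRL
    Tx(T1 + 1200, "0xNEW_DIRECTOR", "withdrawFunds", 98_505_000),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(*alert)
```

The first alert fires on the transferDirector call itself, before any token is minted, which is the point at which an exchange or the project team could still pause deposits.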