Author

Topic: Substratum (SUB) suffers a similar vulnerability as the Oyster (PRL) scam (Read 243 times)

legendary
Activity: 2268
Merit: 18771
Alright, I'll just come out and say it now because I'm righteously terrified now and paranoia in crypto is best asset out there. All I just need is a link to any literature that covers how to understand smart contract codes. Doesn't have to be in depth. Just a soft foundation to get a leg up (most of what I'm seeing seems to assume you can IF and ELSE already)

So smart contracts on Ethereum are written in a programming language called Solidity. The language was created by the original Ethereum core team for the sole purpose of writing smart contracts.

If you have a background in computer programming, then learning and understanding Solidity should be relatively easy for you. If you don't, it might be a bit of a challenge. The official Solidity Documentation can be found here (https://solidity.readthedocs.io/en/v0.4.25/), but as you say, it assumes a level of knowledge that you might not have. You could also try checking out this page (https://medium.com/@robbertvermeulen/learn-solidity-the-ethereum-smart-contract-programming-language-7f106fc26d6), which links to several other courses and video tutorials about how Solidity works.
sr. member
Activity: 1050
Merit: 295
Is it possible that these ICOs outsourced their smart contract creation to the same freelancer or just blatantly copied from the same source and hence the reason why they both have similiar vulnerabilities?
Don't know which scenario is more terrifying

Not in this case. Although the outcome from the two vulnerabilities is the same (i.e. having the ability to create as many new tokens as the owner wants out of thin air), the actual vulnerabilities, the code leading to said vulnerabilities, is quite different. If you have a look at my original post, you can see in the case of PRL it was due to "directorLock" never being set to true. This gave the anonymous scammer known as "Bruno" the ability to do anything to the smart contract. He could have completely erased the entire token if he wanted. Instead he started a new ICO, sold himself $300,000 worth of tokens for nothing, and then dumped these tokens on KuCoin. In the case of SUB, there is a function written in to the smart contract (again, see my first post) that allows the owner to "mint" tokens to any address - an even more efficient way of just creating tokens out of thin air.

This is not to say that there aren't other tokens out there suffering from similar or even the exact same vulnerabilities. It is absolutely possible these two and/or others have plagiarized from the same source or from each other. There are also many other ways you could rig a smart contract to allow you to exit scam.
Alright, I'll just come out and say it now because I'm righteously terrified now and paranoia in crypto is best asset out there. All I just need is a link to any literature that covers how to understand smart contract codes. Doesn't have to be in depth. Just a soft foundation to get a leg up (most of what I'm seeing seems to assume you can IF and ELSE already)
legendary
Activity: 2268
Merit: 18771
Is it possible that these ICOs outsourced their smart contract creation to the same freelancer or just blatantly copied from the same source and hence the reason why they both have similiar vulnerabilities?
Don't know which scenario is more terrifying

Not in this case. Although the outcome from the two vulnerabilities is the same (i.e. having the ability to create as many new tokens as the owner wants out of thin air), the actual vulnerabilities, the code leading to said vulnerabilities, is quite different. If you have a look at my original post, you can see in the case of PRL it was due to "directorLock" never being set to true. This gave the anonymous scammer known as "Bruno" the ability to do anything to the smart contract. He could have completely erased the entire token if he wanted. Instead he started a new ICO, sold himself $300,000 worth of tokens for nothing, and then dumped these tokens on KuCoin. In the case of SUB, there is a function written in to the smart contract (again, see my first post) that allows the owner to "mint" tokens to any address - an even more efficient way of just creating tokens out of thin air.

This is not to say that there aren't other tokens out there suffering from similar or even the exact same vulnerabilities. It is absolutely possible these two and/or others have plagiarized from the same source or from each other. There are also many other ways you could rig a smart contract to allow you to exit scam.
sr. member
Activity: 1050
Merit: 295
if he overlook this problem then his project will not success because it has a problem with its code

The issue here is that the vast majority of people who buy in to ICOs and tokens don't read the smart contract, and probably don't have the knowledge to understand what they were reading even if they did read it. The vulnerability in Oyster Pearl has been sitting there since their ICO - not a single person who sent them money bothered to read the contract and pick it up. The vulnerability in Substratum is the same.

These projects prove that not only can your smart contract be poorly written, it can literally be designed entirely to let you pull off an exit scam, and it doesn't matter. Idiots won't read it and will continue to send you their money because they read some baseless shilling. I am not sure how many projects need to turn out to be blatant scams before people will smarten up a bit.
Is it possible that these ICOs outsourced their smart contract creation to the same freelancer or just blatantly copied from the same source and hence the reason why they both have similiar vulnerabilities?
Don't know which scenario is more terrifying
legendary
Activity: 2268
Merit: 18771
They have added the possibility to erase and freeze your token. This is shady as fuck.

It's sad, really. Take a look at EOS. Not only do they have the ability to print more EOS at will, they can also freeze your account, reverse your transactions and confiscate your coins at any time, and there is nothing you can do about it. They don't even hide these facts - instead they advertise them in their "constitution". Not to mention that the majority of the dev team have already taken their profits from the ICO and exited the project. It's the complete opposite of what a decentralized cryptocurrency should be. And yet, they were the biggest ICO ever, are number 5 in terms of marketcap, and this forum and others are full of people spamming utter nonsense about their "great team" and "solid project".

If people are willing to give $4 billion to such an obvious scam, then there is no hope that they will be able to pick out a few lines of malicious code in a smart contract.
full member
Activity: 896
Merit: 117
PredX - AI-Powered Prediction Market
if he overlook this problem then his project will not success because it has a problem with its code

The issue here is that the vast majority of people who buy in to ICOs and tokens don't read the smart contract, and probably don't have the knowledge to understand what they were reading even if they did read it. The vulnerability in Oyster Pearl has been sitting there since their ICO - not a single person who sent them money bothered to read the contract and pick it up. The vulnerability in Substratum is the same.

These projects prove that not only can your smart contract be poorly written, it can literally be designed entirely to let you pull off an exit scam, and it doesn't matter. Idiots won't read it and will continue to send you their money because they read some baseless shilling. I am not sure how many projects need to turn out to be blatant scams before people will smarten up a bit.
Yeah right they just been hype by others or they bought thr token without any idea of whitepaper, that's a really big problem for some newbies out there. I noticed for some people they just speculate the price.
hero member
Activity: 2996
Merit: 536
Leading Crypto Sports Betting & Casino Platform
If you've not been reading the news lately, the CEO of Oyster Pearl abused a vulnerability in their smart contract to create 3 million new PRL out of thin air and dump them on the market.

https://etherscan.io/address/0x1844b21593262668b7248d0f57a220caaba46ab9#readContract
Quote
Number 18 - directorLock "false"

For those that don't know, this essentially allows the owner to do literally anything he wants, which in this case meant creating 3 million tokens out of thin air and giving them to himself to sell. As a result, the market has crashed and all PRL owners have lost about 90% of their money overnight.



Now, on to Substratum. Have a look at their smart contract here, particularly at line 136:

https://etherscan.io/address/0x12480e24eb5bec1a9d4369cab6a80cad3c0a377a#code

Code:
function mintToken(address target, uint256 mintedAmount) onlyOwner {
balanceOf[target] += mintedAmount;
totalSupply += mintedAmount;
Transfer(0, this, mintedAmount);
Transfer(this, target, mintedAmount);
}

This essentially lets them do the same thing. At any time they want, they can just create a thousand, a million, a billion new tokens out of thin air and give them to themselves to dump. This is without even mentioning that the 120 million tokens they supposedly burnt weren't burnt at all. They are here: https://etherscan.io/address/0xd41d37f9865cc121f71957e6eafb09cbdc98d6c3#tokentxns But it's OK though, cause the devs have totally promised that they deleted the private key to that wallet.

Now I'm not saying they will mint more tokens, but it's incredibly shady they wrote in the ability to let them if they wanted, and also incredibly shady to say they are doing a token burn and actually just send the tokens to another wallet that they created. If was holding any SUB, I would be selling it ASAP.
I didn't even believe if they were probably doing it before. They have wrote a backdoor for themselves remember the developer of bancor has been putting back door to control the token and they can generate more and more bancor anytime.
They have added the possibility to erase and freeze your token. This is shady as fuck.
legendary
Activity: 2268
Merit: 18771
if he overlook this problem then his project will not success because it has a problem with its code

The issue here is that the vast majority of people who buy in to ICOs and tokens don't read the smart contract, and probably don't have the knowledge to understand what they were reading even if they did read it. The vulnerability in Oyster Pearl has been sitting there since their ICO - not a single person who sent them money bothered to read the contract and pick it up. The vulnerability in Substratum is the same.

These projects prove that not only can your smart contract be poorly written, it can literally be designed entirely to let you pull off an exit scam, and it doesn't matter. Idiots won't read it and will continue to send you their money because they read some baseless shilling. I am not sure how many projects need to turn out to be blatant scams before people will smarten up a bit.
member
Activity: 336
Merit: 11
Victorieum Digital Wallet Revolution
It is normal, after all too many coins are just pure copies of some of the chains that were more trendy in a certain moment, like IOTA, but the team and technical background is nil.
full member
Activity: 632
Merit: 122
I don't know this PRL, but that's clearly a scam.
 this SUB just looks the same.

I fear that a Smartcontract vulnerability crash ethereum some day.

One of the things most acclaimed about ethereum is that it is Turing Complete, which means anything is programmable. However, this can be considered a security flaw, and it can be exploited through smartcontracts to harm the network.

smart contract vulnerability does not have any relation with ETH, it is all about the source code and the creator, that means it is all up to the creator himself.
if he overlook this problem then his project will not success because it has a problem with its code and it is not ETH problem because the code was built by the team instead of ETH itself.

exploiting it will harm the project instead of the network, because the bug that was created was aimed for the project itself.

legendary
Activity: 2352
Merit: 6089
bitcoindata.science
I don't know this PRL, but that's clearly a scam.
 this SUB just looks the same.

I fear that a Smartcontract vulnerability crash ethereum some day.

One of the things most acclaimed about ethereum is that it is Turing Complete, which means anything is programmable. However, this can be considered a security flaw, and it can be exploited through smartcontracts to harm the network.
legendary
Activity: 2268
Merit: 18771
If you've not been reading the news lately, the CEO of Oyster Pearl abused a vulnerability in their smart contract to create 3 million new PRL out of thin air and dump them on the market.

https://etherscan.io/address/0x1844b21593262668b7248d0f57a220caaba46ab9#readContract
Quote
Number 18 - directorLock "false"

For those that don't know, this essentially allows the owner to do literally anything he wants, which in this case meant creating 3 million tokens out of thin air and giving them to himself to sell. As a result, the market has crashed and all PRL owners have lost about 90% of their money overnight.



Now, on to Substratum. Have a look at their smart contract here, particularly at line 136:

https://etherscan.io/address/0x12480e24eb5bec1a9d4369cab6a80cad3c0a377a#code

Code:
function mintToken(address target, uint256 mintedAmount) onlyOwner {
balanceOf[target] += mintedAmount;
totalSupply += mintedAmount;
Transfer(0, this, mintedAmount);
Transfer(this, target, mintedAmount);
}

This essentially lets them do the same thing. At any time they want, they can just create a thousand, a million, a billion new tokens out of thin air and give them to themselves to dump. This is without even mentioning that the 120 million tokens they supposedly burnt weren't burnt at all. They are here: https://etherscan.io/address/0xd41d37f9865cc121f71957e6eafb09cbdc98d6c3#tokentxns But it's OK though, cause the devs have totally promised that they deleted the private key to that wallet.

Now I'm not saying they will mint more tokens, but it's incredibly shady they wrote in the ability to let them if they wanted, and also incredibly shady to say they are doing a token burn and actually just send the tokens to another wallet that they created. If was holding any SUB, I would be selling it ASAP.
Jump to: