SharkTeam Analysis of the Black Industrial Chain of Rugpull Factory

Recently, there have been multiple Rug Pull incidents. The SharkTeam Security Research Team has conducted a detailed analysis of these incidents. During the analysis, we discovered that the Rugpull factory contract on the BNB Chain has initiated more than 70 Rugpulls in the past month. Next, we will analyze the fund traceability, fraudulent behavior patterns, and other aspects.

Due to space limitations, we will mainly analyze several token incidents, including SEI, X, TIP, and Blue. These tokens were created through the createToken operation of the token factory contract 0xDC4397ffb9F2C9119ED9c32E42E3588bbD377696.

The createToken function takes the following parameters when creating a token: token name, token symbol, precision, supply, token owner address, the address of the factory contract used to create token pairs, and the BUSD-T stablecoin address. The factory contract used to create token pairs is PancakeSwap's factory contract, and each token has a different owner address.

I. Fund Traceability

The owner addresses, symbols, and contract addresses of the SEI, X, TIP, and Blue tokens are shown in the following figure. X, TIP, and Blue share the same owner address: 0x44A028Dae3680697795A8d50960c8C155cBc0D74.

The funds of 0x44A028Da come from 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3. The funds of 0x0a8310ec (the SEI token owner) come from multiple EOA accounts, and the address the two have in common is 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3.

Below is the relevant information of the token factory contract 0xDC4397ffb9F2C9119ED9c32E42E3588bbD377696. The factory contract was created by the address 0x1dE949eac4b5fc1B814E733CD56AE65DfF1bcEEF. The funds from the address 0x1dE949ea come from multiple accounts, with one source address being 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3.

The fund sources of address 0x072e9A13 are as follows. Address 0x1dE949ea has partial fund interactions with it. Other addresses have also created token factory contracts and are the Rug Pullers of some tokens.

For example, the funds from 0x04067B4fcC9f3d99aC5211cfE8d3e8687B0401d3 come from 0x6ae8F98830894518c939B0D0A5EF11c671e9DFCa. And 0x6ae8F988 created the factory contract 0xe83EbBb4acc3d8B237923Ee333D04B887ca1a008. This factory contract also performed the same token creation behavior:

We chose one of these tokens for analysis and found that it exhibits Rug Pull behavior.

Part of the funds of 0x6ae8F988 comes from 0xa6764FBbbFD89AEeBac25FCbB69d3E9438395e57, and the funds of that address come from 0xE5A5c50980176Cc32573c993D0b99a843D77BC6E. Address 0xE5A5c509 was funded with 10 BNB from a Tornado Cash address. In addition to the funds provided through Tornado, there are also profits obtained through phishing and token Rug Pulls.

In addition, the addresses above play an important role in the Rugpull factory fraud pattern described next.
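The fund relationships traced in this section can be checked mechanically. The following is an added example, not SharkTeam's tooling: it encodes only the funder-to-recipient edges stated above (with the article's abbreviated addresses, and `TornadoCash` as a label rather than an address) and computes shared upstream funders and any funding chain back to the mixer.

```python
from collections import defaultdict, deque

# Funding edges (funder -> recipient) taken from the fund-traceability text,
# using the article's abbreviated addresses. "TornadoCash" is a label only.
EDGES = [
    ("0x072e9A13", "0x44A028Da"),   # owner of X, TIP, Blue
    ("0x072e9A13", "0x0a8310ec"),   # owner of SEI (one of several funders)
    ("0x072e9A13", "0x1dE949ea"),   # creator of factory 0xDC4397ff
    ("0x6ae8F988", "0x04067B4f"),
    ("0xa6764FBb", "0x6ae8F988"),   # 0x6ae8F988 created factory 0xe83EbBb4
    ("0xE5A5c509", "0xa6764FBb"),
    ("TornadoCash", "0xE5A5c509"),  # 10 BNB
]

def build_reverse(edges):
    """Map each recipient to the set of addresses that funded it."""
    funders = defaultdict(set)
    for src, dst in edges:
        funders[dst].add(src)
    return funders

def upstream(addr, funders):
    """All direct and indirect funders of addr (breadth-first, cycle-safe)."""
    seen, queue = set(), deque([addr])
    while queue:
        for src in funders.get(queue.popleft(), ()):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen

def common_funders(addrs, funders):
    """Funders shared by every address in addrs: a clustering signal."""
    sets = [upstream(a, funders) for a in addrs]
    return set.intersection(*sets) if sets else set()

def mixer_path(addr, funders, mixer="TornadoCash"):
    """Shortest funding chain from the mixer down to addr, or None."""
    seen, queue = {addr}, deque([[addr]])
    while queue:
        path = queue.popleft()
        if path[-1] == mixer:
            return path[::-1]
        for src in funders.get(path[-1], ()):
            if src not in seen:
                seen.add(src)
                queue.append(path + [src])
    return None

FUNDERS = build_reverse(EDGES)
```
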

II. Rugpull Factory Fraud Pattern

Let’s take a look at the Rugpull factory fraud patterns of SEI, X, TIP, and Blue tokens together.

(1) SEI

First, the owner of the SEI token, 0x0a8310eca430beb13a8d1b42a03b3521326e4a58, exchanged 1u for 249 SEI tokens.

Then, 0x6f9963448071b88FB23Fd9971d24A87e5244451A conducted batch buy and sell operations. As a result of these operations, the token's liquidity increased significantly, and the price rose as well.

Through phishing and other promotion methods, a large number of users were lured into buying, and as liquidity increased, the token price doubled.

When the token price reached a certain value, the token owner stepped in and sold to carry out the Rugpull. As can be seen from the following figure, the time and price at which the owner entered to harvest differ from case to case.

(2) X, TIP, Blue

First, the owner of the X, TIP, and Blue tokens, 0x44A028Dae3680697795A8d50960c8C155cBc0D74, exchanged 1u for the corresponding tokens. Then, as with the SEI token, 0x6f9963448071b88FB23Fd9971d24A87e5244451A conducted batch buy and sell operations. As a result of these operations, liquidity increased significantly, and the price rose.

Then, through phishing and other promotion methods, a large number of users were lured into buying, and as liquidity increased, the token price doubled.

As with SEI, when the token price reached a certain value, the token owner stepped in and sold to carry out the Rugpull. As can be seen from the following figure, the time and price at which the owner entered to harvest differ from case to case.
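The three stages described for SEI, X, TIP, and Blue (a tiny owner buy, batch buying and selling by one address, then an owner sell-off) can be turned into a screening heuristic over a token's swap history. This is an added example, not SharkTeam's detection logic; the swap records, the `OWNER`/`BOT`/`userN` labels, and all thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed swap records for one token: (minute, trader, side, value_in_stablecoin).
# OWNER/BOT/userN are placeholder labels; all numbers are made up for illustration.
PUMPED = [
    (0, "OWNER", "buy", 1),
    (1, "BOT", "buy", 300), (1, "BOT", "sell", 280), (2, "BOT", "buy", 320),
    (2, "BOT", "sell", 300), (3, "BOT", "buy", 350), (3, "BOT", "sell", 330),
    (10, "user1", "buy", 500), (12, "user2", "buy", 800), (15, "user3", "buy", 650),
    (20, "OWNER", "sell", 1900),
]
ORGANIC = [(0, "a", "buy", 100), (5, "b", "buy", 50), (9, "a", "sell", 60), (12, "c", "buy", 70)]

def rugpull_signals(swaps, owner, seed_max=5, min_batch=4, wash_share=0.4, exit_ratio=100):
    """Score a token's swap history against the three stages described above.
    Thresholds are illustrative assumptions, not values from the article."""
    swaps = sorted(swaps, key=lambda s: s[0])
    if not swaps:
        return {"owner_seed_buy": False, "batch_trader": None, "owner_exit": False, "score": 0}
    spent = sum(v for _, t, s, v in swaps if t == owner and s == "buy")
    received = sum(v for _, t, s, v in swaps if t == owner and s == "sell")

    # Stage 1: the owner opens trading with a token-sized buy (the "1u" purchase).
    _, first_trader, first_side, first_value = swaps[0]
    seed = first_trader == owner and first_side == "buy" and first_value <= seed_max

    # Stage 2: one non-owner address trades both sides in bulk and dominates the trade count.
    counts, sides = Counter(), defaultdict(set)
    for _, trader, side, _ in swaps:
        if trader != owner:
            counts[trader] += 1
            sides[trader].add(side)
    top, n = counts.most_common(1)[0] if counts else (None, 0)
    wash = n >= min_batch and sides[top] == {"buy", "sell"} and n / len(swaps) >= wash_share

    # Stage 3: the owner's sell proceeds dwarf what the owner paid in.
    exited = spent > 0 and received / spent >= exit_ratio

    return {"owner_seed_buy": seed, "batch_trader": top if wash else None,
            "owner_exit": exited, "score": seed + wash + exited}
```

A score of 2 before any owner sell (seed buy plus a dominant two-sided trader) is the point at which a buyer or monitoring service can still act; stage 3 only confirms the Rugpull after the fact.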

The volatility charts of SEI, X, TIP, and Blue tokens are as follows:

Based on fund tracing and behavioral patterns, we can infer the following:

In terms of fund tracing, the funds of the token factory creator and token creators come from multiple EOA accounts. There are also fund transfers between different accounts, some of which are transferred through phishing addresses, some are obtained through previous token Rugpull behaviors, and some are acquired through platforms like Tornado Cash for coin mixing. The use of multiple methods for fund transfers aims to build a complex and intricate fund network. Different addresses have also created multiple token factory contracts and produced a large number of tokens.

When analyzing token Rugpull behaviors, we found that address 0x6f9963448071b88FB23Fd9971d24A87e5244451A is one of the sources of funds. Batch operations were also used when manipulating token prices. Address 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3 also serves as a provider of funds, providing corresponding funds to multiple token holders.

In conclusion, behind this series of actions is a well-organized Web3 scam group that has formed a black industrial chain, mainly involving hot topic collection, automatic token issuance, automatic trading, false advertising, phishing attacks, and Rugpull harvesting, all of which occur frequently on the BNB Chain. The fake Rugpull tokens issued are closely tied to hot industry events and are highly deceptive and inciting. Users must remain vigilant, stay rational, and avoid unnecessary losses.
