A breach of Oyster Protocol’s token smart contract yesterday resulted in the creation and theft (and subsequent sale) of more than 3 million PRL tokens.
3 Million Oyster Pearls (PRL) Minted and Stolen
Monday afternoon, reports of large transfers and massive selloffs of Oyster Pearl (PRL) tokens began to ripple across crypto social media channels. In less than 8 hours, PRL trading volume had skyrocketed from $156,351 to $1,577,860 – an increase of more than 900%. During the same time, the price of PRL fell by more than 63% – from $0.22 to $0.08.
So what happened?
A series of posts on Telegram and Twitter pointed to a breach of the project’s token smart contract. Community Manager William Halunen alerted Telegram users:
And the project’s official Twitter account tweeted the following:
2/2 Earlier this morning directorship was transferred by the original Ethereum addressed controlled by Bruno Block, allowing the new director to mint 3 mil new PRL. We do not know any reason why this would be done and are currently looking into solutions.
— Oyster Protocol (@OysterProtocol) October 29, 2018
An update published later in the day confirmed the breach. An individual believed to be the project’s original founder and chief architect, “Bruno Block”, exploited a trapdoor mechanism in the guise of the transferDirector function in the token’s smart contract to transfer directorship to themselves. As the new director of the smart contract, he was able to effectively re-open the Oyster Pearl ICO and mint an estimated 3 to 4 million PRL tokens, which he then promptly sold on the KuCoin exchange.
Oyster CEO Bill Cordes explained that the unusually high trade volumes and large sell orders were the first indicators that something was wrong. From there, they “checked the block explorer and then did further research on the addresses in question and pieced it together in short order.”
Working with KuCoin, they quickly shut down PRL trading and withdrawals on the platform, but not before Block was able to get away with an estimated $300,000.
According to the update, Block is the only person who had the ability to transfer directorship within the smart contract. The Oyster team believes it was a calculated attack timed so that Block would be able to cash out before KuCoin’s new KYC procedures go into effect on November 1st. The new KYC measures would have limited anonymous traders to a maximum withdrawal of 2 BTC per day.
The team is confident that Block acted alone and that KuCoin was not complicit in the theft.
Who is Bruno Block?
That’s the kicker. Nobody seems to know. Even those that worked (virtually) with him on the Oyster project don’t know his identity. Block was rabidly protective of his anonymity and, when asked about it on Telegram, explained:
(I am anonymous) because I invented the protocol and that could have political repercussions in the distant future, considering the protocol is the first to enable truly guaranteed storage privacy.
The Oyster team has made public the BTC and ETH addresses that Block is believed to have withdrawn the stolen funds to:
BTC: 17pwqhD9dLGMcMZD9xvKxiePHNffHV5T6y
ETH: 0x0001Ee57Bb28415742248d946D35C7f87cfd5A54
They are asking anyone in the crypto community with information about the theft and/or Block’s identity to please contact them.
How Does Oyster Move Forward From Here?
Last night I spoke with Oyster Protocol CEO Bill Cordes about the breach and subsequent theft. He and the rest of the team appeared to have been as blindsided by the theft as the rest of the crypto community.
Cordes said:
What happened is nothing short of awful. The project founder and original team member [Bruno Block] who made the initial hires like me and got everyone on board is not the person you’d suspect would try and sabotage their own project.
His concern for the project’s investors and its community was evident, and he was adamant that he – and the team as a whole – would be doing everything possible to rectify the situation:
But I will be working tirelessly to try and right the wrongs that Bruno made today moving forward, even if that means doing so at some personal cost.
Cordes stressed that investors’ PRL holdings are safe and that:
We are still evaluating our options, but will most likely be executing a contract swap on the block just prior to this all happening (e.g. All PRL prior to the contract vulnerability will be exchanged at a 1:1 ratio to PEARL (or something to that effect)).
He also stated that they are looking at how best to help those who were taken advantage of by Block’s actions and that they will be doing everything possible to “make everyone whole.”
Will Bruno Block’s true identity ever be uncovered? More importantly, will he be held accountable for the theft and the impact it had on the PRL market? Let us know in the comments below.
Images courtesy of CoinMarketCap, DepositPhotos