Beware of Covert Rug Pulls, Exit Scams Driven by Contract Storage Manipulation

SlowMist
7 min readJul 26, 2023

Background

From the summer of DeFi to the present day, we’ve weathered a storm of vulnerabilities, backdoors, exit scams, and other underhanded tactics. We’ve learned the hard way to be vigilant, scrutinizing token contract permissions, checking token distributions, and reviewing contract codes to protect our assets when we participate in new projects on decentralized exchanges. However, as we’ve grown more savvy, the tactics employed by malicious actors have also become increasingly sophisticated and covert.

Recently, our attention was drawn to a distress signal from PancakeSwap community members. They had discovered something alarming: during their participation in a project, they noticed malicious users engaging in a massive token minting operation — one that had gone unrecorded. Not only that, these bad actors had taken off with a significant portion of the pool’s funds.

Prompted by these events, the SlowMist security team launched an investigation to delve deeper into the case. Below, we share our findings and analysis.

Analysis

The malicious token, IEGT, was deployed on BSC at [0x8D07f605926837Ea0F9E1e24DbA0Fb348cb3E97D]. By observing its holders on the blockchain explorer, we found that while the addresses “dead” and “pair” hold a significant amount of IEGT tokens, the contract recorded totalSupply still stands at 5,000,000.

Further investigation into the source of these tokens revealed that the tokens within [0x00002b9b0748d575CB21De3caE868Ed19a7B5B56] only have outgoing transactions with no incoming ones.

As stipulated in the EIP20 standard, the Transfer event must be implemented when tokens are transferred, including token minting from the 0x0 address, which must also record the event. Blockchain explorers rely on these standardized event logs for data analysis. Therefore, if we find a discrepancy between the total amount of tokens and the actual number in the blockchain explorer, it indicates that no event was recorded when the tokens were minted, causing the blockchain explorer to only count the balance changes of related addresses after the transfer and not record any token minting. Based on this, we can ascertain that malicious code for token minting exists in the token contract.

The token contract code is open-source, presumably a move by the project team to enhance the project’s credibility. We proceeded to analyze its source code. The simplest way to mint tokens is to implement a method that directly increases the balance of a specified address. In the current contract, a _balances mapping is defined to keep track of users’ token balances. However, upon inspection, no code was found in the contract that modifies the _balances of a specified address.

If there is no code to directly increase the balance, then how did the project team mint tokens? A review of the basic knowledge of smart contracts reveals that changes in user token balance essentially modify the data state stored on the chain by the contract. Therefore, altering the data slot corresponding to a specific address’s _balances within the contract storage can change its token balance.

Let’s quickly revisit how EVM calculates the storage location of contract data. For the mapping type _balances, it uses the keccak256 hash of its key value k and its position p as an offset for its storage slot, i.e., keccak256(k,p). By analyzing the IEGT contract’s data storage position, we found that the position of its _balances parameter is slot0, so the storage location of the user’s balance is keccak256(address,0).

By entering the malicious address, we can calculate its balance storage location as [0x9d1f25384689385576b577f0f3bf1fa04b6829457a3e65965ad8e59bd165a716]. Further search for changes in this slot’s data revealed that it was modified to a tremendous value at the time of contract deployment.

Therefore, we can confirm that during the initialization of the IEGT contract, the project team covertly minted a large amount of tokens, primed for a rug pull. Next, we followed up with an analysis of its initialization function and found that during the _pathSet operation, the project team used inline assembly to modify the contract storage and purposely didn’t format the code to enhance its concealment.

By calculating, we found the y value to be [2b9b0748d575cb21de3cae868ed19a7b5b56]. By two mstore operations, memory positions 0 to 64 bytes were filled with [00000000000000000000000000002b9b0748d575cb21de3cae868ed19a7b5b56], and the address with maliciously increased token balance is [0x00002b9b0748d575CB21De3caE868Ed19a7B5B56]. It appears that the malicious user constructed a chain of data calculations that precisely led to the target address they control. Therefore, we can also find this calculated yet unpadded “address” in the compiled bytecode.

Right after, by performing keccak256 on the data in memory positions 0 to 64 bytes, we get the malicious user’s balance storage slot position [0x9d1f25384689385576b577f0f3bf1fa04b6829457a3e65965ad8e59bd165a716]. This is why the _balances were placed at slot0 in the contract, greatly facilitating the calculation of the actual storage position of the balance in the inline assembly. The following sstore operation then modifies the contract storage value at this position to the sixth power of the current timestamp. This completes the modification of the balance of the specified address. The subsequent inline assembly operations are similar and won’t be elaborated on here.

At this point, we now understand that the project team covertly minted a large number of tokens unbeknownst to other users by modifying the balance of a specific address during contract initialization using inline assembly. This led to users getting rug pulled when participating in the project.

Tracking

By using MistTrack to analyze the event, we found the scammers addresses on the BSC chain to be 0x000000481F40f88742399A627Cbc2Afb6Ec34FeD and 0x00002b9b0748d575CB21De3caE868Ed19a7B5B56. Together, they had a combined value of ~1.14 million USDT. The initial fee for transferring the USDT from the scammers addresses came from withdrawals from the Binance exchange.

The current status of the fund transfers is as shown below:

Moreover, the gas fee address 0xb795ad917DAF9A1c98eE18E03E81B9A5F73bc7c1 is used to provide gas fees for multiple rug pull contract interactions, suggesting the existence of a professional rug pull organization.

Conclusion and Recommendations

This case demonstrates a sophisticated token minting operation, with the rug pull executed covertly via contract storage manipulation. This exemplifies that simply reviewing the visible contract code is not enough. Market participants should also be aware of the possible manipulation of contract storage, particularly during contract initialization. According to SlowMist Hacked statistics, up to now, the amount of losses caused by Rug Pull is close to 500 million US dollars.

In general, for your asset safety, we recommend the following steps:

1. Be cautious when interacting with unknown or new projects, especially those offering high returns.

2. Scrutinize contract permissions, check token distribution, and review contract code before participating in a project.

3. Be aware of the possibility of covert operations like the one described in this article.

4. Use professional security tools to analyze suspicious contract interactions and monitor asset transfers.

5. Always remember the golden rule of investing: Don’t invest more than you can afford to lose.

Remember, the crypto market is highly speculative and volatile. While the potential for high returns can be attractive, it’s essential to understand the risks involved and conduct thorough research before diving in.

As always, stay vigilant!

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, Cheers UP, etc.

SlowMist offers a variety of services that include by are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.

Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.