SudoRare Incident Analysis
8/22/2022

TL;DR

SudoRare, a self-proclaimed NFT AMM, committed an exit scam within 24 hours of deploying its smart contract, resulting in the loss of $852k. The deployer of SudoRare deployed an upgrade to the project's smart contract that implemented a “backdoor” allowing funds to be drained. At the time of writing, the funds have been sent to 3 EOAs, where the scammer will likely look to launder the assets.

Event Summary

We often see exit scams on tokens that have been deployed and then rugged on the same day. Usually, these exit scams do not involve major losses and in some cases can be attributed to money laundering. In this case, however, the losses were $852k, which is the second highest amount lost in an exit scam this month. It is almost certain that the project's marketing activity before the exit scam took place contributed to the amount of funds lost.

SudoRare claimed to be an Automated Market Maker that combined features of SudoSwap with the tokenomics of Looks Rare. We can see how the platform looked to combine the features from the two platforms from their now deleted Twitter handle.

In addition, their Medium channel, which has also been deleted, posted an article explaining the utility and functionality of their token. However, one aspect of the article should have raised some suspicions:

They claim that the project is currently run by two individuals who “will never dox” and will remain 100% anonymous. Claims like this should always be taken as a cautionary warning. It is always good to know who is behind a crypto project before you invest in it as you can vet their background and understand their skill set.

Looking onchain, we can see that the contract creator for SudoRare was funded by EOA 0x814d… which received 0.596 ETH from Kraken 4. From there, 0.28 ETH was sent to the contract creator of SudoRare.

The stolen funds were collected in 0x8c4e…, which was created by the SudoRare deployer. In total, 241 successful deposits were made into the smart contract, including one from EOA 0xfaFb…, which was involved in the Nomad Bridge Exploit and deposited 24 WETH. However, they managed to withdraw their funds before the exit scam took place.

Attack Flow

This is how the exit scam took place:

  1. SudoRare creates multiple legitimate contracts as per the project's aim and publishes the code for transparency.

  2. SudoRare deploys an update to the contract which has a backdoor in it, allowing an “operator” address to transfer out any tokens. The operator is the same address that deployed SudoRare.

  3. The operator wallet calls GenesisV2Bootstrap, which has the backdoor, and transfers out the following tokens which had been deposited by users:

     • 1,153,216 LOOKS ($314k)
     • 6.014 XMON ($210k)
     • 200 WETH (~$320k)

  4. Multicall is called twice to convert the LOOKS and XMON tokens to ETH, and Withdraw is called to unwrap the WETH to ETH.

  5. The operator wallet calls Upgrade on the contract to patch the backdoor that they exploited.
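
The upgrade, drain, re-upgrade sequence in the attack flow above is a pattern a monitor can alert on. The following is an added example, not code from the original report or from CertiK's tooling: it scans a constructed, simplified event stream for an upgrade after which the upgrading address itself receives tokens from the upgraded contract. The event fields, the placeholder addresses (`0xVAULT`, `0xOPERATOR`, `0xUSER_A`), the 50-block window and the assumption that drained tokens land at the upgrading address are illustrative; the token amounts are those listed in the attack flow.

```python
from collections import defaultdict

# Constructed, simplified event stream (not real chain data). Addresses are
# placeholders; the token amounts are the ones listed in the attack flow.
EVENTS = [
    {"block": 10, "kind": "upgrade", "contract": "0xVAULT", "caller": "0xOPERATOR"},
    {"block": 101, "kind": "transfer", "contract": "0xVAULT", "token": "WETH",
     "to": "0xUSER_A", "amount": 24.0},          # ordinary user withdrawal
    {"block": 150, "kind": "upgrade", "contract": "0xVAULT", "caller": "0xOPERATOR"},
    {"block": 152, "kind": "transfer", "contract": "0xVAULT", "token": "LOOKS",
     "to": "0xOPERATOR", "amount": 1_153_216.0},
    {"block": 152, "kind": "transfer", "contract": "0xVAULT", "token": "XMON",
     "to": "0xOPERATOR", "amount": 6.014},
    {"block": 153, "kind": "transfer", "contract": "0xVAULT", "token": "WETH",
     "to": "0xOPERATOR", "amount": 200.0},
    {"block": 160, "kind": "upgrade", "contract": "0xVAULT", "caller": "0xOPERATOR"},
]


def find_upgrade_drains(events, max_gap_blocks=50):
    """Flag upgrades after which the upgrading address itself receives tokens
    from the upgraded contract within max_gap_blocks (assumed window)."""
    ordered = sorted(events, key=lambda e: e["block"])
    findings = []
    for i, up in enumerate(ordered):
        if up["kind"] != "upgrade":
            continue
        drained, repatched_at = defaultdict(float), None
        for ev in ordered[i + 1:]:
            if ev["contract"] != up["contract"]:
                continue
            if ev["block"] - up["block"] > max_gap_blocks:
                break
            if ev["kind"] == "upgrade":
                # A follow-up upgrade by the same caller may hide the backdoor.
                if ev["caller"] == up["caller"]:
                    repatched_at = ev["block"]
                break
            if ev["kind"] == "transfer" and ev["to"] == up["caller"]:
                drained[ev["token"]] += ev["amount"]
        if drained:
            findings.append({"contract": up["contract"], "upgrader": up["caller"],
                             "upgrade_block": up["block"], "drained": dict(drained),
                             "repatched_at": repatched_at})
    return findings


if __name__ == "__main__":
    for finding in find_upgrade_drains(EVENTS):
        print(finding)
```

The user withdrawal at block 101 is not flagged; only the upgrade at block 150 is, with `repatched_at` set to 160 because the same caller upgraded again after the outflows.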

Profit Tracing

As of writing, the ETH from this incident was split into 3 equal shares and sent to these wallets, where it still sits. It is likely that the scammers are looking for ways to launder the stolen funds; however, with the recent blacklisting of Tornado Cash by OFAC, this isn’t as straightforward anymore.

  • 0x049…
  • 0xbfb…
  • 0x75c…

Conclusion

In previous exit scams of this nature, the next steps are very predictable with the funds almost certainly being deposited into Tornado Cash. However, since the blacklisting of the mixing protocol by OFAC, scammers have to think twice before they use the protocol. We saw this happening with the Curve Finance DNS attack where the hackers opted to send stolen assets to centralized exchanges as a primary option, and Tornado Cash as a secondary. It’s possible that in this case, the scammers will look to “peel” the stolen funds, sending small amounts to new addresses in an attempt to confuse the picture on where the funds originated from.

Transparency in a Web3 project should be a key consideration for an individual investing in a protocol. The fact that the SudoRare team announced that they will remain 100% anonymous should be a warning. Anonymous teams can reassure investors with a third party KYC to clear any doubts. With a CertiK KYC, our background investigators and analysts take a detailed look into the history of individuals behind a project. Checking the CertiK leaderboard for our KYC badge can help you DYOR into trusted projects.