Santa Coin Incident Analysis
11/25/2022

TL;DR

On October 24, 2022, the Santa Coin team conducted an exit scam on the $SANTA token and stole 765 BNB (~$209K) from $SANTA holders. The deployer has been slowly draining liquidity over a long period of time; however, our analysis focuses specifically on the funds drained on October 24, 2022.

Introduction

Santa Coin was originally launched as a meme coin in November 2021. The Santa Coin team claimed to be expanding with the addition of experienced developers and crypto marketers that will “carry on with the vision of creating a rewarding ecosystem focused on Defi & NFT P2E gaming”.

On August 15, the Santa Coin moderator posted an announcement in the Official Santa Coin Telegram that was later edited by the team. It is unclear what the announcement from the Santa Coin team originally said. It appears that the Santa Coin team planted the message on August 15, 2022, so that the moderator could go back and edit it to make the incident look to holders like a migration rather than an exit scam, while taking additional funds from holders who attempted to migrate through the fake migration phishing link.

Image: Santa Coin moderator Telegram migration announcement

Image: Phishing Link from Santa Coin moderator Telegram announcement

The link provided in the Santa Coin Telegram announcement led $SANTA holders to the phishing website Coin Trading Solution (hxxps://vnxymiigrattiiontechliveweb.homes). According to who.is, Coin Trading Solution was registered on November 1st, eight days after the incident.

Image: Coin Trading Solution website

Users were then prompted to select the option to migrate (various other functions were also available); the website then asked holders to provide their private keys (pictured below).

Image: Coin Trading Solution prompt for private keys

Attack Flow

The Santa Coin deployer called the removeLiquidity() function to drain the liquidity from the PancakeSwap pool, removing approximately 600 BNB in multiple transactions.

The deployer then sent 39,535,213,129,140 $SANTA tokens to the second actor 0xc80... in the following transaction: 0x35b97e72048419c7fc056e255af27aa36523031e1b7be7000e644a5d6845f2f6

Finally, the second rugpuller sold these tokens for 165 BNB.
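The flow above maps onto a simple monitoring rule: attribute pool withdrawals to the deployer and to any wallet the deployer funds with a large token transfer. The following Python is an added example, not part of the original report or CertiK's tooling; the event records, field names, thresholds and the holder address are constructed assumptions, and only the two rugpuller addresses and the quoted amounts come from this page.

```python
from decimal import Decimal

DEPLOYER = "0x1a97098b09b8be6b457fab6f14f9cbe42c19a2f5"  # from the page
SECOND = "0xc80d7eb1526364e6734c9a35ea56471ea91fae60"    # from the page
HOLDER = "0xholder-placeholder"                           # constructed

# Constructed, simplified event records. Splitting the ~600 BNB into three
# removals is illustrative and does not reproduce the on-chain amounts.
EVENTS = [
    {"kind": "remove_liquidity", "actor": DEPLOYER, "bnb": Decimal(200)},
    {"kind": "token_sell", "actor": HOLDER, "bnb": Decimal(3)},
    {"kind": "remove_liquidity", "actor": DEPLOYER, "bnb": Decimal(200)},
    {"kind": "remove_liquidity", "actor": DEPLOYER, "bnb": Decimal(200)},
    {"kind": "token_transfer", "actor": DEPLOYER, "to": SECOND,
     "tokens": 39_535_213_129_140},
    {"kind": "token_sell", "actor": SECOND, "bnb": Decimal(165)},
]


def trace_insider_extraction(events, insiders, alert_bnb=Decimal(100),
                             min_tokens=10**12):
    """Sum the BNB taken out of the pool by the insider cluster.

    An address joins the cluster when an existing member sends it at least
    `min_tokens` tokens, so sales made from a second wallet are attributed
    to the same actors as the liquidity removals.
    """
    cluster = set(insiders)
    extracted = Decimal(0)
    alerts = []
    for index, ev in enumerate(events):
        if ev["actor"] not in cluster:
            continue  # ordinary holder activity is ignored
        if ev["kind"] == "token_transfer":
            if ev["tokens"] >= min_tokens and ev["to"] not in cluster:
                cluster.add(ev["to"])
                alerts.append((index, "large insider transfer", ev["to"]))
        elif ev["kind"] in ("remove_liquidity", "token_sell"):
            before = extracted
            extracted += ev["bnb"]
            if before < alert_bnb <= extracted:  # alert once, on crossing
                alerts.append((index, "insider extraction over threshold",
                               ev["actor"]))
    return {"cluster": cluster, "extracted_bnb": extracted, "alerts": alerts}


RESULT = trace_insider_extraction(EVENTS, {DEPLOYER})
```

With these constructed inputs the cluster total comes to 765 BNB, the sum of the approximate 600 BNB of removals and the 165 BNB sale described above.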

Addresses

Santa Coin: https://bscscan.com/token/0x4f1a6fc6a7b65dc7ebc4eb692dc3641be997c2f2

Deployer (first rugpuller): https://bscscan.com/address/0x1a97098b09b8be6b457fab6f14f9cbe42c19a2f5

Second rugpuller: https://bscscan.com/address/0xc80d7eb1526364e6734c9a35ea56471ea91fae60

PancakeSwap pool: https://bscscan.com/address/0xfdf3b6a027839a30a5de3e355708fd45c323f7ec

Exploit Transactions

In this exit scam, there are many token sales and remove liquidity transactions:

Deployer (first rugpuller): https://bscscan.com/tx/0xdd3bb66b981cd13d0f8c4bbc5caf0c26d402b823c6998595c1292e6958a9e280

https://bscscan.com/tx/0x28e4d7b7ab53b993f139c7aa24c93bd050e09ba6235163b1425757a889746161

Second rugpuller: https://bscscan.com/tx/0xe5bfde849d9e2a3945fc49df795c197c76377598714ba5e1f36a72641d45715c

https://bscscan.com/tx/0xa8cbb632385c5864334487dbbeb23c766843d3b6f3044301ac905d1de8b5ce52

https://bscscan.com/tx/0x1c0c535426e8e0877e5bea97caf484f32fe4552558e33f286fed176b7f0deba7

See DeBank for a complete list.

Profits and Asset Tracing

The total funds lost by holders in this exit scam were around 765 BNB (~$209K). 595 BNB was transferred from the deployer wallet (first rugpuller) to 0xc94, and the funds were then transferred to wallet 0xc40. The other 165 BNB from the second rugpuller was sent to account 0xc40. Since the incident, 0xc40 has distributed the tokens to PancakeSwap, BUSD-T stablecoin, and 0xb2E.

Conclusion

It is almost certain that this token was designed to be an exit scam from the beginning. The issue lies in the intentionally poor contract design and the initial token distribution created by the actors. Since the incident, Santa Coin’s Twitter account has remained up but has been stripped of its previous promotional tweets for Santa Coin. Is this in preparation for the promotion of a new coin this year?

Protect yourself and your assets by following @CertiKAlert on Twitter to stay up to date on all the latest Web3 security news, and visiting certik.com as part of your due diligence.

Do your own research and beware of scam tokens this holiday season!