CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Reports
Incident Analysis
Santa Coin Incident Analysis
11/25/2022
Santa Coin Incident Analysis

TL;DR

On October 24, 2022, the Santa Coin team conducted an exit scam on $SANTA token and stole 765 BNB (~$209K) from $SANTA holders. The deployer has been slowly draining liquidity over a long period of time; however, our analysis explicitly focuses on the funds drained on October 24, 2022.

Introduction

Santa Coin was originally launched as a meme coin in November 2021. The Santa Coin team claimed to be expanding with the addition of experienced developers and crypto marketers that will “carry on with the vision of creating a rewarding ecosystem focused on Defi & NFT P2E gaming”.

On August 15, the Santa Coin moderator posted an announcement in the Official Santa Coin Telegram that was later edited by the team. It is unclear what the announcement from the Santa Coin team originally said. It appears that the Santa Coin team planted the message on August 15 2022, so that the moderator could go back and make it appear to holders that this incident was a migration rather than an exit scam while taking additional funds from holders who attempted to migrate through the fake migration phishing link.

Santa coin image 1 Image: Santa Coin moderator Telegram migration announcement Screen Shot 2022-11-23 at 9.10.40 AM Image: Phishing Link from Santa Coin moderator Telegram announcement

The link provided in the Santa Coin Telegram announcement led $SANTA holders to phishing website Coin Trading Solution (hxxps://vnxymiigrattiiontechliveweb.homes). According to who.is, Coin Trading Solution was registered on November 1st, eight days after the incident. Screen Shot 2022-11-23 at 9.41.59 AM Image: Coin Trading Solution website

Users were then prompted to select the option to migrate (various other functions were also available); the website then asked holders to provide their private keys (pictured below). Screen Shot 2022-11-23 at 10.23.14 AM Image: Coin Trading Solution prompt for private keys

Attack Flow

The Santa Coin deployer called the removeLiquidity() function to drain the liquidity from the Pancakeswap pool, removing approximately 600 BNB in multiple transitions.

The deployer then sent 39,535,213,129,140 $SANTA tokens to the second actor 0xc80... in the following transaction: 0x35b97e72048419c7fc056e255af27aa36523031e1b7be7000e644a5d6845f2f6

Finally, the second rugpuller then sold these tokens for 165 BNB.

Addresses

Santa Coin: https://bscscan.com/token/0x4f1a6fc6a7b65dc7ebc4eb692dc3641be997c2f2

Deployer (first rugpuller): https://bscscan.com/address/0x1a97098b09b8be6b457fab6f14f9cbe42c19a2f5

Second rugpuller: https://bscscan.com/address/0xc80d7eb1526364e6734c9a35ea56471ea91fae60

Pancakeswap pool: https://bscscan.com/address/0xfdf3b6a027839a30a5de3e355708fd45c323f7ec

Exploit Transactions

In this exit scam, there are many token sales and remove liquidity transactions:

Deployer (first rugpuller): https://bscscan.com/tx/0xdd3bb66b981cd13d0f8c4bbc5caf0c26d402b823c6998595c1292e6958a9e280 https://bscscan.com/tx/0x28e4d7b7ab53b993f139c7aa24c93bd050e09ba6235163b1425757a889746161

Second rugpuller: https://bscscan.com/tx/0xe5bfde849d9e2a3945fc49df795c197c76377598714ba5e1f36a72641d45715c

https://bscscan.com/tx/0xa8cbb632385c5864334487dbbeb23c766843d3b6f3044301ac905d1de8b5ce52

https://bscscan.com/tx/0x1c0c535426e8e0877e5bea97caf484f32fe4552558e33f286fed176b7f0deba7

See DeBank | Your DeFi wallet for a complete list

Profits and Asset Tracing

Total funds lost from holders in this exit scam was around 765 BNB (~$209K). The 595 BNB has been transferred from the deployer wallet (first rugpuller) to 0xc94. Funds were then transferred to wallet 0xc40. The other 165 BNB from the second rugpuller has been sent to account 0xc40. Since the incident, 0xc40 distributed the tokens to Pancakeswap, BUSD-T Stable coin, and 0xb2E.

Conclusion

It is almost certain that this token was designed to be an exit scam from the beginning. The issue lies in intentional poor contract design and the initial token distribution created by the actors. Since the incident, Santa Coin’s Twitter is still up and has been stripped of previous promotional tweets of Santa Coin. Is this in preparation for a promotion of a new coin this year?

Protect yourself and your assets by following @CertiKAlert on Twitter to stay up to date on all the latest Web3 security news, and visiting certik.com as part of your due diligence.

Do your own research and beware of scam tokens this holiday season!

Related Stories
Hedgey Finance Incident Analysis
Blogs
Incident Analysis
New
On 19 April 2024, Hedgey Finance was exploited for approximately $2 million on Ethereum in addition to a number of BONUS tokens on Arbitrum. The attacker took advantage of an oversight in the project’s ClaimCampaigns contract in which token approvals were not revoked, meaning anyone who used the createLockedCampaign() function could transfer tokens from the contract to themselves.
5/6/2024
Risk On Blast Incident Analysis
Blogs
Incident Analysis
On 24 February, GambleFi project RiskOnBlast is thought to have become the first confirmed exit scam to occur on the Blast ecosystem, a layer-2 project on Ethereum.
3/29/2024
Prisma Finance Incident Analysis
Blogs
Incident Analysis
On 28 March, Prisma Finance was exploited by multiple addresses leading to a loss of approximately $12.3 million. Three attackers took advantage of a vulnerability in the Prisma Finance MigrateTroveZap contract which allowed them to manipulate a migration process. Since the exploit occurred, a wallet that received funds from the main exploiter has reached out to the Prisma Finance deployer declaring that their actions were a white hat rescue.
3/29/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;