1/25/2023
Yield Robot Exit Scam

Introduction

On 17 January 2023, the Yield Robot contract on the Binance Smart Chain (BSC) was drained of user deposits amounting to approximately $2.1 million. Initially, the Yield Robot team announced on its social media channels that the project had been exploited. However, clear on-chain evidence shows that this incident was an exit scam.

Event Summary

On 17 January 2023, approximately 2.1 million BUSD was drained from the Yield Robot contract in what the project's team described on Telegram as an exploit. An individual going by the name Maneesh Agrawala posted on the project's Telegram channel that Yield Robot had suffered an attack and that Maneesh was attempting to reach out to the hacker. Maneesh also asserted that the incident was not an exit scam and that they were taking personal responsibility for what happened. To appear genuine, Maneesh promised to use their personal funds to make investors whole.

Image: Announcement on Yield Robot Telegram. Source: Telegram.

However, 48 hours passed from the initial incident and no further announcements were made. In fact, the project's social media accounts were deleted, making it clear that this was an exit scam. Furthermore, on-chain evidence strongly indicates that project members were closely involved in this incident. For example, the deployer of the Yield Robot contracts initiated transactions that contributed to the theft of investor funds.

Attack Analysis

The incident was possible because the project's signer wallet was changed. This change allowed the exploiter to redeem a coupon that would otherwise have been rejected.

  1. Yield Robot implemented a coupon system. Users were able to earn and redeem coupons, which would add to their reward balance. For a coupon to be valid it needed to be signed by a designated signer address. Two days prior to this incident, the Yield Robot deployer (0x6306a) changed the signer wallet address to EOA 0x3f531.

Image source: BscScan

  2. On 17 January 2023, EOA 0x8f2db called the setCoupon() function in the Yield Robot contract and passed in the data shown in the screenshot below.

Image: EOA 0x8f2db claims a coupon worth around $2.1m. Source: BscScan

For the coupon to be approved, the contract verified that the coupon's signer matched the current signer address. Because the signer had just been changed to 0x3f531, the coupon passed this check and the coupon amount of approximately $2.1m was added to the reward balance of EOA 0x8f2db.

Image source: BscScan

  3. After successfully claiming the coupon, EOA 0x8f2db deposited $1 into the Yield Robot contract. The Yield Robot contract enforces a check that a user must have made at least one deposit before being allowed to claim rewards, and this nominal deposit satisfied it.

Image source: BscScan

  4. EOA 0x8f2db then called claimAllReward(), which transferred their reward balance to their wallet. In total, $2,119,706 was transferred to EOA 0x8f2db.

Image source: BscScan

  5. In an effort to take more funds from users, the Yield Robot deployer wallet (0x6306A) was used to create an unverified contract. The unverified contract, which has been partially decompiled, appears to be a copy of the Yield Robot contract. Given the behaviour of this new contract, it is likely a copy/paste that retains all of the original functionality, with the exception of the Yield Robot deposit address, which was changed to 0x8f2db.

As new deposits were made, the funds were forwarded to 0x8f2db. After approximately 20 hours, new deposits were redirected back to the original deposit wallet (0xb8CDa).

Image source: BscScan

Image source: BscScan
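The two red flags in the steps above (a large coupon accepted shortly after the signer key was rotated, and a multi-million reward claim unlocked by a $1 deposit) can be checked mechanically against a contract's transaction history. The following Python script is an added example, not code from this report or from the Yield Robot project; the event timeline is constructed to mirror the report, the name setSigner() for the signer-change call and the alert thresholds are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime       # block timestamp
    sender: str        # EOA that sent the transaction
    func: str          # function called on the Yield Robot contract
    args: dict = field(default_factory=dict)


# Constructed sample timeline modelled on the report; not real on-chain data.
# "setSigner" is an assumed name for the signer-change call described in step 1.
SAMPLE_EVENTS = [
    Event(datetime(2023, 1, 15, 12, 0), "0x6306a", "setSigner", {"new_signer": "0x3f531"}),
    Event(datetime(2023, 1, 17, 9, 0), "0x8f2db", "setCoupon", {"amount": 2_119_706, "signer": "0x3f531"}),
    Event(datetime(2023, 1, 17, 9, 5), "0x8f2db", "deposit", {"amount": 1}),
    Event(datetime(2023, 1, 17, 9, 10), "0x8f2db", "claimAllReward", {"amount": 2_119_706}),
]


def flag_suspicious_claims(events, window=timedelta(days=7), min_amount=100_000, ratio=1_000):
    """Return alerts for the two patterns seen in the incident:
    1. a coupon of at least `min_amount` accepted under a signer key that was
       rotated within `window` before the claim;
    2. a reward claim of at least `min_amount` exceeding `ratio` x the claimant's
       total deposits (a $1 deposit unlocking a $2.1m claim)."""
    alerts = []
    deposits = {}          # running total of deposits per sender
    signer_changes = []    # (timestamp, new signer) seen so far, in time order
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.func == "setSigner":
            signer_changes.append((e.ts, e.args["new_signer"]))
        elif e.func == "deposit":
            deposits[e.sender] = deposits.get(e.sender, 0) + e.args["amount"]
        elif e.func == "setCoupon" and e.args["amount"] >= min_amount:
            fresh = [s for t, s in signer_changes if e.ts - window <= t <= e.ts]
            if e.args.get("signer") in fresh:
                alerts.append({"kind": "coupon_after_signer_rotation",
                               "sender": e.sender, "amount": e.args["amount"]})
        elif e.func == "claimAllReward" and e.args["amount"] >= min_amount:
            if e.args["amount"] > ratio * deposits.get(e.sender, 0):
                alerts.append({"kind": "claim_vs_deposit_mismatch",
                               "sender": e.sender, "amount": e.args["amount"]})
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_claims(SAMPLE_EVENTS):
        print(alert)
```

On the sample timeline both rules fire for 0x8f2db; shrinking the window to one day drops the signer-rotation alert, since the rotation happened roughly 45 hours before the claim.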

Conclusion

The Yield Robot incident is the third largest exit scam to occur in 2023, with all such attacks this year totaling over $10 million at the time of writing. The incident was possible because of centralization risks within the project: the deployer was able to set the signer to whichever wallet they wanted. Centralization presents a major risk to crypto projects because it creates a single point of failure that can be abused either by an external malicious actor or by an insider. You can search for CertiK audited projects on certik.com to check which projects carry centralization risks, which can assist you in doing your own research. Follow @CertiKAlert on Twitter to stay up to date with all the relevant Web3 security news and incidents as they occur.
