On 9 October, the price of the LSC token dropped by 99% due to a token dump carried out by externally owned address (EOA) 0x9Ef72, which withdrew LSC tokens from two contracts owned by the Lucky Star Currency project. The tokens were then swapped for approximately $1.1 million, making it the largest exit scam seen in October so far.
The Lucky Star Currency project consists of a token contract, an Award Center contract and an NFT Merge contract. The owner of the Award Center and NFT Merge contracts called withdrawToken, which transferred a total of 3,095,977.40 LSC tokens to the owner. The withdrawToken function is privileged and can only be called by the owner of the contracts.
From there, 3 million LSC tokens were swapped for USDT causing an approximate 98% slippage.
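The two-stage pattern described above (a contract pays out to its own owner, then the owner sells into a liquidity pool) can be expressed as a monitoring rule over token transfer records. This is an added example, not CertiK's tooling or code from the project; `detect_owner_drain`, the placeholder addresses, the thresholds, the block numbers and the per-contract split are all assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

Transfer = namedtuple("Transfer", "block token sender recipient amount")

def detect_owner_drain(transfers, owners, dex_pairs, balances,
                       drain_ratio=0.9, max_block_gap=1200):
    """Flag an owner that empties contracts it controls, then sells the token.
    owners: contract -> owner address; dex_pairs: set of pool addresses;
    balances: (contract, token) -> tokens held before the first transfer.
    drain_ratio and max_block_gap are assumed thresholds, tune per chain.
    """
    pulled = defaultdict(float)  # (contract, token) -> amount sent to its owner
    drained = {}                 # (owner, token) -> last drain block, contracts
    alerts = []
    for t in sorted(transfers, key=lambda x: x.block):
        if owners.get(t.sender) == t.recipient:
            # Stage 1: a contract pays out to its own owner.
            key = (t.sender, t.token)
            pulled[key] += t.amount
            held = balances.get(key, 0.0)
            if held and pulled[key] / held >= drain_ratio:
                rec = drained.setdefault((t.recipient, t.token),
                                         {"block": t.block, "contracts": set()})
                rec["block"] = t.block
                rec["contracts"].add(t.sender)
        elif t.recipient in dex_pairs and (t.sender, t.token) in drained:
            # Stage 2: that owner sends the same token to a pool soon after.
            rec = drained[(t.sender, t.token)]
            if t.block - rec["block"] <= max_block_gap:
                alerts.append({
                    "owner": t.sender, "token": t.token, "sold": t.amount,
                    "drained_contracts": sorted(rec["contracts"]),
                    "withdrawn": sum(pulled[(c, t.token)] for c in rec["contracts"]),
                })
    return alerts

# Constructed sample: placeholder addresses, assumed per-contract split and block
# numbers. Only the 3,095,977.40 LSC total and 3M swap come from the article.
OWNERS = {"AWARD_CENTER": "OWNER_EOA", "NFT_MERGE": "OWNER_EOA"}
BALANCES = {("AWARD_CENTER", "LSC"): 2_000_050.00, ("NFT_MERGE", "LSC"): 1_095_977.40}
SAMPLE = [
    Transfer(100, "LSC", "AWARD_CENTER", "USER_1", 50.0),   # ordinary reward payout
    Transfer(205, "LSC", "AWARD_CENTER", "OWNER_EOA", 2_000_000.00),
    Transfer(206, "LSC", "NFT_MERGE", "OWNER_EOA", 1_095_977.40),
    Transfer(210, "LSC", "OWNER_EOA", "LSC_USDT_PAIR", 3_000_000.00),
    Transfer(300, "LSC", "USER_1", "LSC_USDT_PAIR", 50.0),  # ordinary user sale
]
ALERTS = detect_owner_drain(SAMPLE, OWNERS, {"LSC_USDT_PAIR"}, BALANCES)
print(ALERTS)
```

The rule flags only the owner's sale: the reward payout and the user's own sale in the sample do not match either stage.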
The 1.1 million USDT were then transferred to EOA 0x23f8c which currently holds 1.2 million USDT. This wallet also received USDT from a number of EOAs that date back to 18 July. However, there is currently no indication that the funds sent to EOA 0x23f8c on 18 July originated from malicious activity.
The project’s Telegram admin posted an alert claiming that the project had been attacked by a hacker, which they state took place during a systems upgrade. The supposed update was announced on 8 October and claimed to include a modified reward display page, market page optimization, and a countdown logic optimization. The on-chain activity clearly shows the owner of the AwardCenter and NFTMerge contracts calling the privileged function and then swapping the LSC tokens for USDT.
If the project was attacked as claimed, this would mean that the private key of the owner wallet was compromised. However, the explanation provided by the Lucky Star Currency admin does not mention that a privileged wallet was compromised. Until CertiK acquires more evidence, we will continue to assess this incident as an exit scam.
CertiK can confirm that the LSC project uses the X account handle @AstrAstrol75591, where we can see the project’s website and Telegram handle, as well as the LSC token contract.
The project’s website is currently down. However, the Telegram group is still open. From here, we can learn more about the entity controlling the Lucky Star Currency token. The Telegram group confirms that the AwardCenter and NFTMerge contracts are owned by the Lucky Star Currency project. In the following Telegram posts we can see the project’s admin confirming the contracts that the project owns.
Based on videos posted in the project’s Telegram group, we can assess that Lucky Star Currency likely has physical offices in Shenzhen. In the following post we can see an entrance to an office which says “Shengxin Shenzhen Community”:
September 2023 saw the lowest number of exit scams, resulting in the lowest amount lost. The month saw 17 incidents causing a $1.8 million loss for investors. The Lucky Star Currency incident is the third-largest exit scam that CertiK recorded since August 2023 and is the largest incident when combining all exit scams in September and October 2023. The overall loss in October from exit scams has already eclipsed the overall losses in September, with $2.8 million lost to exit scams so far from six incidents.
The Lucky Star Currency exit scam is the 19th largest incident in terms of USD value lost in 2023, just behind another Chinese-based exit scam called IEGT. This exit scam is also the 282nd incident, meaning that we will likely surpass the overall number of exit scams seen in 2022, which totalled 314 incidents. At the same time last year, there were only 237 incidents recorded. Despite the bear market, CertiK has detected an increase in exit scams, which is likely due to scam projects taking advantage of the hype around new protocols coming online such as Arbitrum and zkSync, as well as scammers mimicking these protocols with fake tokens.
CertiK will continue to categorize this incident as an exit scam since the claims from the Lucky Star Currency team of a hack lack detail or evidence. This incident occurred due to centralization risks in the Award Center and NFT Merge contracts, which allowed the owner to drain all LSC tokens that were held by the two smart contracts. A CertiK audit would highlight this issue as a major risk. When visiting Skynet, users can see how centralized a project is by selecting a protocol and navigating to the Governance Strength. From here you can observe key metrics through Centralization Scanning. Be sure to visit skynet.certik.com to help you do your own due diligence.