Introduction

On 12 January, 2023 CertiK detected a suspicious deposit of funds into Tornado Cash. We traced the origins to an externally owned address (EOA) 0x5695E. This address creates two contracts named CirculateBUSD and CirculateWBNB along with an additional unverified contract. The Start Trade function within the Circulate contracts contained a third party dependency that transfers funds to the deployer and drains the contract. Upon further investigation, we observed the same actions on similar contracts on Avalanche deployed by 0x5695E. In total, the exit scam amounts to approximately $2.5m.

Event Summary

On 12 January, 2023 at around 07:50 AM +UTC, CertiK detected large sums of ETH being deposited into Tornado Cash. Afterwards, we observed another wallet depositing large amounts of ETH at 08:05 AM +UTC. Both of the Ethereum wallets received funds from 0x5695E on the Binance Smart Chain who had bridged ETH through Multichain Router.

EOA 0x5695E created three contracts; CirculateBUSD, CirculateWBNB and an unverified contract which is referred to as the “SwapHelper”. We identified the exact same contracts on Avalanche but were named CirculateUSDC and CirculateWAVAX. We have not been able to link these contracts to an off-chain entity at the time of writing, however the contracts appear to be yield generating contracts that offer a return for customer deposits.

The Start Trade function contained a third party dependency with the SwapHelper contract. Within the SwapHelper, EOA 0x5695E was set as the recipient meaning that once Start Trade is called in the Circulate contracts, funds deposited into these contracts are transferred to 0x5695E. This means that the incident is highly likely an exit scam since the deployer set their own address in the SwapHelper contract, which allowed them to seize the drained funds.

Contract Analysis

The Circulate contracts were deployed on 09 January, 2023 by 0x5695E and began receiving deposits from multiple EOAs. The contract initially appeared to be working as planned, with investors seemingly being able to Deposit and Claim All Rewards. On 11 January, 2023 1086 unique addresses transferred funds into the CirculateBUSD contract, with 267 unique addresses transferring into CirculateWBNB.

Image: CirculateBUSD Contract Analytics: bscscan

Image: CirculateWBNB Contract Analytics: bscscan

Over a period of two days, the CirculateBUSD contract accumulated over $2 million worth of BUSD with the CirculateWBNB contract receiving ~$307,000.

Vulnerability

The attack was made possible due to a third party dependency in the Start Trading function within the Circulate contracts. When EOA 0x5695E calls the Start Trade function, the SwapHelper contract calls 0x6343756 signature.

Image: Start Trade Transaction Analysis: bscscan

The SwapHelper contract is unverified, however after decompiling the code we see that within signature 0x6343756, the deployer wallet (0x5695E) is set within Storage_6, with the amount of 2m BUSD set in Storage_7.

Image: Signature 0x6343756 Decompiled.

Image: Storage_6 containing Deployer EOA.

This means that the when the Start Trading function is called, the 0x6343756 signature in the swap helper checks if the 2 million BUSD is present and then transfers to the address stored in Storage_6. This is why 2 million BUSD is transferred to EOA 0x5695E in the below transaction:

Image: Start Trade Function. Bscscan

The exact same function was called by 0x5695E on CirculateWBNB which transferred an additional ~$283,000 to the deployer wallet. In addition, the same process took place on the CirculateUSDC and CirculateWAVAX contracts on Avalanche.

Asset Tracing

The funds from BSC and Avalanche were bridged to the Ethereum mainnet before being deposited into Tornado Cash via three EOAs.

Image: Flow Of Funds. CertiK

Conclusion

At the time of writing, it is currently unknown how the scammer in this incident was able to get large investment into their recently created Circulate contracts. However, it is highly likely that the contracts were scams from the beginning due to design bug in the SwapHelper contract. On the whole, third party dependencies in smart contracts present a security risk. Whilst reliance on third parties such as the use of oracles is sometimes unavoidable, developers should avoid these dependencies as much as possible. You can read more about smart contract audits in our blog and how they can help protect projects from many different vulnerabilities.