TL:DR
On Tuesday, June 21st, 2022, the LV Metaverse (LV PLUS) was rugpulled, causing a loss of around $1.5M USD. At writing, there have been no official statements on any social media accounts run by the LV Metaverse in reference to the rugpull. CertiK experts assessed that there were several wallets that were involved, with the largest being ~$1,031,863 BUSD being dumped from a single wallet related to the LVP deployer.
Summary
On Tuesday, June 21st, 2022, the LV PLUS token suffered a loss of around $1.5M. LV PLUS claimed to be part of the “LV Metaverse.” They have yet to publicly acknowledge the attack on any of their social platforms, but continue to post their regular announcements about trading the coin.
The LV Plus token was to be the foundation of the LV Plus blockchain, which allows users to interact in various unspecified ways. Token holders can participate in computing and storage as well as gas and transaction fees on the network. The tokens were also supposed to be available for applications and games.
At this time, the loss is being reported as a rugpull due to the wallet that dumped the tokens and causing the crash having received the tokens directly from the LV Plus contract deployer. However, it seems there have been about 5 major wallets that dumped tokens after receiving them from the deployer wallet, with the largest wallet dumping ~$1,031,863 and totaling nearly ~$1.5 Million in total taken in the rug.
The wallets then sent these funds to what appears to be a profit aggregation account, where we can see they have profit from other additional rug pulls and sources coming to nearly ~$7 Million total at time of writing. Funds are currently still in the scam-profit aggregator wallet.
LVP Token was not in any way associated with Louis Vuitton brands, and had many indicators of being a scam as well - 18.7% tax on selling, and high centralization. Not quite a honeypot but feels close real close with that tax.
Exploit Transactions
Scammer Wallet A - 0x1e156…
Estimate: $1,031,847 over 34 transactions
Scammer Wallet B - 0x9730b…
Estimate: $335,061.43 over 12 transactions
Scammer Wallet C - 0x91742… TBD
Scammer Wallet D - 0x4d115…
Scammer Wallet E - 0x2c48b…
Attack Flow
Deployer sends money to 3,000,000,000,000,000 LVP tokens to 0x4bf19… 8 days ago
Then Scammer Wallet A receives 150,000,000,000,000 LVP tokens 0x4bf1980 and starts selling periodically on Jun-21-2022 05:40:10 PM +UTC.
Similarly Scammer Wallet B receives liquidity tokens from the token contract and then then sells the tokens:
Contracts Vulnerability Analysis
Centralized dumping from deployer wallet related addresses and the contract has an EOA (externally owned address) contract hardcoded to receive fee tokens from transfers.
Profit and assets tracing
Many related addresses to the incident but roughly $1.5 Million was taken from LVP; and in the aggregator profit wallet we can see approximately ~$7M USD related to other scams and some other unknown sources.
Can we spot the issue during the audit?
Yes, it’s an initial token distribution issue and centralization issue. Deployer wallet sends tokens to malicious scamming wallets.
