Back to all stories
Reports
Incident Analysis
Revisiting DecentraWorld
7/1/2022
Revisiting DecentraWorld

TL;DR

On May-24-2022 05:48:30 PM +UTC, the DecentraWorld token price dropped over 97%. DecentraWorld project was identified as rugpulled, leading to a little over >$1M USD loss (~3127 BNB). Social media accounts have been removed following the rug.

Event Summary

DecentraWorld DEWO token price crashed, while the official website and Twitter account of the project were deleted. The price drop was unexpected as the project, and its native token had seen a very positive development trend up to that moment. The drop resulted from a rug pull worth over $1 million after the founding team drained the treasuries of the project and stole 3,127 BNB. Some users also discovered that BNB Chain is to blame for building this situation and making the rug doable.

Some Twitter users alleged that the rug took place hours after SafeMoon whitelisted the DecentraWorld tackle as a Safeswap lover. Although this has not been confirmed, SafeMoon did formally ban the wallet handle affiliated with the rug pull.

The project promised: “an ecosystem of dapps with privacy protocols by default”. Below is the archive of their old website:

DecentraWorld - Increasing Privacy Standards In DeFi

Attack Technical Analysis

  1. The deployer launched the DecentraWorld token ($DEWO) in this transaction, with total supply of 100,000,000. bQxyQW zWhIvlkz7KrNWmmUHmM6o4gz zUB5KWkhR6qnG Zj3yPJXktD Kr1fKTiPuzyjwd6GLvFCSAKcCR6rSB2ytYXPUOUAPmA88FlLRNqZyqXIdk5eRKzeinBFO1EddVUjr96FRsAgEAUsw

  2. The deployer distributed some tokens and the rest were left in the deployer’s address.

sjGRSj7KU 5FBWPIjq39aJCjVVHsZfbM3zGPmQSQv-cLBRUiFrzaZdZkFWAXteZzq6Tn1OOqQGxV09MhqapBhv7Mfr6rNIGbvZgWhtRTAhw-CPYZnOWwpS4Wd8bCAITRBqvxFJmkKBTgA3e26Q

  1. The deployer accumulated tax/fees (in the form of DecentraWorld token) from DecentraWorld token transferral.

  2. The deployer sold 31,825,441 DecentraWorld token gained from step 2 and 3 for $1M in transaction 0x94018

Contract Vulnerability Analysis

Typical security concern with the Initial token distribution is a centralization related risk that the project holds the majority of the tokens minted during the deployment phase, which may be sold without reaching the consensus of the community.

10QERqzVYwnv0FS4S2vUjLWxUpvTItf4JoJwkBdhlCqeuvLraK6QC0g4VOE5HI0tMAKNERC-L2LAtUAwzumEx8pI6ZJIbFk23NrGC X183BJm9QkoBTami1 y9JKDh86yEfyjnf8K0iKqCx8xw

Furthermore, there are fees accumulated in the deployer’s address, which is also a centralization related risk.

P29QH6dzFXepT4kbQoP5ix-VYOlNiTKsfRagFFyK06tONC wNER uizEXmG45txjCeLE7tgYjYphzXH-xWRAhoBVcGz7a2Y9C7yRYwE2y3y-9i-neS raOwUmvRzUGG62NJtWhny rm50Fqkcg -e9m27QwemyW5xtX9aURvsBhkchOeiIVJHOiZ58HSaAPqVFqKixudhy-BeIyJogj1T7txcEg3ZfjOMBOHBY2euaHwZFwoppeIH6Ixlx5WiRWH0TC5eozqvsK7I-3k PqgmVxKcJSJXpevQ1j8w

Profit and Assets Tracing

In total, 3,127 BNB ( ~ $1 M USD) was rugged to the deployer’s address. The deployer moved the funds(3128.24 BNB) to address 0x3b9dc. The funds were held in address 0x3b9dc.

In the PancakeSwap V2: $DEWO 3, around 1831 BNB was decreased.

Would we spot the issue during the audit?

This issue can be identified and noted during the audit as “initial token distribution”. Initial token distribution is a common pattern that the project team will set or initial funding in the beginning, whereby the team decides how many tokens they will give, grant or sell, and to whom.