Introduction
On 6th January 2024, the XKingdom_Tech project stole community funds and deleted their website and all social media presence. In total, the XKingdom_Tech exit scam led to $1.2 million in losses making it one of the largest exit scams we have seen over the past few months. The stolen funds were bridged to Ethereum and deposited into Tornado Cash.
Event Summary
XKingdom advertized itself as a SocialFi and GameFi platform that was built on Arbitrum. The platform provided users with an application to “build kingdoms” on X by interacting with tweets, engaging in quests such as treasure hunts in order to earn project tokens. The project had three ERC-20 tokens as well as an NFT contract.
To participate in the xKingdom project, users would have to borrow() XKING tokens for ETH. Based on on-chain interactions with the xKingdom contracts, it appears that participants in the project could swap XKING tokens for XCOIN as well as claim another project token called XCROWN. The documentation that explains how all of these tokens interacted with each other has been deleted, however it is assumed that XCOIN and XCROWN tokens could be traded for XKING, which is the token backed by users funds.
To gain XKING tokens, users would call borrow() on TransparentUpgradableProxy contract 0xdcd4574e56411090b2a60010565b8e79d907275e. This call would transfer users ETH to 0xdcd which would then receive the XKING from the assumed admin contract 0x4456fb24289642077aD0F4A8b36223CBbE124a13. Although the 0x4456 contract is unverified, we can assess it’s role through a number of setConfig() and grantRole() functions.
This continued until the TransparentUpgradableProxy contract contained over 500 ETH.
The Exit Scam
The xKingdom contracts are unverified and therefore some assessments have been made in this analysis. In this section we’ll analyze the steps that the xKingdom deployer took in the creation of the project, and the steps they took in order to steal funds from xKingdom.
When analyzing contract 0x4456fb24289642077aD0F4A8b36223CBbE124a13, which is likely the projects admin contract, we can see that the deployer calls grantRole() in a number of transactions on the 29th December 2023. In grantRole, the MINTER_ROLE is added to each contract and is represented by 0x9f2df0fed2c77648de5860a4cc508cd0818c85b8b8a1ab4ceeef8d981c8956a6. When decompiling the admin contract, we can assess that for multiple functions to perform their intended operations, 0x9f2df0fed2c77648de5860a4cc508cd0818c85b8b8a1ab4ceeef8d981c8956a6 is required. Below, we can see an example of this. The requirement is also added to the claimETH function
We can see that the role is also given to contract 0xdcd4574e56411090b2a60010565b8e79d907275e in the transaction outlined below.
When decompiling 0xdcd45, we can see that it points to contract 0x8d35840Ca0FCd7D5ccaAA44A9db761906664982A which acts as the proxy admin to contract 0xdcd4574e56411090b2a60010565b8e79d907275e
At 12:52 AM UTC on the 4th January, the xKingdom called upgradeAndCall() which upgraded 0xdcd4574e56411090b2a60010565b8e79d907275e to new implementations.
Although the two implementations are unverified, CertiK did not find any specific change that would allow for an exit scam to take place. We already identified that the centralization risks around the claimETH and retrieveETH functions which also exist in the two new implementations.
The upgrades occur in between a number of failed transactions that the deployer initiated when interacting with the xKingdom contracts.
There is a realistic possibility that the deployer attempted to demonstrate that they were fixing an issue with the project by upgrading to new implementations. Part of the update included changes to the addLiquidity() function which continued to fail when called. The second revision added an extra call to revert() though contract calls continued to fail.
Movement of Funds
The deployer called claimETH() on proxy admin 0xdcd4574e56411090b2a60010565b8e79d907275e and 558.3 ETH was transferred from the proxy admin to EOA 0xeF7DD2264F41107Ba90ec7d3b88444F987d6A13D. After swapping some of the stolen ETH for stablecoins, the deployer bridged 1.02 million USDT and 99 ETH to the Ethereum network. The funds were then transferred to 0xCA1214fa5236E23b6D20aB8563AcA26be3a474c6 which swapped the stolen funds back to ETH and deposited into Tornado Cash.
Conclusion
The xKingdom incident is the second largest exit scam so far in 2024 which has already seen just over $4 million lost to such scams across six incidents. An unfortunate consequence of positive sentiment in markets are the scammers who will look to take advantage of investor hype and deploy malicious contracts. In order to gain a greater level of trust, project’s are able to gain KYC badges through CertiK’s thorough KYC process. Project’s who have undergone such verification will have a KYC badge on their profile and represents independent verification of the individuals behind a project.
