
Revisiting DecentraWorld


TL;DR

On May-24-2022 05:48:30 PM +UTC, the DecentraWorld token price dropped over 97%. The DecentraWorld project was identified as a rug pull, leading to a loss of a little over $1M USD (~3127 BNB). Social media accounts have been removed following the rug.

Event Summary

The DecentraWorld DEWO token price crashed, while the official website and Twitter account of the project were deleted. The price drop was unexpected, as the project and its native token had seen a very positive development trend up to that moment. The drop resulted from a rug pull worth over $1 million, after the founding team drained the treasuries of the project and stole 3,127 BNB. Some users also held that BNB Chain is to blame for creating this situation and making the rug possible.

Some Twitter users alleged that the rug took place hours after SafeMoon whitelisted the DecentraWorld address as a SafeSwap partner. Although this has not been confirmed, SafeMoon did formally ban the wallet address affiliated with the rug pull.

The project promised: “an ecosystem of dapps with privacy protocols by default”. Below is the archive of their old website:

DecentraWorld - Increasing Privacy Standards In DeFi

Attack Technical Analysis

  1. The deployer launched the DecentraWorld token ($DEWO) in this transaction, with a total supply of 100,000,000.

  2. The deployer distributed some tokens and the rest were left in the deployer’s address.


  3. The deployer accumulated tax/fees (in the form of DecentraWorld tokens) from DecentraWorld token transfers.

  4. The deployer sold 31,825,441 DecentraWorld tokens gained from steps 2 and 3 for $1M in transaction 0x94018

Contract Vulnerability Analysis

A typical security concern with initial token distribution is the centralization-related risk that the project holds the majority of the tokens minted during the deployment phase, which may be sold without the consensus of the community.


Furthermore, fees accumulate in the deployer’s address, which is also a centralization-related risk.
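Both risks can be measured by replaying a token's transfer history and checking what a privileged address ends up controlling. The sketch below is an added example, not CertiK's tooling or the DEWO contract code. The addresses, the 5% fee, the fee exemption, the per-holder amounts and the 10% threshold are constructed assumptions; only the 100,000,000 supply and the 31,825,441 token figure come from the article.

```python
from collections import defaultdict

MINT = "0x0"                 # zero address: source of newly minted tokens
DEPLOYER = "0xDEPLOYER"      # placeholder, not the real deployer address
TOTAL_SUPPLY = 100_000_000   # total supply stated in the article
FEE_BPS = 500                # constructed: 5% transfer fee paid to the deployer

# Constructed transfer history (sender, recipient, amount) following steps 1-3.
EVENTS = [
    (MINT, DEPLOYER, 100_000_000),   # step 1: whole supply minted to deployer
    (DEPLOYER, "0xA", 40_000_000),   # step 2: partial distribution
    (DEPLOYER, "0xB", 30_000_000),
    ("0xA", "0xC", 20_000_000),      # step 3: holder transfers pay the fee
    ("0xB", "0xC", 16_508_820),
]

def replay(events, fee_receiver, fee_bps):
    """Rebuild balances from transfers; return (balances, fees paid to fee_receiver)."""
    balances, fees = defaultdict(int), 0
    for sender, recipient, amount in events:
        # Assumption: mints and the fee receiver's own transfers are fee-exempt.
        fee = 0 if sender in (MINT, fee_receiver) else amount * fee_bps // 10_000
        if sender != MINT:
            if balances[sender] < amount:
                raise ValueError(f"{sender} overspends: {amount}")
            balances[sender] -= amount
        balances[recipient] += amount - fee
        balances[fee_receiver] += fee
        fees += fee
    return dict(balances), fees

def centralization_findings(balances, fees, privileged, supply, max_share=0.10):
    """Flag the two risks named above for one privileged address."""
    findings = []
    share = balances.get(privileged, 0) / supply
    if share > max_share:   # max_share is an illustrative audit threshold
        findings.append(f"initial token distribution: {privileged} holds {share:.1%}")
    if fees > 0:
        findings.append(f"fee accumulation: {fees:,} tokens routed to {privileged}")
    return findings

if __name__ == "__main__":
    balances, fees = replay(EVENTS, DEPLOYER, FEE_BPS)
    for finding in centralization_findings(balances, fees, DEPLOYER, TOTAL_SUPPLY):
        print(finding)
```

With this constructed history the deployer ends up holding 31,825,441 tokens, so both findings fire.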


Profit and Assets Tracing

In total, 3,127 BNB (~$1M USD) was rugged to the deployer’s address. The deployer moved the funds (3128.24 BNB) to address 0x3b9dc. The funds were held in address 0x3b9dc.

The BNB held in PancakeSwap V2: $DEWO 3 decreased by around 1831 BNB.

Would we spot the issue during the audit?

This issue can be identified and noted during the audit as “initial token distribution”. Initial token distribution is a common pattern in which the project team sets the initial funding at the beginning, deciding how many tokens they will give, grant or sell, and to whom.
