SharkTeam: Analysis of the Rugpull Factory's Black Industry Chain

SharkTeam

In recent weeks, there have been multiple Rug Pull incidents, which the SharkTeam security research team has analyzed in detail. During the analysis, we discovered that the Rugpull factory contract on the BNB Chain has initiated over 70 Rug Pulls in the past month. Next, we will conduct an analysis on fund tracing, fraudulent behavior patterns, and other aspects.

Due to space limitations, we will primarily analyze the events related to the SEI, X, TIP, and Blue tokens. These tokens are created through the createToken operation of the token factory contract 0xDC4397ffb9F2C9119ED9c32E42E3588bbD377696.

The createToken function takes the following parameters to create a token: token name, token symbol, precision, supply, token owner address, token pair factory contract address, and BUSD-T stablecoin address. The token pair factory contract used is the PancakeSwap factory contract, and each token has a different owner address.

I. Fund Tracing

The owner addresses, symbols, and contract addresses of the SEI, X, TIP, and Blue tokens are shown in the following image. The owner address for the X, TIP, and Blue tokens is 0x44A028Dae3680697795A8d50960c8C155cBc0D74.

The funds in 0x44A028Da come from 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3, and the address 0x0a8310ec has funds coming from multiple EOA accounts, with a common address: 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3.

The following is relevant information about token factory contract 0xDC4397ffb9F2C9119ED9c32E42E3588bbD377696. The factory contract was created by address 0x1dE949eac4b5fc1B814E733CD56AE65DfF1bcEEF. Funds from address 0x1dE949ea come from multiple accounts, one of which is the source address of funds 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3.

The sources of funds for address 0x072e9A13 are as follows. Address 0x1dE949ea has partial fund interaction with it. Other source addresses have also created token factory contracts, and some are the Rug Pullers of tokens.

For example, funds from 0x04067B4fcC9f3d99aC5211cfE8d3e8687B0401d3 come from 0x6ae8F98830894518c939B0D0A5EF11c671e9DFCa, and 0x6ae8F988 created factory contract 0xe83EbBb4acc3d8B237923Ee333D04B887ca1a008. That factory contract carried out the same token creation behavior:

We chose one of these tokens for analysis and found that it exhibits Rug Pull behavior.

The funds of 0x6ae8F988 come from 0xa6764FBbbFD89AEeBac25FCbB69d3E9438395e57, and the funds of that address come from 0xE5A5c50980176Cc32573c993D0b99a843D77BC6E. The funds of address 0xE5A5c509 are provided by the Tornado Cash address, in the amount of 10 BNB. In addition to the funds provided by Tornado, there are also profits obtained through phishing and token Rug Pulls.

In addition, the above addresses play an important role in the Rugpull factory fraud model.
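The tracing above can be reproduced as a backward walk over a funding graph. The following is an added example, not SharkTeam's tooling: it encodes the funder-to-recipient relationships stated in this section and finds the upstream addresses shared by the token owners and the factory creator. Assumptions: the edge from 0x04067B4f to 0x072e9A13 is read from the text (the figure is missing), and `MIXER` is a label because the article gives no Tornado Cash address.

```python
from collections import deque

HUB = "0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3"
X_TIP_BLUE_OWNER = "0x44A028Dae3680697795A8d50960c8C155cBc0D74"
SEI_OWNER = "0x0a8310eca430beb13a8d1b42a03b3521326e4a58"
FACTORY_CREATOR = "0x1dE949eac4b5fc1B814E733CD56AE65DfF1bcEEF"
MIXER = "tornado-cash"  # label only; the article gives no mixer address

# (funder, recipient) pairs as read from the article's fund-tracing text.
EDGES = [
    (HUB, X_TIP_BLUE_OWNER), (HUB, SEI_OWNER), (HUB, FACTORY_CREATOR),
    (FACTORY_CREATOR, HUB),  # "partial fund interaction": forms a cycle
    ("0x04067B4fcC9f3d99aC5211cfE8d3e8687B0401d3", HUB),  # assumed from text
    ("0x6ae8F98830894518c939B0D0A5EF11c671e9DFCa", "0x04067B4fcC9f3d99aC5211cfE8d3e8687B0401d3"),
    ("0xa6764FBbbFD89AEeBac25FCbB69d3E9438395e57", "0x6ae8F98830894518c939B0D0A5EF11c671e9DFCa"),
    ("0xE5A5c50980176Cc32573c993D0b99a843D77BC6E", "0xa6764FBbbFD89AEeBac25FCbB69d3E9438395e57"),
    (MIXER, "0xE5A5c50980176Cc32573c993D0b99a843D77BC6E"),
]

def norm(addr):
    # Checksum casing differs between sources; compare case-insensitively.
    return addr.lower()

def funders_of(edges):
    """Reverse adjacency: recipient -> set of direct funders."""
    rev = {}
    for src, dst in edges:
        rev.setdefault(norm(dst), set()).add(norm(src))
    return rev

def upstream(addr, rev):
    """BFS backwards over funding edges: {ancestor: hops}. Cycle-safe."""
    start = norm(addr)
    dist, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for src in rev.get(node, ()):
            if src not in dist:
                dist[src] = dist[node] + 1
                queue.append(src)
    del dist[start]
    return dist

def common_funders(targets, rev):
    """Ancestors shared by every target, nearest (worst-case hops) first."""
    maps = [upstream(t, rev) for t in targets]
    shared = set(maps[0]).intersection(*maps[1:])
    return sorted(shared, key=lambda a: (max(m[a] for m in maps), a))

REV = funders_of(EDGES)
OWNERS = [X_TIP_BLUE_OWNER, SEI_OWNER, FACTORY_CREATOR]
if __name__ == "__main__":
    for a in common_funders(OWNERS, REV):
        print(a, "(mixer-sourced)" if a == MIXER else "")
```

The nearest shared funder is the hub address 0x072e9A13, and the mixer label appears six hops upstream of the X, TIP, and Blue owner.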

II. Rugpull Factory Fraud Model

Let's take a look at the Rugpull factory fraud models of SEI, X, TIP, and Blue tokens.

(1) SEI

First, the owner of the SEI token, 0x0a8310eca430beb13a8d1b42a03b3521326e4a58, exchanged 249 SEI at a price of 1u.

Then, 0x6f9963448071b88FB23Fd9971d24A87e5244451A conducted batch buy and sell operations. Under the buy and sell operations, the token's liquidity significantly increased, and the price also rose.

Through promotion methods such as phishing, a large number of users were tempted to purchase, resulting in increased liquidity and a doubling of the token price.

When the token price reached a certain value, the token owner entered the market to conduct a Rugpull operation. As can be seen from the following figure, the timing and prices at which the owner entered to harvest were different.

(2) X, TIP, Blue

First, the X, TIP, and Blue token owner exchanged 1u for the corresponding tokens using 0x44A028Dae3680697795A8d50960c8C155cBc0D74. Then, as with the SEI token, batch buy and sell operations were conducted by 0x6f9963448071b88FB23Fd9971d24A87e5244451A. Under the buy and sell operations, liquidity significantly increased, and the price rose.

Then, through methods such as phishing, a large number of users were tempted to make purchases, resulting in increased liquidity and a doubling of the token price.

Similar to SEI, when the token price reached a certain value, the token owner entered the market to conduct a Rugpull operation. As can be seen from the following figure, the timing and prices at which the owner entered to harvest were different.
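The pattern described for all four tokens (a seed buy for about 1u, batch buy and sell operations by one address, then the owner's exit after outside buyers arrive) can be screened for in a token's swap history. The following is an added example, not SharkTeam's method: the swap log is constructed, the trader names are placeholders, and the thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed swap log for one token (not on-chain data):
# (block, trader, side, stablecoin_amount). Trader names are placeholders.
SWAPS = [
    (100, "owner", "buy", 1.0),                                  # seed buy
    (101, "bot", "buy", 50.0), (101, "bot", "sell", 49.0),       # batch round trips
    (102, "bot", "buy", 60.0), (102, "bot", "sell", 59.0),
    (103, "bot", "buy", 70.0), (103, "bot", "sell", 69.0),
    (110, "user1", "buy", 300.0), (112, "user2", "buy", 450.0),  # lured buyers
    (115, "user3", "buy", 500.0),
    (120, "owner", "sell", 900.0),                               # harvest
]

# Thresholds are assumptions for this example, not values from the article.
MIN_ROUND_TRIPS = 3      # buys and sells each, by one address
MAX_NET_RATIO = 0.10     # |bought - sold| / volume for a "flat" churner
MIN_EXIT_MULTIPLE = 10   # sold / bought for a harvesting exit

def profile(swaps):
    """Aggregate per-trader buy/sell totals and counts."""
    stats = defaultdict(lambda: {"buy": 0.0, "sell": 0.0, "n_buy": 0, "n_sell": 0})
    for _block, trader, side, amount in swaps:
        stats[trader][side] += amount
        stats[trader]["n_" + side] += 1
    return stats

def classify(swaps):
    """Flag volume-inflating churners and low-cost/high-exit harvesters."""
    churn, harvest = [], []
    for trader, s in sorted(profile(swaps).items()):
        volume = s["buy"] + s["sell"]
        flat = abs(s["buy"] - s["sell"]) <= MAX_NET_RATIO * volume
        if min(s["n_buy"], s["n_sell"]) >= MIN_ROUND_TRIPS and flat:
            churn.append(trader)
        elif s["buy"] > 0 and s["sell"] >= MIN_EXIT_MULTIPLE * s["buy"]:
            harvest.append(trader)
    return {"churn": churn, "harvest": harvest}

def extracted_share(swaps, trader):
    """Trader's net stablecoin take as a share of everyone else's net inflow."""
    p = profile(swaps)
    take = p[trader]["sell"] - p[trader]["buy"]
    inflow = sum(s["buy"] - s["sell"] for t, s in p.items() if t != trader)
    return take / inflow if inflow > 0 else 0.0

if __name__ == "__main__":
    print(classify(SWAPS), round(extracted_share(SWAPS, "owner"), 2))
```

On the constructed log, the batch trader is flagged as a churner, the seed buyer as a harvester, and the harvester's net take is about 72% of what all other traders put in.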

The volatility charts of SEI, X, TIP, and Blue tokens are as follows:

We can learn from the fund tracing and behavior patterns:

From the fund tracing, the funds of the token factory creator and the token creators come from multiple EOA accounts. There are also fund transfers between different accounts, some of which are transferred through phishing addresses, some obtained through previous token Rugpull behaviors, and some obtained through coin-mixing platforms like Tornado Cash. Multiple methods of fund transfer are used to build a complex and intricate financial network. Different addresses have also created multiple token factory contracts and have produced a large number of tokens.

When analyzing token Rugpull behaviors, we found that address 0x6f9963448071b88FB23Fd9971d24A87e5244451A is one of the sources of funds. Batch operations are also used when manipulating token prices. Address 0x072e9A13791f3a45fc6eB6AD38e6ea258C080cc3 also acts as a provider of funds, providing corresponding funds to multiple token holders.

In summary, behind this series of behaviors is a well-organized Web3 scam group, constituting a black industry chain that mainly involves hot topic collection, automatic token issuance, automatic trading, false propaganda, phishing attacks, Rugpull harvesting, and other processes. These Rugpulls occur frequently on BNB Chain. The fake Rugpull tokens issued are closely tied to hot industry events and are highly confusing and inciting. Users need to remain vigilant, maintain rationality, and avoid unnecessary losses.

About Us

SharkTeam's vision is to protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from around the world, proficient in the underlying theories of blockchain and smart contracts. They provide services including on-chain big data analysis, on-chain risk warning, smart contract auditing, and encrypted asset recovery. They have also built a platform called ChainAegis for on-chain big data analysis and risk warning. The platform supports unlimited levels of deep graph analysis and can effectively counter the risk of Advanced Persistent Theft (APT) in the Web3 world. They have established long-term partnerships with key participants in various fields of the Web3 ecosystem, such as Polkadot, Moonbeam, Polygon, OKX, Huobi Global, imToken, ChainIDE, and more.

Official website: https://www.sharkteam.org

Original article, author: SharkTeam. Reprint/Content Collaboration/For Reporting, please contact report@odaily.email; illegal reprinting must be punished by law.
