Play2Earn has continued to attract attention and investors despite the cryptocurrency bear market. As innovative as it is, play2earn comes with its defects and limitations partly due to bad tokenomics, rogue team/devs, exploits, hacks, etc…
We will not be talking further about the cryptocurrency or play2earn market overview and projections but will go straight to the point of our reason for this episode which is about a recent rug pull involving a play2earn project. Rug pulls have become very rampant in this space and the play-to-earn gaming industry has attracted many.
Read Also: Crypto Market overview for 2022
In this article, we will be taking a look at Citizen Finance the owners of the Metalands play-to-earn game which currently has a playable demo. Below is a recent gameplay video from Metalands.
On Tuesday, July 12th at about 1:57 am (WAT) an announcement was posted on the Citizen Finance telegram announcement channel. The contents of this announcement, however, weren’t the much anticipated public demo launch the Citizen Finance community has been waiting for since November 2021 but it was that of a heist, or in this case, we can call it a “Rug Pull”.
The Citizen Finance Announcement
According to the announcement, two smart contracts that held a total of 2.4 million $CIFI one on the BSC Smart Chain and the other on the Polygon Chain were compromised and the tokens were stolen. These tokens were transferred to another wallet and then dumped directly into the market for 244 $BNB, 57,000 $Matic, and $7000 $USDC respectively.
@binance @zachxbt @HuobiGlobal @okx Please take note of this addresses
0x083e958DB271a5Ba105C0878a94507fe37F25446 BNB chain
Attacker stole 57k $MATIC, 244 $BNB and 7k USDC@0xPolygon @BNBCHAIN @kucoincom
— Citizen Finance (@citizen_finance) July 12, 2022
$CIFI token value after the Rug Pull
While the $CIFI token value has continued to struggle for the past three months after the migration to V2. This “Rug Pull” further plummeted the token price to a new all-time-low price of $0.015 which is equivalent to $1.5 in V1 of $CIFI token. But then who is this smooth criminal that was able to pull this off? We will be finding that out next.
Who pulled the $CIFI Rug?
Cryptocurrency exploits remain an area of concern for many investors because in most cases the exploiter remains anonymous and no one knows who carried out the exploit. The Lazarus group from North Korea is the most popular hacker people believe to carry out most crypto hacks but in this case, we would narrow down the suspects to two individuals and then a third if the two individuals were targeted by an external party.
1. Alexis: Our first suspect is the project owner like Mirabel, a community mod would call him but we prefer addressing him as the CEO of Citizen Finance. The said contracts that were compromised were controlled by only two individuals, and Alexis was one of them. Although these contracts were not multisig, which means either of the two parties controlling it can comfortably approve transactions and carry out whatever actions they dimmed fit without the other needing to approve or sanction it.
2. Jaysun: This is the second suspect and also one of the developers actively working on the project. According to Alexis, Jaysun is the only person apart from him that held private keys to the two compromised smart contracts. Remember these contracts aren’t multi-sig. Two important things to note here are: Jaysun created both smart contracts and is also the only person that can call the emergency withdrawal function on both of them. Jaysun remains a prime suspect until proven innocent.
When I contacted Jaysun on LinkedIn he claims to be innocent and has no information about the exploit and subsequently stopped answering further questions put to him.
This is Jaysun’s LinkedIn profile. Please note he recently removed his profile picture after the exploit was reported.
3. Hackers: like every exploit, in the cryptocurrency space the first culprits that come to mind are hackers who unfortunately remain anonymous. But in this case, how would hackers have gained access to the private keys of the two compromised smart contracts? Another thing that can come into play here is if either Alexis or Jaysun were targeted by hackers who stole these private keys unknowingly from them and went further to withdraw tokens from these contracts to dump them into the market.
It is common practice for hackers to target stealing valuable information from unsuspecting victims commonly through phishing websites. But did Alexis or Jaysun report being targeted by hackers? The answer is “NO”.
Conclusion – our thoughts
Rug Pulls have become very successful due majorly to the anonymous nature of blockchain technology. Wallet addresses and blockchain transactions do not carry a name tag or descriptions before being approved. But alternatively, transactions can be tracked to exchanges, and wallet addresses of criminals can be blacklisted on these exchanges and further stopped from withdrawing their loot.
Centralized cryptocurrency exchanges on the other hand have been very slow to act or entirely not cooperative in cases where hacks or exploits are reported, and funds sent to their exchanges by hackers. Presently the funds stolen from the citizen finance rug pull are still sitting in the wallet three days after the heist. You can view the funds here.
Law enforcement on the other hand still yet to understand how cryptocurrency works and most times believe they hold no value due to the unregulated nature of cryptocurrencies. So for them, there’s no point trying to recover your stolen magic internet money. Another factor here is a limitation due to jurisdiction. For instance, if a project is based in Dubai and someone in China steals from it, how will a complaint be filed against the suspect and an investigation carried out?
We would love to appeal to the person or group of persons that compromised both wallets to please return the stolen funds and maybe as compensation strike a deal with the Citizen Finance team to keep some of the looted funds while exposing the loopholes in the contracts as a reason for the exploit if that was the case. This is what whitehat hackers do. Overall this would be good for the Play-to-earn gaming industry and the cryptocurrency industry at large.
PS: After a couple of burst up with investors and admins of Citizen Finance. I would like to categorical state the following:
1. This is an open investigative article with no malicious intent to malign or undermine Citizen Finance or its team members.
2. The three suspects of the $CIFI rug pull remain innocent until any of them is found guilty by law enforcement or blockchain security firms handling the investigation.
3. This article is not a FUD campaign.
4. If you have any suggestions or information that could help, please comment on the article.