Oyster Protocol (PRL) founder exit scams with contract backdoor
So long and thanks for all the fishiness.
Oyster Protocol was, and possibly still is, designed to solve the current problem with websites losing revenue to adblockers. It was, and possibly still is, intended to function as an alternative revenue source for websites by utilising its users' computing power in a non-intrusive way for the purpose of providing computing resources for a decentralised computing network.
In a clam shell it was, or possibly still is, a form of browser-based cryptocurrency mining that uses the consumed computing power for something other than mining Monero.
But now the anonymous project founder and chief developer, known only as Bruno Block – presumably not his, her or their real name – has made the executive decision to exit scam, by emptying $300,000 of PRL from a platform smart contract, selling it on KuCoin and then going radio silent.
The exit itself took the form of Bruno re-opening the crowdsale contract, buying PRL tokens from it, then taking the funds back from their own contract and buying more. It was essentially free money in the form of PRL tokens which could then be sold on exchanges.
An unusual situation
This is surprising given the relative prominence of Oyster Protocol, which enjoyed a market cap over $200 million near its peak and has consistently tended to ride above $100 million throughout the year. Other than the rarity of such a high profile project being knocked down by its own founder and lead developer, the remaining Oyster Protocol team members have noticed some other interesting pieces in their postmortem:
- The backdoors used for the exit were built in right from the start, written by Bruno. Security audits uncovered them, but Bruno used their trusted position to insist that they were necessary and should remain.
- The exit took place now, with KuCoin planning to implement KYC procedures on 1 November. Another few days and this may not have been possible.
The backstory seems to be that Bruno created the project with the intention of giving it a red hot go, hiring on more team members, investing in multiple security and smart contract audits, building a devoted community and generally doing things right.
At the same time, they also made sure to leave a backdoor so they could take the money and run later if it all went south. The introduction of KYC procedures at KuCoin may have forced their hand, and created a now or never moment. That Bruno opted for the "now" option over a potential $300,000 might suggest a lack of faith in the project.
"Despite Oyster passing three separate smart contract audits, we were told by Bruno Block, the original founder and chief architect of the project, that the directorship of the token contract had to remain open so that the peg could be adjusted over time. This ultimately turned out to be a trapdoor mechanism in the contract that was eventually exploited. This contract was written by Bruno Block prior to the ICO, at which point Bruno was the only member of the team," explains Oyster Protocol CEO William Cordes.
"We relied on the auditors involved here for assurance that the smart contract was safe. Bruno was the only one who had the ability to transfer directorship within the PRL smart contract. After our initial review, we are inclined to believe that these were solely the actions of Bruno Block and that he did this now to avoid detection from KuCoin KYC procedures (that will be implemented on November 1st). These KYC procedures would have limited withdrawals on Non-KYC'ed accounts to no more than 2 BTC per day and would have prevented this from happening."
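The sequence described above (re-open the sale, buy, take the payment back, repeat) and the open directorship Cordes mentions can be modelled in a few lines. This is an added, simplified Python model, not the PRL contract's code; the class, method names and the rate of 5000 tokens per ETH are assumptions made for illustration. It shows the property an audit should test: while the director role stays unlocked, tokens can be issued at zero net cost.

```python
# Simplified model of a crowdsale token with a privileged "director" role.
# Constructed for illustration: class, method names and the rate are hypothetical.

class SaleToken:
    def __init__(self, director, rate):
        self.director = director
        self.director_locked = False  # once True, no privileged call succeeds again
        self.sale_open = False        # the crowdsale has already finished
        self.rate = rate              # tokens issued per ETH paid in
        self.eth_held = 0
        self.balances = {}

    def _require_director(self, caller):
        if self.director_locked or caller != self.director:
            raise PermissionError("director privileges unavailable")

    def lock_director(self, caller):
        self._require_director(caller)
        self.director_locked = True

    def set_sale_open(self, caller, is_open):
        self._require_director(caller)
        self.sale_open = is_open

    def withdraw(self, caller):
        self._require_director(caller)
        amount, self.eth_held = self.eth_held, 0
        return amount

    def buy(self, caller, eth):
        if not self.sale_open:
            raise RuntimeError("sale closed")
        self.eth_held += eth
        self.balances[caller] = self.balances.get(caller, 0) + eth * self.rate


def audit_director_cycle(token, director, eth, rounds):
    """Replay reopen -> buy -> withdraw; return (tokens issued, net ETH paid)."""
    net_paid = 0
    token.set_sale_open(director, True)
    for _ in range(rounds):
        token.buy(director, eth)
        net_paid += eth - token.withdraw(director)
    return token.balances[director], net_paid


if __name__ == "__main__":
    print(audit_director_cycle(SaleToken("director", rate=5000), "director", 10, 3))
```

Calling `lock_director` once after the sale closes makes the same replay raise `PermissionError` at its first step, which is the state an audit finding about an open privileged role should require before sign-off.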
Down but not necessarily out
In the wider scheme of things, the crew at Oyster Protocol notes that $300,000 represented only about 1.5% of the market cap at the time. But since the news broke, PRL prices have quickly plummeted by over 65%.
"While this is far from ideal, this will most definitely not be a death knell for the project," Cordes insists.
The team is also interested in obtaining any information that would lead to the unmasking of Bruno Block, he says.
"Despite working alongside him for the last 10 months, Bruno has always maintained his anonymity. After I took over the CEO role, Bruno's activity within the project dropped off sharply. If you have any information on who Bruno may be or where these funds may be directed towards, please reach out to us via e-mail to discuss further.
"In the interim, our team will be working around the clock to remedy this situation. We don’t know why Bruno did what he did or what his intentions were at the end of the day, outside of profiting from a loophole that he intentionally left in the smart contract. While I still take full responsibility for this all transpiring, I had no reason to believe Bruno would do something like this to harm the project and much of the work that he had a significant role in creating. We will not let his selfish actions today damage the long-term viability of the project."
The odds of any one cryptocurrency project succeeding in the still-immature cryptocurrency world are slim. And when something like this happens, and a project needs to regain confidence and keep the lights on with a sunken token price, the odds get even slimmer.
The good news is that Oyster has now ditched its suspiciously anonymous lead developer, which might inspire a bit more confidence going forwards. In hindsight, it was almost like Bruno Block was up to something.
Disclosure: At the time of writing the author holds ETH, IOTA, ICX, VET, XLM, BTC, ADA