Something Fishy at PRL as Founder Steals Tokens via “Trapdoor”

Reading Time: 2 minutes

Cryptocurrency Oyster Pearl suffered a catastrophic hack yesterday, as a “trapdoor” allegedly set by the founder was exploited, causing the price to drop 65% within minutes. Social media was very quick to report the strange price action, citing an exit scam by the team or a hack as the most likely cause of the sudden drop. Exchanges were quick to terminate PRL trading, but not before the damage was done and the perpetrator had walked away with around $300,000 worth of BTC and ETH.

Through the Trapdoor

According to a blog post on the project website, the exploit was built into the PRL code by the original founder and chief architect, who went by the pseudonym Bruno Block. Block apparently utilized a function in the smart contract known as ‘transferDirector’ that allowed one person, himself, to covertly re-open the ICO and issue at least 3 million new tokens. These new tokens were then sent to the KuCoin exchange where they were quickly sold.
Despite passing three separate smart contract audits, the transferDirector mechanism was either not spotted or not reported as a potential exploit by any auditor. It believed that Block performed the action because KuCoin’s incoming KYC regulations, due November 1, would have restricted how much he could withdraw without revealing his identity.

Who Watches the Watchmen?

Oyster Pearl seems likely to recover from this attack, as the extra coins represented only 1.5% of PRL’s market cap. Yet, this incident does knock the credibility of the PRL project and shines a light on some worrying aspects of the blockchain industry as a whole. Firstly, the fact that the exploit went unnoticed or unreported by three different smart contract auditors illustrates that those charged with oversight of the space aren’t necessarily up to the task. This perhaps isn’t surprising with such a new technology, but standards need to be raised quickly before other potentially bigger projects suffer similar fates. Secondly, projects need to take identity more seriously. Block refused to divulge his identity to anyone on the project and, while hindsight is 20/20, if someone has the keys to the house, you need to know who they are where to find them.

A Wake-up Call for the Entire Space

Unlike the events at MapleChange this week, the Oyster Pearl project doesn’t seem to have been killed off by Block’s actions, but it acts as a wake-up call to all project managers and investors that this is still a new and emerging technology. As a result, nothing is 100% safe despite how it might appear, meaning that precautions, rather than liberties, should be taken.