Summary
On the 25th of August, Magnate Finance executed an exit scam (rug pull). The scam was made possible when the developer modified the price oracle address to manipulate prices directly. TVL dropped by around $6.4 Million.
The deployer is also linked to past rug pulls:
- Solfire’s $4.8 Million on January 23, 2022
- Kokomo Finance’s $5.5 Million on March 27, 2023
The entire scam took place on the BASE chain, an Ethereum L2 built by Coinbase.
Vulnerability Analysis & Impact
On-Chain Details
Deployer Address: 0x4bdac0b6eeda6211f43178899cb73670b1952c40
Mainnet – 0x4bdac0b6eeda6211f43178899cb73670b1952c40
Contract Address: 0x6a8fbf751c92a8c922428c0ffc5a89e709f7e505
Attack Transaction: 0x39555e75d76b294248a434fdfe9640e0cfe3f22bd7fceb675fd4ef4b5e02f719
Exit Scam Steps
- The scammer first changed the provider through their multi-sig wallet.
- Next, the address of the price oracle was changed to manipulate the price directly.
- They then used cDAI to borrow other tokens and exited.
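
A monitoring check for the sequence above, added here as an example and not taken from the original write-up or from Magnate Finance's code: it flags a swap to an unvetted oracle and any borrow then priced far from an independent reference feed. The event names, fields, addresses and prices are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data for a hypothetical lending market. Event names,
# fields and addresses are assumptions, not Magnate Finance's real ABI.
@dataclass
class Event:
    block: int
    kind: str   # "OracleChanged" or "Borrow"
    data: dict

MAX_DEVIATION = 0.10  # tolerated relative gap versus an independent reference feed

def scan(events, reference_prices, trusted_oracles):
    """Flag swaps to an unvetted oracle and borrows priced far from the reference."""
    alerts, untrusted = [], False
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "OracleChanged":
            # Returning to a vetted oracle clears the state; anything else alerts.
            untrusted = ev.data["new"] not in trusted_oracles
            if untrusted:
                alerts.append((ev.block, "oracle-swap", ev.data["new"]))
        elif ev.kind == "Borrow" and untrusted:
            ref = reference_prices[ev.data["collateral"]]
            deviation = abs(ev.data["collateral_price"] - ref) / ref
            if deviation > MAX_DEVIATION:
                alerts.append((ev.block, "borrow-on-skewed-price", ev.data["borrower"]))
    return alerts

REFERENCE = {"cDAI": 1.00, "cETH": 1650.0}   # constructed reference prices (USD)
TRUSTED = {"0xORACLE_OLD"}                   # placeholder for the audited oracle
SAMPLE_EVENTS = [
    Event(100, "Borrow", {"borrower": "0xUSER1", "collateral": "cDAI", "collateral_price": 1.00}),
    Event(200, "OracleChanged", {"new": "0xORACLE_NEW"}),
    Event(201, "Borrow", {"borrower": "0xADMIN", "collateral": "cDAI", "collateral_price": 1000.0}),
    Event(205, "Borrow", {"borrower": "0xUSER2", "collateral": "cETH", "collateral_price": 1650.0}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, REFERENCE, TRUSTED):
        print(alert)
```

The oracle-swap alert fires before any borrow takes place, which is the point at which a timelock on the oracle setter would give depositors time to withdraw.
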
After the Incident
- After the hack, they quickly deleted their website and their social media accounts, including Twitter and Telegram.
- The scammer has successfully bridged the stolen funds to different chains.
- These are the addresses on the BASE chain where the funds currently reside:
0xa146dffe1c304a8a3de74c460ffe8dc73e5ce6e1
0x0664faf5afecde5958d8b32258e012c3788006a3
Price Impact
The price of MAG tokens dropped by 86% after the incident.
The Imperative Need for Web3 Security
As the Web3 security firm QuillAudits, we embrace the essence of decentralization by offering transparency, and we want that spirit to shine through in our services too.