Bruno Block was able to use a function within the Oyster smart contract to appoint himself ‘director’ and, as such, mine new crypto tokens, according to Oyster CEO William Cordes.
Unfortunately, during the creation of the Oyster platform, Block’s identity was kept anonymous; indeed, Bruno Block is merely a pseudonym and Block has not made any comments, anonnymously or otherwise, since this news surfaced.
Cordes has expressed great disappointment in Block’s actions, however he has assured investors and token holders that the issue has been dealt with and the appropriate authorities have been informed.
Block made off with at least 3 million ‘Oyster Pearls’ (‘PRL’), which he subsequently moved to KuCoin, a popular cryptocurrency exchange, and sold off.
Allegedly, the 3 million plus tokens were sold for around $300,000.
Earlier today, it was discovered that the transferDirector function was utilized on the Oyster Protocol token contract. This allowed the new director to re-open the ICO for PRL and re-issue new tokens (1 ETH = 5000 PRL / .04 per PRL). The individual in question then sent these tokens (upwards of 3M PRL) to KuCoin where the tokens were market sold. They were able to extract ~$300,000 in funds prior to us being able to shut down trading and withdrawals on KuCoin.
Despite Oyster passing three separate smart contract audits, we were told by Bruno Block, the original founder and chief architect of the project, that the directorship of the token contract had to remain open so that the peg could be adjusted over time. This ultimately turned out to be a trapdoor mechanism in the contract that was eventually exploited. This contract was written by Bruno Block prior to the ICO, at which point Bruno was the only member of the team. We relied on the auditors involved here for assurance that the smart contract was safe. Bruno was the only one who had the ability to transfer directorship within the PRL smart contract. After our initial review, we are inclined to believe that these were solely the actions of Bruno Block and that he did this now to avoid detection from KuCoin KYC procedures (that will be implemented on November 1st). These KYC procedures would have limited withdrawals on Non-KYC’ed accounts to no more than 2 BTC per day and would have prevented this from happening. This was well-orchestrated and well-executed (at a time when he knew a majority of the KC team would be offline). This also caught the entire team outside of Bruno Block by surprise, as the team collectively holds ~5% of the total supply in personal wallets. The team has been working tirelessly on this since day 1, without pay at some points in time. This project has been built on the back of hard work and raw determination and we will not let Bruno’s role as a bad actor in all of this undermine a project that the entire rest of the team is completely devoted to.
For those of you holding PRL, your PRL holdings are safe. We are still evaluating our options, but will most likely be executing a contract swap on the block just prior to this all happening (e.g. All 98.5 million PRL prior to the contract vulnerability will be exchanged on a 1:1 ratio to PEARL (or something to that effect)). We will also be evaluating how we can help those that were taken advantage of from this incident. More details to come here but we will do our best to make everyone whole. Despite the losses, $300k only represents ~1.5% of our market cap prior to this all transpiring. While this is far from ideal, this will most definitely not be a deathknell for the project.
So where do we go from here?
We are continuing to investigate this but could use your help along the way. Here are the withdrawal addresses that Bruno withdrew the funds he sold on KuCoin to:
We are also interested in obtaining any information that folks may have around Bruno’s potential identity. Despite working alongside him for the last 10 months, Bruno has always maintained his anonymity. After I took over the CEO role, Bruno’s activity within the project dropped off sharply. If you have any information on who Bruno may be or where these funds may be directed towards, please reach out to us via e-mail to discuss further.
In the interim, our team will be working around the clock to remedy this situation. We don’t know why Bruno did what he did or what his intentions were at the end of the day, outside of profiting from a loophole that he intentionally left in the smart contract. While I still take full responsibility for this all transpiring, I had no reason to believe Bruno would do something like this to harm the project and much of the work that he had a significant role in creating. We will not let his selfish actions today damage the long-term viability of the project.