"One-click Issuance of Coins" Platform Secretly Issued and Exposed Three No Projects


Text | Kyle

Edit | Wen Dao

 

Recently, Beijing Lian'an disclosed a strange case of additional token issuance.

The Gold Chain (HJL) project team recently noticed on an Ethereum block explorer that some unknown addresses held HJL tokens beyond the project's total issued amount. Beijing Chain Security audited the contract code and found that Easy Token, the "one-click coin issuance" platform the project team had used, had tampered with the contract code: it secretly issued an additional 1% of the total HJL supply and diverted it to a specified address, with the aim of cashing out.

According to Beijing Lian'an, besides HJL, other projects such as MH, CRS and LP were affected in the same way.

Third-party coin issuance platforms that secretly plant a "back door" are a risk, but the project teams that rely on them are also being questioned: if a team cannot independently complete even the basic work of issuing a token with a smart contract, and cannot spot a back door planted in its own contract, how can it have the technical competence to develop a blockchain project?

The unexplained additional issuance not only exposed "fool-proof" coin issuance platforms that mint tokens through a back door and cash out; it also brought to light a number of "three noes" projects: no official website, no white paper and no technical strength. Once such projects are listed on an exchange, secondary-market investors are very likely to end up as the final bag holders.

"One-click coin issuance" platform secretly issues additional project tokens

On March 25, the blockchain security company Beijing Chain Security disclosed that the Gold Chain (HJL) project team had found on an Ethereum block explorer that more HJL tokens existed than the total amount issued. Verification showed that the extra tokens were neither a different token with the same name nor counterfeits; they seemed to have appeared at an unknown address out of thin air.

The project's publicity materials state that a total of 43 million HJL tokens were issued. Yet an unknown address beginning with "0xfA6D" received 430,000 tokens in one go, exactly 1% of the total HJL issuance.

Strangely, this address is not the project owner's address, and there is no record of HJL tokens being transferred into it. The source of these tokens cannot be traced through a block explorer.

A search for HJL shows that the token was listed on the BJEX exchange on February 28, which gave it a secondary-market price. On March 26, HJL was quoted at 0.008 USDT. At that price, the HJL received by the address beginning with "0xfA6D" is worth 3440 USDT, equivalent to 24700 yuan.

[Figure: HJL tokens appear out of thin air at the address beginning with "0xfA6D"]

Although it amounts to only 1% of the total HJL supply, these unexplained tokens were obtained for nothing, at the expense of the project team.

In the end, Beijing Chain Security found the cause by examining the HJL token issuance contract. When the smart contract was deployed on chain, its code contained an instruction that credited tokens equal to 1% of the total supply to the address beginning with "0xfA6D", and the instruction was written so that these quietly added tokens were not counted in the total issuance.
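
One way to check a deployed token for the pattern described above, as an added example that is not code from Beijing Chain Security or from the platform: replay the token's Transfer logs and compare the result with the balances and totalSupply read from the contract. The addresses, events and balances are constructed sample data, and the check assumes whole-token amounts and that the legitimate mint emits a Transfer from the zero address.

```python
from collections import defaultdict

ZERO = "0x0"  # stands for the zero address used as `from` in mint events

def replay_transfers(events):
    """Rebuild every balance using only Transfer(from, to, value) logs."""
    balances = defaultdict(int)
    for src, dst, value in events:
        if src != ZERO:            # a Transfer from the zero address is a mint
            balances[src] -= value
        balances[dst] += value
    return balances

def audit_supply(total_supply, onchain_balances, events):
    """Flag balances no event explains, and holdings beyond totalSupply."""
    derived = replay_transfers(events)
    unexplained = {}
    for addr, actual in onchain_balances.items():
        gap = actual - derived.get(addr, 0)
        if gap:
            unexplained[addr] = {
                "tokens": gap,
                "bps_of_supply": gap * 10_000 // total_supply,
            }
    excess = sum(onchain_balances.values()) - total_supply
    return unexplained, excess

# Constructed sample data (whole tokens; every address is a placeholder).
TOTAL_SUPPLY = 43_000_000
OWNER, INVESTOR, BUYER = "0xOWNER", "0xINVESTOR", "0xBUYER"
UNKNOWN = "0xfA6D...(placeholder)"
EVENTS = [
    (ZERO, OWNER, 43_000_000),     # the mint the project team expects
    (OWNER, INVESTOR, 1_000_000),
    (UNKNOWN, BUYER, 330_000),     # spent from a balance never transferred in
]
# Balances as balanceOf() would report them (constructed).
BALANCES = {OWNER: 42_000_000, INVESTOR: 1_000_000,
            UNKNOWN: 100_000, BUYER: 330_000}

if __name__ == "__main__":
    flagged, excess = audit_supply(TOTAL_SUPPLY, BALANCES, EVENTS)
    print("unexplained holdings:", flagged)
    print("tokens held beyond totalSupply:", excess)
```

Because the gap is computed per address against the replayed logs, the hidden credit is still reported in full after part of it has been moved on.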

 

After further communication, Beijing Lian'an learned that the project's token issuance contract had not been developed in-house; it had been outsourced to a one-click coin issuance platform called "Easy Token".

Beijing Chain Security then used Easy Token to deploy token issuance contracts on a testnet. Checking the contract code showed that the platform used the same method: it secretly issued additional tokens and transferred them to the same address beginning with "0xfA6D".

At this point, the mystery of HJL's unexplained additional issuance was solved. The outsourced coin issuance platform tampered with the code and, without informing its customer, issued and stole tokens equal to 1% of the customer's total supply. Once the customer's project is listed, these additional tokens are very likely to be sold and cashed out.

As of March 26, four HJL transfers had been completed at the address beginning with "0xfA6D", totaling 330,000 tokens.

"Fool-proof" coin issuance easily leaves project teams exposed

Notably, besides HJL, the address beginning with "0xfA6D" also holds multiple other ERC20 tokens, such as Moneyhome (MH), Phantom Matter (PHTM2), CRS (CRS) and Libra Pi (LP). These tokens were generated in a way similar to HJL: they all seem to have appeared out of thin air. Security personnel speculate that the issuers of these tokens may all have used Easy Token's one-click issuance function.

Besides Easy Token, other one-click coin issuance platforms such as Quick Coin and FinChain can be found on the market. These platforms are essentially "fool-proof" versions of issuing a token with a smart contract: you only need to fill in basic details such as the token's full name, abbreviation and initial circulation on the issuance page to generate the issuance contract and a customized token.

Some third-party issuance platforms also offer one-click exchange setup, one-click crowdfunding, and services for getting listed on exchanges.

Fees vary between third-party coin issuance platforms. For the most basic ERC20 token, Easy Token charges $39.99 and Quick Coin charges 1 ETH. These platforms also cater to users with special requirements: the issuance page offers functions such as burning, merged transfers, locking and additional issuance. Each additional function, of course, raises the price.

[Figure: The official website page of a coin issuance platform]

Beijing Lian'an told Honeycomb Finance that no other platform has so far been found issuing tokens through a "back door" and stealing them, but the barrier to doing so is extremely low, and new cases in the future cannot be ruled out.

The phenomenon disclosed by the security firm is also a wake-up call for blockchain projects that rely on outsourced services. Beijing Lian'an believes that project teams that entrust work to an outsourced technical team are in an extremely insecure, unprotected state. When they use a so-called coin issuance platform, the entire process is a black box to them, and they have no way of knowing what tricks are hidden inside.

Even more worrying, many small and medium-sized exchanges do not require a code audit of the project when listing a token, so the traps in problem code may pass through every checkpoint without being caught in time.

So how can this situation be remedied? Beijing Lian'an told Honeycomb Finance that once a token issuance contract has been deployed on chain, it is technically difficult to modify it directly; the contract can only be redeployed, and there are two scenarios.

The security firm explained that if the project has not yet been listed on an exchange and the tokens have not been fully distributed, redeploying the contract has relatively little impact. The project only needs to inform investors that the previously issued tokens are invalid and then reissue them.

In the other scenario, the project is already listed on an exchange and actively traded on the secondary market. The project team needs to communicate with the exchange and investors and work out a token swap plan after redeploying the contract. "In this case, not only is the process more cumbersome, it may also hurt the project team's reputation."

Beijing Lian'an advises that when a project team outsources development, it must assess not only the outsourced team's capabilities but also its moral hazard. A security audit of the smart contract is also essential.

The address receiving the additional tokens exposes "three noes" projects

The "one-click coin issuance" platform's tampering with contract code certainly harms the project teams' interests, but it also lays bare how little technical capability some project teams in the blockchain industry have.

Search online for "Ethereum Tokens" and you will find many ERC20 token issuance tutorials. Some tutorial authors say that with Ethereum smart contracts you "can easily write your own tokens."

[Figure: Many tutorials for issuing ERC20 tokens are available online]

Beijing Lian'an explained that because ERC20 token issuance already has a standard development template, the functional requirements for issuing a token are not high. With basic Solidity development skills and familiarity with contract deployment and verification on Ethereum, a team can indeed issue a token without any third party.

By rights, issuing a token should pose no difficulty for blockchain project teams that constantly talk about "transforming" and "disrupting" the Internet. The emergence of fool-proof "one-click coin issuance" platforms, however, suggests otherwise.

Looking up the tokens held at the address beginning with "0xfA6D" one by one, it is not hard to see that these projects are all so-called "innovative currencies" and carry extremely high risk.

Take Gold Chain (HJL), which is listed on the BJEX exchange. Its listing announcement gave no official website or white paper and only described the project as a global ledger-based information interaction and collaboration cloud platform built on blockchain technology. No official website for the project can be found online, and it is not known who operates it. BJEX, the exchange that listed the project, is currently ranked 108th on Feixiaohao ("non-trumpet").

For another project, Moneyhome (MH), only publicity materials can be found. Slogans such as "subvert all Internet finance" and "the internal market price only rises and never falls" are crude and blunt, and the fission-style rebate model it describes is also highly suspicious. Some netizens said Moneyhome collapsed on February 29.

The address beginning with "0xfA6D" has exposed a batch of "three noes" projects in the crypto community. If these projects must outsource even the issuance of their tokens, how can they be expected to develop a blockchain network?

Beijing Lian'an told Honeycomb Finance that participants in the crypto market vary widely in quality, and many project teams lack technical background and ability. For those who only want to make quick money, speed is the goal. Their resources and core business are focused on marketing, operations and the like; they have no long-term technical roadmap and will not set up a dedicated R&D team. "Finding a third-party platform to develop and deploy a contract quickly is obviously the more economical way."

In Beijing Lian'an's view, behaviors such as opening a back door to issue additional tokens or issuing counterfeit tokens with the same name are actually easy to discover, because most token issuance contracts are open source after deployment; a proper security audit will detect them in time.

For "three noes" projects that operate with no protection, technical ability has never been the focus. While they were trying to make a quick profit on the secondary market, they did not know that the "one-click coin issuance" platform had already planted a mine in the dark. If such a project reaches the secondary market, investors will be the ultimate victims left holding the bag.

Interaction time

Which do you think is worse: the one-click coin issuance platform or the "three noes" projects?

 


Origin blog.csdn.net/fengchao666/article/details/105137252