Due to the recent gaining in popularity of EOS DeFi, many projects had started collecting a huge amount of locked value in their smart contracts. Unfortunately a few days ago a $2.5M scam was made by the DeFi project Emerald EMD.
Emerald EMD was a liquid mining project on EOS launched on 9th September. Due to the huge Hype on the new DeFi projects on EOS, many users jumped on the new opportunity and in a few hours they had already collected a lot of money.
After only 13 hours after the launch, large amounts of EMD funds were transferred one after the other. At that point the team of the Blockchain Security firm SlowMist issued a security reminder that probably EMD could have escaped with the funds. At that point, EMD's EOS account, emeraldmine1, had already transferred 787,000 USDT, 490,0000 EOS and 56,000 DFS to the sji1111111 account.
Afterwards the funds were transferred to the exchange service NowChange.io and withdrawn through other channels such as the other Defi project, DeFiBox. The PeckShield Security team pointed out that there were several problems in the EMD contract, among them the fact that the active permission of the contract was controlled by a single entity, and there was no multi-signature system implemented. For this reason both SlowMist and PeckShield were already sure of the scam that is happening.
A little later EMD's website was no longer accessible, and users who by then realized they had been scammed started sending hundreds of messages to the sji1111111 account, asking them very fiercely to return the money.
According to some users, the creator of the EMD contract, had managed to attract a considerable amount of funds, through a kind of Pump and Dump of the Emerald coins. Indeed, in order to boost the price of EMD, he had himself deposited about 40,000 EOS to make the emerald coin shoot to the high price of 500EOS-1000EOS. Seeing this opportunity, many users thought to lock their funds and earn 10x as much as their deposits.
Unfortunately, the creator of EMD ultimately upgraded the contract after its release. Indeed, smart contracts on EOS can be modified after they have already been deployed. For this reason, there is a greater risk than other public blockchain of scams carried out through contract changes. This risk is countered by the possibility to implement multi signatures, so that any change will require the approval of multiple entities. In the case of EMD, there was no integrated multi-signature system, and the creator could act undisturbed.
The scammed users immediately took action and reached the police to block the owner's exchanges accounts. Token Pocket's team in particular conducted an in-depth analysis to find the fraudster, managing to find his IP address and mobile device through technical tracking, while collaborating with a security company. With this key information and transfer request memo, TP Wallet quickly reached out to the EMD project team and negotiated.
According to the Chinese Criminal Code, the $2.5M stolen from EMD is enough to sentence him to 10 years or more in prison. Thus, the creator of EMD could not overcome the pressure and agreed to return the asset, by recovering 120,000 EOS from Coinswitch. However, he threatened to stop all investigations as a prerequisite, otherwise destroy the private key and send 120,000 EOS to an black-hole address.
Already on September 10, 56,000 DFS and over 260,000 EOS were returned, and the next day another 28,000 EOS.
This event is a good opportunity to remind you to be careful where you use your funds, especially in the case of DeFi projects. If you have to use any DeFi project verify that it has been audited by some blockchain security firm and has a multi-sig system implemented. Don't Trust but Verify.