Crocoswap, Mozart and rugpulls by swap contracts

Void Farm
4 min read · Apr 17, 2021

Crocoswap.finance and mozartfinance.io were different rugs, but they have something in common: both changed contracts at launch. That is what this post is about.

We will not analyze here whether they were real rugs or victims, or anything related to that. Each case deserves its own article.

So what happened?

In both cases the rug began with a change of contracts.

Crocoswap

They launched the site with farming disabled: the native CROCO token was tradeable, but deposits into the pools were not enabled. However, contracts could be approved.

Suddenly, when farming started (at a certain block), all the contracts of all the pools had to be approved again, and you no longer had your CROCOs; they did not appear as available to stake. What happened?

Observers, including me, noticed that when trying to purchase the token via PancakeSwap we were redirected to a different contract than the initial one.

They changed the contracts of the token and the masterchef, and for this reason everything had to be approved again: you were now approving deposits on the new masterchef.

Of course, if you looked for the previous CROCO contract in your wallet and were going to trade it, it no longer had liquidity, and the price only fell. Those of us who had bought the token before had already lost.

As if this were not enough, many did not realize this; having to approve the deposit contracts again seemed strange to them, but it did not stop them. Many deposited, and 12 hours later everything was stolen. They were fooled.

Once farming started, nothing could be done, as withdrawal was locked for 12 hours, supposedly for the stability of the token. Clearly the only stable things were the red flags.

Mozart, an audited rug

It is under discussion whether Mozart committed a “rug” or was the victim of the evil intentions of a freelance developer they hired. But let’s put the opinions aside this time and talk about what happened.

Mozart’s PIANO token had been audited by Immune Bytes. After some arrangements, the audit was approved.

The project was announced days in advance, there were “pre-sales” and they had an approved audit. But suddenly 90k PIANOs were minted to a random wallet. These were sold, causing the price of the token to fall aggressively. Everything was registered on the blockchain and the FUD began.

What happened? Simple, the PIANO contract that appeared on the page, and that was bought on Mozart’s own exchange, was not the same as the one that was audited.

This is the audited token:

https://github.com/ImmuneBytes/Smart-Contract-Audit-Reports/blob/main/Mozart%20Finance/Mozart%20Finance%20(PIANO)%20-%20Final%20Audit%20Report.pdf

And finally this is the one that was published:

The new contract commented out the getOwner() function and added a whole MinterRole contract.

Without going into much detail, he created a list to which addresses could be added. Any address on that list could mint PIANO by calling the mint function, which now checked the onlyMinter() modifier instead of onlyOwner(), the check that verified the masterchef was the caller.

This way, a very well put-together project, which promised a lot to the point of gathering more than 10M of TVL, ended in a great loss for users.

The funny thing is that both the real and the fake token were deployed by the same wallet, and most of the pools were LPs with PIANO. That is to say, even if they could not “take the funds”, if the price of PIANO fell a lot the LPs would hold more PIANO than any other token, ending in a rug all the same.

This means that if they were victims, the attacker was the one who deployed both contracts and also had access to the front-end to set the new contract. It also seems that nobody on the team verified that the contract placed in the front-end code was the same as the one audited.

Conclusion

Always check that the tokens and contracts you are interacting with are the same as the ones that were audited.
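One way to automate part of this check, as an added example that is not from the original post: it compares the functions and access-control modifiers of an audited source against a deployed one. The two Solidity fragments are constructed to mirror the change described in the Mozart section and are not the real PIANO source; the names inside them (Token, addMinter, isMinter) are assumptions.

```python
import re

# Constructed fragments modelled on the change described above (not the real PIANO code).
AUDITED = """
contract Token is Ownable {
    function getOwner() external view returns (address) { return owner(); }
    function mint(address _to, uint256 _amount) public onlyOwner { _mint(_to, _amount); }
}
"""
DEPLOYED = """
contract MinterRole {
    modifier onlyMinter() { require(isMinter(msg.sender)); _; }
    function addMinter(address account) public onlyMinter { _addMinter(account); }
}
contract Token is Ownable, MinterRole {
    // function getOwner() external view returns (address) { return owner(); }
    function mint(address _to, uint256 _amount) public onlyMinter { _mint(_to, _amount); }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")
KEYWORDS = {"public", "external", "internal", "private", "view", "pure",
            "payable", "virtual", "override", "returns"}

def strip_comments(src):
    """Drop block and line comments so commented-out functions count as removed."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def signatures(src):
    """Map function name -> set of custom modifiers (overloads share one entry)."""
    out = {}
    for name, _args, tail in FUNC.findall(strip_comments(src)):
        tail = re.sub(r"returns\s*\([^)]*\)", "", tail)
        out[name] = set(re.findall(r"\b[A-Za-z_]\w*\b", tail)) - KEYWORDS
    return out

def diff_access_control(audited, deployed):
    """Report functions removed, added, or guarded by different modifiers."""
    a, d = signatures(audited), signatures(deployed)
    return {
        "removed": sorted(a.keys() - d.keys()),
        "added": sorted(d.keys() - a.keys()),
        "guard_changed": {f: (sorted(a[f]), sorted(d[f]))
                          for f in a.keys() & d.keys() if a[f] != d[f]},
    }

if __name__ == "__main__":
    print(diff_access_control(AUDITED, DEPLOYED))
```

Any non-empty result means the deployed source is not the audited one; a changed guard on mint is the case that mattered here.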

Also check that the audit is real; there is a short explanation of this in our GitBook: https://voidfarm.gitbook.io/void-farm/security/how-to-check-an-audit-is-real

Unfortunately these cases were not the only ones of this kind and won’t be the last.

Stay safe. Cheers!

Official Links:

Site: https://www.void.farm/

Telegram Announcements: https://t.me/voidfarm_announcements

Telegram English Chat: https://t.me/voidfarm_en

Telegram Spanish Chat: https://t.me/voidfarm_es

Twitter: https://twitter.com/VoidFarm

Medium: https://voidfarm.medium.com/

GitBook: https://voidfarm.gitbook.io/void-farm/

GitHub: https://github.com/voidfarm
