Analysis of the SQUID Game Contract Vulnerability - Risk Remains High

2021-11-09, 10:08
By GateChain - Vincent




【TL; DR】
  1. Following the crash, the SQUID project claimed to have removed the restrictions on large SQUID transactions from the contract. It transferred owner access to the black hole address, and shut down all social media accounts.
  2. Recently, the SQUID price has rebounded sharply, reaching near $0.40 at the time of writing. This is up hundreds of times from its lowest point a few days ago.
  3. SQUID holders are currently engaged in a "community self-help" campaign, hoping to use the project team's disappearance to achieve more decentralisation and community autonomy for the project.
  4. An analysis of the contract code shows that there are still risks in the SQUID project.
  5. Risk 1: The tokens are still concentrated in several addresses and there is a possibility of a second rug pull.
  6. Risk 2: The contract code may be upgraded at any time. This could involve operations such as issuing a large number of additional tokens which would be extremely negative for token holders.


When the crash occurred, the price of SQUID went as low as $0.0007, but the story around the SQUID token didn't end when its price went close to zero. Recently, its price has rebounded sharply, reaching near $0.40 at the time of writing, up hundreds of times from its lowest point a few days ago.

Last week, the developers of the Squid Game crypto project (SQUID) pocketed investors’ funds and were nowhere to be seen. They sold off a large portion of tokens, extracting liquidity from the SQUID/BNB trading pool on PancakeSwap. This caused the price of SQUID to plummet. Following the incident, the project claimed to have removed the restrictions on large SQUID transactions from the contract. It transferred owner access to the black hole address (note: an address for which no private key can be found), and shut down all social media accounts.

For more information on the SQUID flash crash on November 1st, please read here: Squid Game Rug Pull Scam: How Do We Choose A Reliable Project?



After the plunge was reported in mainstream financial media outlets, SQUID was thrown into the limelight and became a widely discussed coin. The holders are currently engaged in a "community self-help" campaign, hoping to use the project team's disappearance to achieve more decentralisation and community autonomy for the project.

There is no way to know what the final results of the "self-help" campaign will be. However, after an in-depth analysis of the SQUID contract code, we found that the SQUID project is still quite risky.

Risks Remaining In The SQUID Contract

An analysis of the contract code shows that SQUID is not as decentralised as some reports claim and that there are still two risky points.

1: There are multiple addresses holding large amounts of tokens, and there is still a risk of a massive dump.




Looking at the statistics in the “Holder” section (https://bscscan.com/token/0x87230146E138d3F296a9a77e497A2A83012e9Bc5#balances) on bscscan.com, you will find that the top three addresses still hold almost 30% of the tokens and are free of any freezes or restrictions when it comes to selling their tokens. A second rug pull can occur at any time.


2: Hidden risks in the contract code.

By querying the readable variables within the contract, you can see that the owner of the SQUID Token contract (0x87230146E138d3F296a9a77e497A2A83012e9Bc5) has been changed to a black hole address (0x000000000000000000000000000000000000000000000000), which means that no one can be granted the authority to issue additional tokens.


The project owner may have transferred the ownership rights by calling renounceOwnership (as shown below) to make the token appear more "decentralised".


But where is the logic that prevented large transfers from being made at the beginning of the project's release? After analysing the code, we found that this logic no longer exists. If it did, it would be implemented in the “_beforeTokenTransfer” hook.


But this is not the case: “_beforeTokenTransfer” is now an empty function:



This means that someone has made changes to the contract code.


Based on the code, we found that the SQUID contract applies the “EIP-1967: Standard Proxy Storage Slots” protocol (https://eips.ethereum.org/EIPS/eip-1967). This means the contract code can be upgraded at any time. The core upgrade logic is shown below:



When the contract was initialised, the project specified a role named “_sir”. This role allows the contract code to be upgraded at any time, replacing the processing logic of the contract while retaining the contract data. For example, unfreezing frozen tokens, reassigning an owner, or issuing tens of billions of additional tokens all remain very possible.


So what is the corresponding address of “_sir”, and is it replaceable?

In the contract code, there is no read method provided for this address, nor is there any way to modify it. Instead, it is silently stored in the following “slot” (as shown below):


Thanks to the open-source nature of the blockchain, we can write code to read all the on-chain data, including the real address of “_sir”: 0x6BdB3b0fd9F39427a07b8ab33Bac32Db67EB4E38.


If it were a black hole address or a timelock, the contract would be much safer. But unfortunately, “_sir” can initiate a transaction at any time and upgrade the contract's code at any time. So, specifying the owner as a black hole address does not resolve the risks involved with the contract.
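The check described above (read the hidden slot, then decide whether the address in it is a black hole, a single key, or a contract such as a timelock) can be sketched as follows. This is an added example, not code from the article or the SQUID project: the function names are hypothetical, the slot is left as a parameter because the article does not state its value, and the sample replies are constructed rather than live chain data.

```python
import json
import urllib.request

ZERO_ADDRESS = "0x" + "00" * 20
SIR_FROM_ARTICLE = "0x6BdB3b0fd9F39427a07b8ab33Bac32Db67EB4E38"

def rpc_payload(method, params, req_id=1):
    """JSON-RPC 2.0 request body for a standard Ethereum-style node."""
    return {"jsonrpc": "2.0", "id": req_id, "method": method, "params": params}

def rpc_call(rpc_url, method, params):
    """Send one request to a node (network access; unused by the offline sample)."""
    req = urllib.request.Request(
        rpc_url, data=json.dumps(rpc_payload(method, params)).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]

def word_to_address(word_hex):
    """Decode a 32-byte storage word that holds a bare address."""
    digits = word_hex[2:] if word_hex.lower().startswith("0x") else word_hex
    if len(digits) > 64:
        raise ValueError("storage word longer than 32 bytes")
    raw = bytes.fromhex(digits.zfill(64))      # some nodes strip leading zeros
    if any(raw[:12]):
        raise ValueError("upper 12 bytes set: slot is packed, not a bare address")
    return "0x" + raw[12:].hex()

def classify_upgrader(slot_word, code_hex):
    """Return (address, kind): 'burned', 'eoa' (single key) or 'contract'."""
    addr = word_to_address(slot_word)
    if addr == ZERO_ADDRESS:
        return addr, "burned"       # nobody can upgrade
    if code_hex in ("", "0x", "0x0"):
        return addr, "eoa"          # one private key can upgrade at any time
    return addr, "contract"         # review it: timelock, multisig, or other

def audit(rpc_url, contract, slot):
    """Live check: read the slot, then eth_getCode on the address found there."""
    word = rpc_call(rpc_url, "eth_getStorageAt", [contract, slot, "latest"])
    code = rpc_call(rpc_url, "eth_getCode", [word_to_address(word), "latest"])
    return classify_upgrader(word, code)

# Constructed sample replies (not live chain data): the word a node would
# return if the slot held the article's "_sir" address, and empty code.
SAMPLE_WORD = "0x" + "0" * 24 + SIR_FROM_ARTICLE[2:].lower()
SAMPLE_CODE = "0x"

if __name__ == "__main__":
    print(classify_upgrader(SAMPLE_WORD, SAMPLE_CODE))
```

For a live check, call `audit()` with a BSC RPC endpoint, the token address and the slot taken from the verified contract source.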

Conclusion

SQUID Game contract risks can be summarised as follows.

1: The tokens are still concentrated in several addresses and there is a possibility of a second rug pull.

2: The contract code may be upgraded at any time. This could involve operations such as issuing a large number of additional tokens.

There are many unscrupulous projects that are making their way onto the scene by taking advantage of social spotlights. Many of them tend to rip off investors by means of the untraceable nature of cryptocurrencies. Those who do not have a good understanding of cryptocurrencies, and lack knowledge in terms of scams, could easily fall into a rug pull. You are advised to be more discerning and try to trade on large and reliable platforms to prevent fraud.

SQUID has exploded due to media coverage it received after crashing, with the owner nowhere to be seen. It could be turned around, but the risks also remain high. Will SQUID collapse again or be reborn under the actions of the community’s “self-help” campaign? Let's wait and see.

*This article represents only the views of the researcher and does not constitute any investment advice.
*Gate.io reserves all rights to this article. Reposting of the article will be permitted provided Gate.io is referenced. In all other cases, legal action will be taken due to copyright infringement.

