The astrology-themed NFT project Lucky Star Currency (LSC) has performed an exit scam for over $1 million, according to an October 9 report from blockchain security firm Certik.
The project’s deployer account called the ‘withdrawToken’ function on both the NFTMerge and AdwardCenter contracts, removing over $1 million in LSC from them. These tokens were then swapped for Binance USD (BUSD) stablecoin and sent to another account.
#CertiKSkynetAlert
— CertiK Alert (@CertiKAlert) October 9, 2023
We can confirm an exit scam on @AstrAstrol75591 LSC token
Bsc: 0x2b3559c3DBdB294cbb71f2B30a693F4C6be6132d
EOA 0x9Ef withdrew LSC tokens from the AwardCenter contract. Tokens were then sold for $1.1mhttps://t.co/sy7vFfqhf5
Lucky Star Currency is a project that focuses on NFTs and claims to be founded by astrologists. Its contracts include an Award Center and NFT Marketplace. It is marketed towards the Chinese crypto investment market. The team promotes the project on X (formerly Twitter) under the username @AstrAstrol75591. It also has a Telegram channel. As of October 9, the project’s website and user interface are offline.
Before the alleged rug, Lucky Star Currency was heavily promoted on the Chinese news app Toutiao and Q&A platform Zhihu.
At approximately 02:52 a.m. UTC, BNB Smart Chain address 0x9Ef72Ee68a7c841986A0C60e0FDbAE4e27446Deb removed over 1.6 million LSC from the AwardCenter contract for Lucky Star Currency. In a second transaction, an additional 1.4 million LSC was drained from the project’s NFTMerge contract. After draining funds, the attacker swapped them for over $1 million in BUSD via Pancake swap and then sent them to account 0x23f8c805306Bf27AB8bf3cEbEce4B778acfFd896. This account has been receiving BUSD from various sources for the past 82 days, implying that there may be more than one scam depositing funds to it.
According to Certik, the contracts that were drained have been listed on Telegram as the project’s official contracts.
In addition, blockchain data shows that the attacking account is the deployer for the AwardCenter contract.
Related: Chinese DeFi protocol WDZD Swap exploited for $1.1M: CertiK
The company that promoted the project claimed to have an office in Shenzen City, China.
Rug-pulls from Chinese projects have become a recurring problem in the Web3 space. Running a centralized cryptocurrency exchange is illegal in the country. Because of this, users who deposit to a Chinese protocol that has centralized elements may risk having their funds confiscated by police.
Over $100 million were lost in July when the China-based Multichain protocol drained all of its users' funds into an attacker’s account. The team alleges that police have arrested their CEO, but victims still search for answers as to what happened to their funds and how they can be reimbursed.