Taking The PRL Out Of Oyster Protocol: The Case Of Bruno Block

How an anonymous founder sabotaged a cryptocurrency project.

Jeremy Nation

Nov 3, 2018

The horror story you are about to hear is real. It’s the case of an anonymous individual who built a cryptocurrency platform. The project I’m referring to is Oyster, and the anonymous developer is none other than Bruno Block. It was designed from inception to act as a “community driven model without a single point of failure” which is an ironic claim made by marketing materials published in the run up to the project’s ICO, considering the fact that the project’s founding architect, Block, turned out to be the single point of failure who engineered an exploit into the code controlling the company’s PRL tokens.

There Is Something Terribly Wrong

The best explanation I found of exactly what went down was posted by Reddit user imwaihon whose thread gives a descriptive and factual analysis of what took place:

“There is something terribly wrong with the Oyster token contract. People are sending Ether to the contract at a rate of 1 ETH to 5000 PRL tokens (0.0002 Eth per PRL), which means that they can sell it for higher on Kucoin.”

Noting that an issue existed with the PRL contract, imwaihon pointed out that a “transferDirector()” call from another address was sent to the address used to create the PRL ICO contract, allowing whoever controlled that account to mint more PRL and transfer any Ether used to do so straight back out of the contract. Further analysis revealed that selfLock() had never been called, which means the director role was left open and remained a live attack vector.

In the Reddit post imwaihon speculated that someone within the Oyster organization may have gone rogue, or that the private keys to the hijacked account had leaked. As it came to light, imwaihon’s worst suspicions were true: Bruno Block, the project’s founder and former CEO, took credit for the exploit amid meltdowns on public and private channels.
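The flaw imwaihon describes is a privileged "director" role whose opt-in lock was never engaged, so the role could be handed to a fresh address, the closed sale reopened, new tokens minted at the sale rate, and the Ether withdrawn. The sketch below is an added illustration of that pattern and is not the Oyster Protocol PRL contract: every function name (transferDirector, selfLock, openSale, withdraw, finalise), the storage layout, and the 5000 tokens-per-ETH constant lifted from the quoted post are assumptions. The first contract shows the weak design; the second shows a hardened version in which finalising the sale is one-way, deadline-enforced, and burns the role so there is nothing left to forget to lock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only: not the Oyster PRL contract. All names are assumed.
// Weak pattern: a privileged director who can reopen a closed sale and pull
// out the Ether it collects, guarded by a lock that is opt-in and may never be set.
contract SaleWithOptionalLock {
    address public director;
    bool public saleClosed;
    bool public directorLocked;        // stays false unless selfLock() is ever called
    mapping(address => uint256) public balanceOf;
    uint256 public constant RATE = 5000; // tokens per ETH (rate cited in the quoted post)

    constructor() { director = msg.sender; }

    modifier onlyDirector() {
        require(msg.sender == director, "not director");
        _;
    }

    // Hand the role to any address; nothing prevents it while the lock is off.
    function transferDirector(address newDirector) external onlyDirector {
        require(!directorLocked, "director locked");
        director = newDirector;
    }

    function closeSale() external onlyDirector { saleClosed = true; }
    function openSale()  external onlyDirector { saleClosed = false; } // re-enables minting
    function selfLock()  external onlyDirector { directorLocked = true; } // the step that was never taken

    // Mints new tokens for Ether while the sale is open.
    function buy() external payable {
        require(!saleClosed, "sale closed");
        balanceOf[msg.sender] += msg.value * RATE;
    }

    // Whoever currently holds the role can drain the Ether paid in.
    function withdraw() external onlyDirector {
        payable(director).transfer(address(this).balance);
    }
}

// Hardened pattern: finalising is one-way, can be forced by anyone after the
// deadline, pays out exactly once, and burns the director role. There is no
// openSale(), no transferDirector(), and no withdraw() left to abuse afterwards.
contract SaleWithIrrevocableFinalise {
    address public director;
    address public immutable treasury;   // fixed payout destination, set at deployment
    uint256 public immutable saleEnd;
    bool public finalised;
    mapping(address => uint256) public balanceOf;
    uint256 public constant RATE = 5000;

    event Finalised(uint256 ethRaised);

    constructor(address treasury_, uint256 saleDurationSeconds) {
        director = msg.sender;
        treasury = treasury_;
        saleEnd = block.timestamp + saleDurationSeconds;
    }

    function saleOpen() public view returns (bool) {
        return !finalised && block.timestamp < saleEnd;
    }

    function buy() external payable {
        require(saleOpen(), "sale over");
        balanceOf[msg.sender] += msg.value * RATE;
    }

    // The director may finalise early; after the deadline anyone may, so the
    // sale cannot be left open indefinitely by inaction.
    function finalise() external {
        require(!finalised, "already finalised");
        require(msg.sender == director || block.timestamp >= saleEnd, "too early");
        finalised = true;                       // effects before interaction
        uint256 raised = address(this).balance;
        director = address(0);                  // role burned: nothing to transfer or reuse
        payable(treasury).transfer(raised);     // single, final payout
        emit Finalised(raised);
    }
}
```

The property an auditor should check is not "does selfLock() exist" but "is there any reachable state after the sale closes in which minting or withdrawal is still possible". In the first contract that state is the default; in the second it does not exist, because the only privileged transition is the one that removes the privilege.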

Block’s Public Rant

In the original Oyster Protocol Telegram channel Block went on the warpath after wresting control from the other admins and locking the channel to newcomers. In turn, the remaining Oyster Protocol team members set up their own new Telegram channel.

Block’s posts remain public but can be seen below for posterity’s sake, should they be deleted from the now locked channel:

[Screenshots of Block’s Telegram posts, bracketed “/rant” and “/endrant”, not reproduced here]

The Damage Control And Rebuttal

Not long after Block’s attack, Oyster Protocol published a community update explaining that around 3 million PRL tokens had been re-issued from the newly reopened PRL ICO as a result of the transferDirector function being used on the company’s smart contract. These coins, worth close to $300,000, were then sold on the KuCoin cryptocurrency exchange. This happened days before a November 1, 2018 deadline for KuCoin to introduce KYC measures.

In response to Block’s allegations of insider trading and cryptocurrency exchange listings, William Cordes, now acting CEO of Oyster Protocol, published a community update in which he condemned Block’s actions as criminal. He also published a post-rant tête-à-tête between himself and Block, in which Block writes of a looming economic collapse, claims all the token holders are in a Ponzi scheme, and says that “none of the money is real.”

How Could This Happen?

One of the big problems with Oyster Protocol is that, although it made grand claims and saw a boom in the value of its token on speculative marketplaces, it was founded by an anonymous individual who held the linchpin of the project’s security, so there was fundamentally no accountability. Apparently Block’s status as founder was enough to win the trust of those who worked closest to him, and they are now left doing damage control on a project with serious issues as they attempt to fork to another chain.

There is a certain argument that can be made for anonymity, and privacy. However the line needs to be drawn somewhere. Allowing anonymous individuals to rise through the ranks of a corporate organization does not come without significant risks. Anonymous individuals with any level of access have the potential to sabotage the projects they work on without accountability or consequence. The same goes for anonymous developers who might have administrative control; these central anonymous points of failure are antithetical to the ethos of the cryptocurrency ecosystem, and to best security practices in general.

Another issue with the Oyster Protocol incident has to do with insufficient auditing. Although Oyster says it had three separate audits of its code, it admitted that, on Block’s orders, the contract’s directorship was left open, which is exactly what Block eventually used to take over the PRL ICO contract. If the exploit existed in the code, how did it get past three separate audits? Or did the auditors see the issue and report it to Oyster, who chose to ignore the problem, hoping Block wouldn’t defect?

It’s impossible to catch every scam or predict how people will act. Sometimes factors beyond our comprehension cause people to do things we would never have expected. The best thing we can do as individuals is keep an eye open for indicators that something might not be on the up and up. That means if the CEO of a project that wants you to invest in it doesn’t want to tell you who they are, it might not be a good idea to trust them with your clams.

As for Oyster Protocol, it’s unlikely that anyone on their team will make the same mistake of trusting anonymous leadership again. For the sake of those who hold value in PRL, let us hope that the forked version is secure and delivers on the promises the team has made for the future.

This report was brought to you by MetaCert Protocol, the new green shield of trust for internet resources. If you want to get involved, join the conversation on Telegram: https://t.me/metacert, check out our white paper and technical paper, and don’t forget to follow us @MetaCert on Twitter.

MetaCert Protocol is decentralizing cybersecurity for the Internet, by defining ownership and URL classification information about domain names, applications, bots, crypto wallet addresses, social media accounts and APIs. The Protocol’s registry can be used by ISPs, routers, Wi-Fi hotspots, crypto wallets and exchanges, mobile devices, browsers and apps, to help address cyber threats such as phishing, malware, brand protection, child safety and news credibility. Think of MetaCert Protocol as the modern version of the outdated browser padlock and whois database combined.
