QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$114 000 USD
APRIL 2021
GLOBAL
SEXYAPY
DESCRIPTION OF EVENTS
"After the great previous post where he did a x12, I bring you this other gem with the potential to repeat the feat! I have found it by telegram and it is still very green. I'm in!"
"We are tired of all the scams that happen among tokens. So we decided to take matters into our own hands. What differ those token from SexyAPY is mainly the fee redistributed to holders and a very active dev team behind the project."
"SexyAPY is a profitability optimizer on the Binance Smart Chain."
"SexAPY has been audited by TechRate, the contract is safe." "Techrate performed a complete Smart Contract audit of @sexyapy. The report is issued and now published on our website https://techrate.org. Check the contract in the report and stay safe!"
"Autofarm fork that doesnt autofarrm non natives yet so will be redeploying a new MC in the near future. Large project, large contract that calls two bank contracts and an apy distributor. Tons of internal transfers, mints, withdraws, paybonus function. Variables for deposit and withdraw fees capped at 2%. Currently .5%. Didnt see overtly malicious code but dev does have incasetokensgetstuck function in there which can transfer tokens from masterchef to personal wallet for emergency which is good and bad (more good than bad). owner can change bank contracts so dev could technically change and call a new bank contract and if the bank contract has malicious code in it then the main contract could call malicious code."
"Got Techrate audit. I dont feel this project is malicious as dev threw $100k of his own dollars in and locked liquidity but code could [hurt] you. more likely from a bug than a rug since with this much going on and as far as I can tell no beta/no legit auditor on it math could mess up somewhere and cause problems in payout, compounding, or liquidity. No venus vaults. No Timelock. Autoforks have gone tragically wrong in the past so much like deflate, best recomendation I have is to get a legit audit or a third party dev to go bug hunting. Website isnt updating price. Looks like some UI issues. DYOR."
CertiK "published a confirmed RugPull alert on a project named SexyAPY via https://certik.org."
"The project contains four contracts. All of them are deployed by [the same] address. The rug pull happened on “Apr 16,2021 04:31:07 PM +UTC”." "The deployer of the contract called function inCaseTokensGetStuck() to transfer over 519,881 Pancake LP token from this contract to his own address." "Then the deployer transfers all of the Pancake LP token to [another] address. Then, the owner of this address swapped all of the LP token to BUSD. He got over 113,655 BUSD in the end."
"The scammers exploited a total value of $113,655 in BUSD. The funds were washed across platforms via bridges. The project’s website is down but the Twitter account still exists."
"Lost 30 BNB."
The SexyAPY launched a liquidity protocol, reportedly audited by TechRate (although that post appears to have been deleted) and getting a reasonably positive review from RugDoc. However, neither of these closely inspected the smart contract, and the creators were completely anonymous. All funds in the contract were stolen, totaling just over $113k. No recovery was provided for affected users.
HOW COULD THIS HAVE BEEN PREVENTED?
Our framework recommends that all uninsured customer funds be held in a multi-sig wallet by multiple known, trained, background-checked operators. Cases where funds are stolen are typically performed by a single individual, or an anonymous entity.
https://mobile.twitter.com/certikorg/status/1383173629471551495 (Jan 10)
SexyAPY less than 1 hour, 100x potential LIQ LOCKED, code audit : CryptoMoonShots (Jan 11)
@Mobile_Millions Twitter (Jan 11)
SEXYAPY (Jan 11)
How to avoid rug pulls and what they mean (Jan 11)
BUSD/SEXYAPY liquidity pool on Pancake contract address is 0x741ebbf6800e5044d5ac0a7f1921894abae54c54 (Jan 11)
Sexy APY – RugDoc (Jan 11)
https://bscscan.com/token/0xda2ace303531079568e471bb5962d9c7892e2619?a=0x0fda4ac09a12c10fae30e429f4d6b47c9a83c87e (Jan 11)
@TechRate1 Twitter (Jan 11)
