Gemholic Ecosystem Rug Pull
Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Gemholic raised 921 ETH worth of funds to create a new blockchain ecosystem. Those funds were then locked due to an issue with their smart contract deployed on zkSync. This took over a year to resolve via an update to the zkSync algorithm. Once it was complete, the Gemholic team nearly immediately withdrew the funds, and started transferring them through TornadoCash. It seems very certain that both founders will be brought to justice given the low anonymity set of TornadoCash, and that they subsequently used centralized exchanges following that point.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22]
About zkSync
"zkSync is a Layer-2 scaling solution developed by Matter Labs, aimed at reducing costs, speeding up transactions, and providing security on Ethereum using ZK Rollups technology."
About Gemholic
"Gemholic Ecosystem consists of product features and mechanisms that support each other while creating new benefits for all parties involved in the ecosystem. Gemholic Ecosystem provides GemLaunchpad, GemStaking, Gem Yield Farming, Gem Mining (Play-to-Earn feature), and Gem Cash (Tonardo Cash) for the entire CoreDAO Chain."
"The Gemholic Ecosystem uses 8-bit images as its main visual theme. With such a theme and visuals, we will attract many users as well as investors, as it is quite similar to old-school games with 8-bit graphics that make us feel like we're going back to our youth. It will feel like embarking on an adventure to search for treasure and mine resources."
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
"Users who participated in Gemholics fundraising thought they had waited for the day of repayment, but unexpectedly witnessed another runaway project on ZKsync." "On June 7, zkSync(@zksync) completed its v24 upgrade, which fixed the issue and allowed the locked funds to be accessed. Following the upgrade, the Gemholic project withdrew 921 Ether from the contract and transferred it to the Ethereum blockchain. Gemholic’s X account and all Telegram messages had also been deleted at the time of publication."
| Date | Event | Description |
|---|---|---|
| March 8th, 2023 | KYC Verification Complete | The Gemholic project passes the KYC verification process with SolidProof. |
| March 13th, 2023 | Smart Contract Audit Complete | The Gemholic project completes a smart contract audit via SolidProof. This identifies only minor issues and no critical vulnerabilities. |
| March 29th, 2023 11:54:11 PM MDT | Binance Funding Transaction | A transaction funds 0.0988 ETH from Binance, which is ultimately used to fund the layer 2 zkSync protocol used to launch Gemholic. |
| December 5th, 2023 2:48:50 PM MST | Last Online Capture | The last capture of the gemholic website via the internet archive. |
| June 7th, 2024 4:30:00 AM MDT | Rug Pull Transaction | The time of the specific transaction which is moving invested funds on the ZKSync layer 2 protocol. |
| June 7th, 2024 7:55:00 AM MDT | Funded From Binance | Twitter user anderbnb reveals that the Gemholic address was originally funded by Binance and asks various community users for help. |
| June 8th, 2024 12:52:00 AM MDT | Tweet Reporting Situation | A Tweet is made which reports on the rug pull (in Chinese). |
| June 8th, 2024 1:14:00 PM MDT | Summary Tweet Posted | A summary tweet is posted by Twitter user Echoeweb. |
| June 8th, 2024 3:31:00 PM MDT | Inclusion In List | The incident is included in a summary of crypto events happening today by @Cprinze_. |
| June 10th, 2024 4:54:00 AM MDT | SolidProof Official Report | SolidProof posts an official incident report about the Gemholic situation. |
| June 13th, 2024 10:49:00 PM MDT | Supposed Personal Information | The supposed personal information of the CEO of the Gemholic project is posted, including an address in Vietnam. |
Technical Details
"The zkSync project Gemholic had its funds locked for over a year because of a mistake in the sales contract. Matter Labs, the team behind Ethereum layer-2 scaling solution #zkSync, identified the issue as stemming from the .transfer() function in the GemstoneIDO smart contract, which is part of a project run by the GemholicECO ecosystem."
"Gemholic was also quick to make a commitment, writing on its official Twitter account, “We understand that many people have lost confidence, but we still believe that the ZKsync team can get things done. We need everyone to trust us. Once the agreement is finalized, we will launch marketing activities and project pre-release. We will also refund excess payments.”"
"The team behind ZkSync, @the_matter_labs rescue[d] the @GemholicECO after a botched token sale, allowing them to retrieve 921 $ETH ($1.7M) raised."
""Last year, Gemholic raised 921 ETH on ZKsync. However, due to the technical differences between ZKsyncs Era network and the Ethereum mainnet at the time, Gemholics fundraising method when it was launched on ZKsync was to directly copy the Ethereum contract code. Due to the lack of sufficient testing of the ZKsync architecture differences, the transfer() function in the Gemholic contract generated fees exceeding the gas limit on ZKsync, resulting in passive lock-up of the raised funds.
Eden Au, director of research at The Block, noticed the issue and tweeted, “A project on ZKsync raised 921 ETH ($1.7 million) in a token sale, but the funds are forever trapped in a smart contract. The Transfer() function works on Ethereum and other EVM chains, but not on ZKsync.”"
"The smart contracts were deployed on zkSync without any prior checks. However, the developers from ConsenSys warned about using the Solidity transfer function in 2019. This function uses a fixed amount of hard-coded gas, which makes them fail because the transfers currently use more.
zkSync also warns about this limitation and its impact on smart contracts. Furthermore, the team examined the source code of “dozens of popular crypto projects”, finding all of them compliant with the new dynamic system."
"More than a year later, the value of the 921 ETH raised by Gemholic has tripled to more than three million US dollars. On June 7, ZKsync started the mainnet upgrade. In the v24 version, ZKsync added a function that allows the transfer() function to be called normally when gas is not specified to improve compatibility with Ethereum."
Total Amount Lost
The total amount lost has been estimated at $3,400,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
"The project gemholic on zkSync has run away, and its Twitter and Telegram accounts have been deleted. A total of 921 ETH of user assets, about 350w u, were stolen."
"Gemholic, a crypto project, is accused of a rug pull after moving $3.5M in recently recovered funds and vanishing from social media."
"The community discovered that Gemholic withdrew 921 ETH from the project contract the day after the V2 upgrade and bridged to the Ethereum mainnet. Subsequently, screenshots circulated in the community showed that Solomon, the founder of Gemholic, deleted all TG group messages, and the Gemholic official Twitter account was also deleted. It is obvious that the project party ran away with the money after unwinding."
"Community members are currently trying to trace the Gemholic contract creator’s address, which is supposedly funded by Binance.
The cryptocurrency community is concerned following a suspected rug-pull incident involving the Gemholic project and the zkSync network.
Several users affected by the alleged Gemholic scam have taken to X to raise awareness. NSerec, the founder of Zkmarkets, confirmed that Gemholic stole $3.5 million.
In the X post, NSerec(@NSerec) claimed that Gemholic had deceived its investors for a year by falsely promising refunds. Once the funds were finally unlocked, the team executed what appeared to be a rug pull. NSerec revealed that the address of the contract creator was supposedly funded by Binance and asked community members who have insights on how Binance might assist in reaching out to them.
KYC provider silence Despite completing Know Your Customer (KYC) verification with SolidProof, the verification service has not publicly addressed the situation. NSerec believes that the silence is possibly an effort to prevent fear, uncertainty and doubt (FUD) from spreading among the investors."
"According to NSerec, a #KYC provider must either admit that they didn’t do a good job checking the people involved, or they should report the fraudsters to the authorities and tell the public what happened. If SolidProof keeps ignoring this problem, their service shouldn’t be trusted.
The Zkmarkets(@zkmarkets) founder said that if SolidProof doesn’t deal with the Gemholic scam, the people affected should hold SolidProof responsible. He even suggested that if they don’t take action, people should start calling them “UselessProof” instead of “SolidProof.”"
Ultimate Outcome
SolidProof has "provided all necessary information to the official cybersecurity authorities in Vietnam and have requested direct contact with the Vietnam Blockchain Association. Additionally, [they] are open to collaborating with Binance and other relevant entities to trace the withdrawn funds and hold the responsible parties accountable."
"The Gemholic team employs various mixing techniques that make a portion of the funds difficult to trace, except through extensive forensic investigations. However, our analysis has traced nearly $800,000 ending up in a centralized exchange and demonstrated the dwindling effectiveness of Tornado Cash as a mixer. In fact, we observe that a significant portion of the funds was initially laundered through the protocol sanctioned by OFAC, but the money flow then led us to cross-chain bridges and to the newcomer in the galaxy of privacy protocols: RailGun, now widely used by scammers worldwide."
Total Amount Recovered
The total amount recovered is unknown.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
Funds are likely to be traced and recovered.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist Hacked - SlowMist Zone (Accessed Jun 18, 2024)
- ↑ @0xAA_Science Twitter (Accessed Jun 19, 2024)
- ↑ @Cprinze_ Twitter (Accessed Jun 19, 2024)
- ↑ @Echoeweb Twitter (Accessed Jun 19, 2024)
- ↑ @anderbnb Twitter (Accessed Jun 19, 2024)
- ↑ Address 0x3c67ae2a58c43e220c15159733022225b773eedc | Etherscan (Accessed Jun 19, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Jun 19, 2024)
- ↑ @0xZodiacCaller Twitter (Accessed Jun 19, 2024)
- ↑ GemHolic Ecosystem (Accessed Jun 19, 2024)
- ↑ Smallpdf.com (Accessed Jun 19, 2024)
- ↑ @GemholicECO Twitter (Accessed Jun 19, 2024)
- ↑ zkSync Era: The Landing Of Massive Scam Projects (Accessed Jun 19, 2024)
- ↑ https://www.coingecko.com/en/coins/gemholic (Accessed Jun 19, 2024)
- ↑ https://www.bee.com/es/12393.html (Accessed Jun 19, 2024)
- ↑ zkSync and its Efforts to Recover 921 ETH: The How and Why of it All: Guest Post by ItsBitcoinWorld | CoinMarketCap (Accessed Jun 19, 2024)
- ↑ @SolidProof_io Twitter (Accessed Jun 19, 2024)
- ↑ Incident: Report on Gemholic Ecosystem | by Solidproof.io | Jun, 2024 | Medium (Accessed Jun 19, 2024)
- ↑ zkSync Era Block Explorer (Accessed Jun 19, 2024)
- ↑ projects/GemHolic/SmartContract_Audit_Solidproof_Gemholic.pdf at main · solidproof/projects · GitHub (Accessed Jun 19, 2024)
- ↑ Gemholic (GEMS) Staking Rewards Calculator (Accessed Jun 19, 2024)
- ↑ https://decripto.org/en/gemholic-rug-pull-on-chain-analysis-reveals-where-the-funds-went-exclusive/ (Accessed Jun 19, 2024)
- ↑ https://www.binance.com/en-NZ/square/post/2024-06-07-suspicions-arise-over-gemholic-s-financial-activities-within-zksync-ecosystem-9157750152434 (Accessed Jun 19, 2024)