PolkaMetaverse Fake Audit
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
PolkaMetaverse claimed to be offering a "next-generation" NFT platform, and that their "Layer 2 scalability engine" would offer a decentralized exchange for "leveraged" transactions. In addition to reporting that the POKA governance token would be listed on Hotbit, Binance, Bybit, and Coinbase, they also claimed to be audited by PeckShield. PeckShield reported that no such audit had been performed. It remains to be seen what will come of this project and any investments. The whitepaper claims funds are stored within a multi-sig wallet, but no one has looked into the code.
About PolkaMetaverse
"Polkametaverse is a Next-generation NFT platform." "Polkametaverse is a new generation of decentralized exchange, using a Layer 2 scalability engine, supporting leveraged transactions, and providing lower transaction rates. POKA is the governance token of Polkametaverse, with a total supply of only 100,000,000. POKA will be listed on Hotbit, Binance Trust Wallet, Bybit and Coinbase exchanges. The estimated listing price of POKA is $30." "A new generation of decentralized exchange using a Layer 2 scalability engine. Trade Perpetual Contracts with low fees, deep liquidity, and up to 100× more Buying Power."
"Polkametaverse joined hands with Kusama and StarkWare which employed StarkEx, a Layer 2 scalability engine that aims to improve the trading on platform. In simple words, the impact will be similar to the upcoming Eth 2.0 upgrade, as the gas costs will become zero, minimum trade sizes will be reduced, and trading fees will be lower."
"The purpose of Polkametaverse is to provide secure trading services with low gas costs and fees. To achieve this, the platform is now moving towards Layer 2 with the help of StarkWare to increase its trade settlement capacity."
"We present a set of protocols that allow several types of financial products to be created, issued, and traded for any pair of underlying ERC20 tokens. Our approach uses off-chain order books with on-chain settlement to allow creation of efficient markets. All described protocols are fair and trustless, creating truly open markets that are not governed by a central authority. The protocols are extensible by anyone, requiring no special permissions to be used with other smart contracts."
"Please share your BNB address here and we will send 500 POKA tokens to first 100 People." "Every participant can get 10 POKA tokens by participating in airdrop. Copy and share your referral link to your friends. After the airdrop ends, POKA tokens will be automatically distributed to your submitted BNB wallet address."
"Use your wallet send BNB to the Pre-sale address. Our system will send tokens to your wallet."
Polkametaverse claimed to be audited by PeckShield[7].
Early Promotions on Twitter
Airdrop from our side for the community Please share your BNB address here and we will send 500 POKA tokens to first 100 People
Airdrop is Live https://polkametaverse.io/#airdrop Every participant can get 10 POKA tokens by participating in airdrop. Copy and share your referral link to your friends. After the airdrop ends, POKA tokens will be automatically distributed to your submitted BNB wallet address.
The Reality
Polkametaverse was created by the same individuals who created other fraudulent projects like DYDX[10].
"@polkametaverse claims audited by PeckShield, which is not true. The audit report posted on their website is forged."[7]
CryptoLeda Warning Report
CryptoLeda posted a warning that the audit report, whitepaper, and exchange listings for the token were fake[10].
The Audit Report published on the Polkametaverse site is the same version published on the DXDY site that was allegedly prepared by the PeckShield security team.
The PeckShield team has previously announced that this is a fake version and posted it on Twitter.
When you come across such reports, be sure to investigate their accuracy.
We will discuss this with the PeckShield team.
The Polkametaverse white paper is also a counterfeit and a copy of the DXDX white paper.
This white paper has been used in other scam projects before, and if you look closely at other projects launched by this team, you will notice this.
As a user, when you come across a project, you should first check the white paper. By doing this, you can find out whether it is counterfeit or not.
They claim that POKA is listed in major exchanges such as Binance, CoinBase and HotBit.
If you go to the main exchange offices site, there is no announcement about POKA listing on them.
They have no plans to list POKA and that is a big lie.
They are trying to deceive users with this lie. So watch out for them.
What Happened
The Polkametaverse project was created by a fraudulent team with a number of false claims including listing on Binance. The website included a fake smart contract audit by PeckShield. PeckShield has denied auditing the project.
Date | Event | Description |
---|---|---|
January 11th, 2022 2:49:59 PM MST | Promotional Tweet | Polkametaverse tweets to promote their airdrop[8]. |
January 12th, 2022 10:56:29 AM MST | Promotional Tweet | Polkametaverse tweets to promote their airdrop[9]. |
January 15th, 2022 11:21:04 AM MST | CryptoLeda Warning Article | CryptoLeda shares a warning article about the project, reporting a fake audit, fake whitepaper, and fake exchange listings. In this report, they mention that they will be contacting PeckShield about the fake audit report[10]. |
January 15th, 2022 3:34:00 PM MST | PeckShield Reports Fraudulent Audit | PeckShield posts a tweet reporting that the smart contract audit claim is fake[11]. |
Technical Details
Fake Audit Report
Total Amount Lost
The total amount lost is unknown.
Immediate Reactions
TBD
#ScamAlert We notice that a project named so-called @polkametaverse claims audited by PeckShield, which is not true. The audit report posted on their website is forged. Thanks!
Ultimate Outcome
TBD
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
TBD
Individual Prevention Policies
There were a number of warning signs with this smart contract: their claim of an audit by PeckShield, when PeckShield stated that no such audit had been performed; their whitepaper being a copy of an earlier whitepaper for a fraudulent project; and their claims that the token was going to be listed on Coinbase and Binance when those platforms had made no such announcement. Almost all smart contract auditing services publish their audits online.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
Risks can be reduced by storing most funds offline, and only bringing those assets needed for the specific transaction. Any funds sent to, or left within, a smart contract, are at increased risk of loss.
Store the majority of funds offline. Offline means that the private key and/or seed phrase is held exclusively by you and is not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, and steel wallet devices.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Platforms can reduce the risks of fraud such as this by providing more education to their users. They can also work together to create an industry insurance fund to assist affected users.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
Regulators can reduce the risks by standardizing the third party validation process and ensuring that all blockchain-based projects have been reviewed by at least 2 separate entities. Regulators can run educational programs to ensure citizens are well educated to know how to look up the status of a project. Finally, an industry insurance fund can be established to assist in the event that validation fails to catch a problem or the educational outreach fails to prevent a major loss.
All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not have been used within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] Polkametaverse Homepage (Jan 15, 2022)
- [2] Polkametaverse Whitepage (Jan 15, 2022)
- [3] Polkametaverse - ICOHolder (Jul 18, 2023)
- [4] Polkametaverse Airdrop - Airdrop Alert (Jul 18, 2023)
- [5] https://www.95pm.com/index.php/category-23.html (Jul 18, 2023)
- [6] Polkametaverse (POKA) - The Bit Times (Jul 18, 2023)
- [7] [Fake] SMART CONTRACT AUDIT REPORT for Polkametaverse Safety Module - PolkaMetaverse Website (Jan 15, 2022)
- [8] polkametaverse - "Airdrop from our side for the community Please share your BNB address here and we will send 500 POKA tokens to first 100 People" - Twitter Archive January 11th, 2022 2:49:59 PM MST (Jan 15, 2022)
- [9] polkametaverse - "Airdrop is Live https://polkametaverse.io/#airdrop Every participant can get 10 POKA tokens by participating in airdrop. Copy and share your referral link to your friends. After the airdrop ends, POKA tokens will be automatically distributed to your submitted BNB wallet address." - Twitter Archive January 12th, 2022 10:56:29 AM MST (Jan 15, 2022)
- [10] Is Polkametaverse (POKA) a Scam Project? - CryptoLeda (Jul 18, 2023)
- [11] Peckshield - "#ScamAlert We notice that a project named so-called @polkametaverse claims audited by PeckShield, which is not true. The audit report posted on their website is forged. Thanks!" - Twitter (Jan 15, 2022)
- [12] Polkametaverse Deployer Address - BSCScan (Jan 15, 2022)
- [13] https://bscscan.com/address/0x669be6bdb16c26ad99fca4c1ee6b814ede5676c9 (Jul 18, 2023)