YBY-ETORO Phishing and Scamming
Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
YBY ETORO claims to be a popular and widely used decentralized application. However, once authorized, the service can take funds. The service claims to have been audited by CertiK, however this is not the case. Their website has been updated to claim an audit from SlowMist, including a downloadable document. So far, at least $124k has been sent to the smart contract.
About YBY-ETORO
"A better, smarter contract.Explore the ultimate user experience and best engineering practices." "YBY-ETORO is one of the most popular decentralized platforms, ever. And those users are now entrusting the platform with over $5 billion in funds."
"YBY-ETORO is a blockchain agreement. It is like a decentralized central bank that establishes a currency market through smart contracts. The money market is based on the supply and demand of assets, and the interest rate of the asset pool is derived through algorithms. Providers of USDT assets (participants, we call them "miners") , directly interact with smart contract agreements without any actual mortgage, and automatically earn floating interest rates, without negotiating maturity and interest rates or collateral,and other with peers or counterparties Terms."
"It allows USDT holders to automatically explore the borrowing needs of the currency market, and automatically match higher interest orders, after agreeing to authorize the execution of this contract (becoming a "miner"). It is an AMM mechanism and an automatic quantification procedure. Your deposit is always in your own wallet without withdrawal, and you can withdraw the interest earned to your wallet at any time. Become a "miner", hand over to the smart contract agreement, and automatically earn income!"
"The crypto economy is a radical new imagining of the future of work. Open protocols will create transparency and opportunity, enabling anyone in the world to contribute their talents to a global economy. We want to support this vision and build the new coordination mechanisms of the internet age."
The Reality
"YBY-ETORO is identified as a scammer project. CertiK never performs any audits and interact with this project. Please do not connect your wallet and with the scammer address."
YBY-ETORO released a smart contract audit report which they claimed was from SlowMist[3]. This document was contained a standard SlowMist header, however only mentioned one reviewed function[3].
What Happened
Scammers deployed a YBY-ETORO project and successfully tricked users into depositing at least $124k into the smart contract.
| Date | Event | Description |
|---|---|---|
| October 23rd, 2021 | Domain Set Up | The YBY-Etoro domain name is set up[4]. |
| December 7th, 2021 8:18:31 AM MST | Report On Reddit | Reddit user SnooMarzipans3826 reports that their friend was introduced to the YBY-Etoro service a few days ago. He describes the scheme as "pretty sophisticated and looks very legit as your funds stay on your wallet at all times, and you receive real rewards in ETH that you can convert to USDT in the app, then withdraw to your coinbase wallet"[4]. |
| December 11th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
| December 13th, 2021 10:55:00 AM MST | CertiK Warning Tweet | CertiK posted a tweet to notify the community that they did not perform any audit or other services for the YBY-ETORO smart contract[7]. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
So far, at least $124k has been sent to the smart contract.
The total amount lost has been estimated at $124,000 USD.
Immediate Reactions
CertiK shared a warning on Twitter.
CertiK Warning Tweet
CertiK posted a tweet to notify the community that they did not perform any audit or other services for the YBY-ETORO smart contract[7].
YBY-ETORO has been identified as a scam project.
CertiK has never performed any audit or service despite the claims on their website.
Please do not connect your wallet with the address shown in SkyTrace.
Amount scammed: ~30K (8 ETH)
Ultimate Outcome
TBD
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
TBD
Individual Prevention Policies
Individuals need to be cautious for all new platforms and always verify any security audits which a platform claims to have been performed. Most of the smart contract auditing companies will provide the information about all platforms they've reviewed publicly on their website.
Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
In this case, the platform had no actual validation performed. Users need to be educated to know where and how to check for which platforms have been reviewed. An industry insurance fund can help standardize the information and ensure the quality of validation, and assist in the event of lost funds.
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
In this case, the platform had no actual validation performed. Users need to be educated to know where and how to check for which platforms have been reviewed. An industry insurance fund can help standardize the information and ensure the quality of validation, and assist in the event of lost funds.
Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.
Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ CertiK Blockchain Security Leaderboard (Jan 4, 2022)
- ↑ No Title (Jan 5, 2022)
- ↑ 3.0 3.1 3.2 3.3 "Smart Contract Security Audit Report" from "SlowMist" - YBY-Etoro (Jan 5, 2022)
- ↑ 4.0 4.1 SnooMarzipans3826 - YBY-ETORO Cloud farming SCAM - Reddit (Jan 5, 2022)
- ↑ https://www.reddit.com/media?url=https%3A%2F%2Fpreview.redd.it%2Fo6bjgurd05481.png%3Fwidth%3D1173%26format%3Dpng%26auto%3Dwebp%26s%3Dc279c1eeeb999aa7ba1d7272465034b2d664ea53 (Sep 7, 2023)
- ↑ https://www.reddit.com/media?url=https%3A%2F%2Fpreview.redd.it%2Fzz4mxm85y4481.jpg%3Fwidth%3D828%26format%3Dpjpg%26auto%3Dwebp%26s%3D5d3dd0b73f2bf22bdd85ef3e771bb78ce3fddbe0 (Sep 7, 2023)
- ↑ 7.0 7.1 CertiK.org - "YBY-ETORO has been identified as a scam project. CertiK has never performed any audit or service despite the claims on their website. Please do not connect your wallet with the address shown in SkyTrace. Amount scammed: ~30K (8 ETH)" - Twitter (Jan 5, 2022)
- ↑ Address 0x048541809c8e9c75538d7416f40b9f83fa70069b | Etherscan (Jan 5, 2022)
- ↑ https://certik.com/skytrace/eth:0x048541809c8e9c75538d7416f40b9f83fa70069b (Sep 7, 2023)
