Ordinals Finance, an Ethereum-based decentralized finance (DeFi) protocol that allows users to lend and borrow inscriptions, has been accused of performing an exit scam, also known as a “rug pull.”
In an April 24 press release seen by Cointelegraph, blockchain security firm CertiK reported that the protocol’s developer pulled 256 million OFI tokens out of its smart contracts using a “safuToken” function. Another 13 million OFI was removed through an “ownerRewithdraw” function, bringing the total number of tokens withdrawn to 269 million, CertiK stated.
#CertiKSkynetAlert— CertiK Alert (@CertiKAlert) April 24, 2023
We can confirm that the @ordinalsfinance exit scam has resulted in a loss of $1 million.
All social media accounts have been deleted as well as the project's website.
Funds have been consolidated into EOA 0x34e…25cCFhttps://t.co/0Pwlt3yibm https://t.co/RA7vSjNajI
According to the blockchain security firm, the total loss to investors is $1 million. CoinGecko data shows that the market capitalization for OFI was $2.3 million before the alleged exit, but it fell to slightly over $143,000 afterward. This implies that losses were more than $2 million. However, some OFI token owners may have sold as the news broke, which may account for the lower amount being reported by CertiK.
Blockchain data shows that the Ordinals deployer account withdrew over 256 million OFI tokens using the safuToken function. These funds were allegedly sent to a separate Ethereum account through multiple transactions. Blockchain data shows that this address received OFI from multiple addresses before depositing the tokens into Tornado Cash.
The project's Twitter account appears to have been deleted.
Further investigation reveals that after receiving the 256 million OFI, the deployer account made 12 separate transactions swapping OFI for Ether (ETH).
The deployer then transferred over 85.5 ETH to the account ending in “cCF,” at which point it was deposited into Tornado Cash.
The safuToken transfer was executed on a contract labeled “OEB Staking.” This function is listed at the bottom of the file, on lines 1445-1450, and appears to allow the “owner” of the contract to transfer all staked tokens to itself.
The deployer account also made multiple calls to the OFI Staking contract to transfer tokens to itself, each time using a function on lines 305–308 called “ownerRewithdraw.” It appears to allow the owner to withdraw any amount of tokens from the staking contract, as long as the balance in the contract is greater than a variable called “totalOwedValue.”