Details of the Exploit
Ordinals Finance is a project that claimed it would build a protocol for developing decentralized finance (DeFi) applications on Bitcoin. However, this claim was false since the project used Ethereum to create its native $OFI token.
The rugpull happened on the Ethereum chain where funds worth 1,015,192 $USD have been stolen. The deployer withdrew $OFI tokens from the OFIStaking contract using a privileged function and swapped claimed tokens for $WETH before consolidating funds into one account under their control with the newly deployed OEBlock Token also being used in the attack. Two deployer-related EOA addresses were identified as accomplices in draining WETH/OFI UniswapV2 pools using $OFI tokens while transferring 551 $ETH to TornadoCash.
1,015,192 $USD or 551 ETH
List of all the indicators associated with the attack
| Indicator | Type | Chain | Notes |
|---|---|---|---|
| https://etherscan.io/address/0x905bb31444b533c1e770e8a018256775c2fc7f6e | Scammer Address | ||
| (Also OFI Deployer) | Mainnet | Scammer Address | |
| (Also OFI Deployer) | |||
| https://etherscan.io/address/0xa14AdAA48aAAbD897528700c05C9EFc89A591550 | Attacker EOA 1 | Mainnet | OEBlock: Deployer |
| https://etherscan.io/address/0x524570E6427f4264E0f3e0514cE84474eDfa058a | Attacker EOA 2 | Mainnet | ofitreasury.eth |
| https://etherscan.io/address/0x34ea995288446d2dee439b787b51c9c29cd25ccf | Attacker EOA 3 | Mainnet | Attacker EOA 3 involving with Money Laundering |
| https://etherscan.io/token/0x419e35e3515c2fdb652c898bf7a0b21fb20497dc | Ordinals Finance (OFI) Token Contracts | Mainnet | |
Attack Timeline of Block Explorer Tx (color coded red) and Forta Alerts (color coded green)
| DataTime in UTC | Link | Stage | Notes |
|---|---|---|---|
| Feb-19-2023 02:43:35 PM +UTC | https://etherscan.io/tx/0x88471c412716747ca2296fd2b7e0de9735bd8f69824c92d5a90ad6d0fb607b86 | Funding | 24.9 ETH to |
| (Ordinals Finance: Deployer) | |||
| Feb-19-2023 03:29:59 PM +UTC | https://etherscan.io/tx/0xd28c8e81c69dd4c95d3355f7de5727f7a3b1bdf2bc01c3a1e142dd2551d7a00a | Contracts Creation | |
| Feb-20-2023 05:00:11 PM +UTC | https://etherscan.io/tx/0x87ffd4cea3e625d50a83b023d4b5eb79828b7a8c05dbc85567ca5ce6273526c0 | Preparation | OFI And 10 Ether Liquidity To Uniswap V2 |
| Fri, 21 Apr 2023 18:01:11 GMT | https://explorer.forta.network/alert/0xfe45148601821fcd0e72eba27ed63a954f6d152cb48f2c46f528a7909eb2edb2 | Exploitation | |
| Feb-28-2023 06:14:11 PM +UTC | https://etherscan.io/tx/0x9c472a3e7681f98fed9d34b271c54d2dd57310f4582acfdec3467e6cf94682e2 | Exploitation | Create: OFIStaking |
| Apr-24-2023 03:18:23 PM +UTC | https://etherscan.io/tx/0xfb5243a85caf24142fd209bc44cfc9026b42f0f62eb12d11780c468009175e68 | Exploitation | |
| Mon, 24 Apr 2023 15:18:23 GMT | https://explorer.forta.network/alert/0x5cb5a6f8ede96e0ae74434f2a4b683187200c0901bffcd4951d4c9641c6e8748 | Exploitation | Alert: Liquidity Pool Removed |
| Mon, 24 Apr 2023 15:33:36 GMT | https://explorer.forta.network/alert/0xbf44795e4a73b3f9debae12a1e35d91172ddaeed2ace87142e80fdcbba46df5c | Exploitation | Alert: Attack detector identified an EOA with behavior consistent with an attack |
| Apr-24-2023 03:55:35 PM +UTC | https://etherscan.io/tx/0x4820b9fdb85e35870eb4268c67ab9eac08027d4ecd815ed675ce43c82eba0777 | Exploitation | EOA 2 (ofitreasury.eth) |
| 72.4 ETH to EOA 3 | |||
| (0x34ea995288446d2dee439b787b51c9c29cd25ccf) | |||
| Apr-24-2023 03:55:59 PM +UTC | https://etherscan.io/tx/0x50d01f5e553b59d44a6f784c9f3e389bdd34972f4d35fab76bf3a57a6c713294 | Exploitation | (Ordinals Finance: Deployer) |
| 85.5 ETH to EOA 3 (0x34ea995288446d2dee439b787b51c9c29cd25ccf) | |||
| Apr-24-2023 04:03:35 PM +UTC | https://etherscan.io/tx/0xd652e66f40135b61051f8be597071345b10fd4f3e31631db2d4c7b7e694208b6 | Exploitation | EOA 1: |
| (OEBlock: Deployer) | |||
| 384 ETH to EOA 3 | |||
| (0x34ea995288446d2dee439b787b51c9c29cd25ccf) | |||
| Mon, 24 Apr 2023 16:58:23 GMT | https://explorer.forta.network/alert/0xec867f54a5832a43384417b6ffa4051630e1abbcc1bcab9d63ddd2fb620b4f0b | Money Laundering | [Alert: Possible Money Laundering With Tornado Cash] |
| Transfer100 ETH TO Tornado Cash | |||
| Apr-24-2023 05:02:23 PM +UTC | https://etherscan.io/tx/0x6317827f798fc2998d9087c687949c484c0dde3ceb601333d2de15dda0f7b803 | Money Laundering | Transfer100 ETH TO Tornado Cash |
| Mon, 24 Apr 2023 16:58:47 GMT | https://explorer.forta.network/alert/0x9f83c48d621d91e305539851ee45e0f86a58ebb916a3c3ec0ec3d679446a362a | Money Laundering | [Alert: Possible Money Laundering With Tornado Cash] |
| Transfer100 ETH TO Tornado Cash | |||
| Apr-24-2023 04:58:47 PM +UTC | https://etherscan.io/tx/0xb191e4d8597253c5a8d9d81d5149fe2f3496e0e97d52b4aa3dbfa3b679fa184e | Money Laundering | Transfer100 ETH TO Tornado Cash |
| Mon, 24 Apr 2023 16:58:59 GMT | https://explorer.forta.network/alert/0x836dbe13402b15f7c78d262afbd5da671f9765f7961f7a13d494c50c4169b955 | Money Laundering | [Alert: Possible Money Laundering With Tornado Cash] |
| Transfer100 ETH TO Tornado Cash | |||
| Apr-24-2023 04:58:59 PM +UTC | https://etherscan.io/tx/0x2473954264d2db7902db1d70509558fb45645c427a8a3cc270988ee6dffe4761 | Money Laundering | Transfer100 ETH TO Tornado Cash |
| Mon, 24 Apr 2023 17:02:23 GMT | https://explorer.forta.network/alert/0x38f901f672d789b591b207cb1b7937fa4f1659c45bccd023900eee05717041b9 | Money Laundering | [Alert: Possible Money Laundering With Tornado Cash] |
| Transfer10 ETH TO Tornado Cash | |||
| Apr-24-2023 05:02:23 PM +UTC | https://etherscan.io/tx/0x809d422db6a1a324e0ee3a6a238594911c57f5c3ff4e4e1b8a732160411e6ba0 | Money Laundering | Transfer10 ETH TO Tornado Cash |
| Mon, 24 Apr 2023 17:04:11 GMT | https://explorer.forta.network/alert/0xbda6287bf4129ca0f5627491d97b9c00d740c9354bf0cc82fc7d2a4340616e15 | Money Laundering | [Alert: Possible Money Laundering With Tornado Cash] |
| Transfer10 ETH TO Tornado Cash | |||
| Apr-24-2023 05:04:11 PM +UTC | https://etherscan.io/tx/0x1e8b1b6123197e3f76eee1c0f1580390795a836197b721ebba6488f993442b9d | Money Laundering | Transfer10 ETH TO Tornado Cash |
| Mon, 24 Apr 2023 17:04:11 GMT | https://explorer.forta.network/alert/0xdce9a9a0c41b5068fbdae776aa79999ca73a3f627b07fab24371675adc8f7d06 | Money Laundering | [Alert: Possible Money Laundering With Tornado Cash] |
| Transfer10 ETH TO Tornado Cash | |||
| Apr-24-2023 05:04:11 PM +UTC | https://etherscan.io/tx/0xe0c07e0c1c44c9eee151cd6106a272c1698db203b3070d98381b30e3eaa2cbb0 | Money Laundering | Transfer10 ETH TO Tornado Cash |
| Mon, 24 Apr 2023 17:04:11 GMT | https://explorer.forta.network/alert/0xf29db490ed7f155091e0f2edce789198fc674b44d77267eccc447575fd490619 | Money Laundering | [Alert: Possible Money Laundering With Tornado Cash] |
| Transfer10 ETH TO Tornado Cash | |||
| Apr-24-2023 05:04:11 PM +UTC | https://etherscan.io/tx/0x66cfca57b5cbd11d991f4b70bb76565c74545e4fba1c5f8a0444bcdd649c73a2 | Money Laundering | Transfer10 ETH TO Tornado Cash |
| Reference | Relevance |
|---|---|
| Website | https://ordin.finance/ |
| • PeckShieldAlert | https://twitter.com/PeckShieldAlert/status/1650699263171760131 |
| • Token Contract Address | https://etherscan.io/token/0x419e35e3515c2fdb652c898bf7a0b21fb20497dc |
| • Source 1 | https://cryptoslate.com/ordinals-finance-carries-out-1m-exit-scam/ |
| • Source 2 | https://twitter.com/CertiKAlert/status/1650543396514148357 |
| https://twitter.com/ordinalsfinance | |
| • Telegram | https://t.me/OFIC_hannel |
| • |
How we can avoid hard Rugpull: