Source Interpretation: Has the popular Er Jiu Coin really run away?

Fourteen Lords
2022-07-31 19:15:01
By interpreting the smart contract source code of the Er Jiu coin and combining it with a retrospective analysis of on-chain transaction records, we can reconstruct the project team's on-chain operations and analyze the origins of this case.

Author: Shisi Jun

Summary

The Er Jiu coin has arrived, but Er Jiu has run away. I believe you have already been bombarded with such news today. So, did he really run away?

In short, the so-called Er Jiu coin, which a security expert tweeted about on Twitter, triggering countless media reposts, has not actually run away. On the 31st, the project team voluntarily relinquished its project administrator privileges.

Debunking a rumor requires evidence. The author will interpret the smart contract source code of the Er Jiu coin and combine it with the on-chain transaction records to reconstruct the project team's on-chain operations.

First, I declare that I am not part of the project team and do not hold any Er Jiu coins. This article is purely from a technical research perspective.

Background

Tracing back the spread of this news, it began with a tweet from a certain security expert on Twitter, which was then reposted by countless media outlets. The original text is shown in the image below:


From Twitter, see appendix link

As rumors go, the post is very convincing, with strikingly professional descriptions, and Tornado Cash is indeed a common method for laundering money. But is it really so? How was the loss of $1.3 million calculated?

The project team also responded:

Initially, the project team intended to reward their Twitter followers through an airdrop to increase their follower count.


From Twitter, see appendix link

Looking at it this way, it does seem like they are about to run away.

Analysis

This coin is deployed on BSC (Binance Smart Chain) and its source code has been verified as open source; the evidence can be found at the addresses below.

For how to use a blockchain explorer, see the earlier article:

What Are We Looking at When We Look at Etherscan?

Project team address:

0x469de2c6357666c69156722e83136ad1919a70aa

Er Jiu coin contract address 1:

0x6e7ad49f67a9fa80d50f9659c3fc938296d68b58

Er Jiu coin contract address 2:

0xe67cff48da0156e7978bc5a9a44d516a48d2a1d6

The author started writing this article at 3 PM on July 31st and found a total of 1686 on-chain transactions for the Er Jiu coin.

In the initial deployment operation, the project team sent themselves 1,000,000,000,000,000 Er Jiu coins.

Initial deployment, from bscscan, see appendix link 3

The initialization function during deployment had significant modifications, mostly related to the interaction methods for constructing the transaction pool. However, the core part that generates and transfers assets is shown in the following code snippet, which indicates that whoever deploys it will mint it all at once for themselves.

Note: The constructor is the initialization function of the contract, which is called and executed only once during contract deployment and cannot be executed later.


Giving everything to themselves at the start looks more and more like a sign of a rug pull; no wonder others are spreading rumors about them.

However, to run away with funds, an issuer needs a trading pool on an exchange where the coin can be swapped for other assets. It is not difficult to issue a coin on the blockchain; you can issue a coin with just 5 lines of code. Never mind 10 billion tokens: you can even issue tokens with 78 zeros after 10, because the standard ERC20 stores balances as uint256, with a maximum value of 2**256.

So, can this token be directly exchanged?

The source code totals 3000 lines, which not only includes the standard ERC20 and most common supporting plugins but also contains embedded exchange code for connecting to the trading pool.

To run away, there must be some fund interactions:

  • Either other addresses trade with the contract
  • Or the project team exchanges from the trading pool themselves

The author found that among all the contract transactions of the Er Jiu coin, there was only one transaction with a value of BNB, which injected only 0.126 BNB.


From bscscan, batch download of contract transaction records

The Er Jiu coin already has a large number of transfer records on exchanges (8K records), and over 1600 addresses currently hold Er Jiu coins. However, to determine whether the project team has run away, we need to look at how many of the tokens it held at issuance were converted into other tokens through the pool.

Tracking the records of the large-scale token distribution to themselves by the project team, apart from the 1,000,000,000,000,000 they sent to themselves during deployment, there is only the transfer operation in the second row of the above image, where the project team transferred 990,000,000,000,000 of their tokens to the zero address.

Burned 99% of the tokens, from bscscan, see appendix link 4

Furthermore, tallying all transactions from the project team's address shows that the only transaction was the project team exchanging Er Jiu coins for 1.3 BNB through PancakeSwapV2. Note: The current price of BNB against the US dollar is $271 per BNB.

So, did they run away for a few hundred dollars?


From bscscan, batch download of contract transaction records

So why does the claim of $1.3 million exist?

A wild guess might be that this security expert thought the amount transferred out was $1.3 billion? Then thought it was too outrageous and assumed that "B" meant million instead of billion?

Of course, it is true that the tokens in the trading pool account for only 0.55% of the total, because the project team burned 99% of the tokens. However, their burning did not modify the totalSupply (which is indeed expected, as their burning did not call the standard Burn method).
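The supply accounting described above, replayed as an added example (not code from the article or the project): a transfer to the zero address parks tokens there without touching totalSupply. The mint and burn amounts are the article's figures; the pool address and the pool deposit are constructed placeholders chosen to match the 0.55% figure.

```python
from collections import defaultdict
from fractions import Fraction

ZERO = "0x" + "00" * 20
DEPLOYER = "0x469de2c6357666c69156722e83136ad1919a70aa"  # project team address (from the article)
POOL = "0x" + "bb" * 20                                   # constructed placeholder, not a real pool

# Constructed transfer log in whole tokens. Mint and burn amounts are the
# article's figures; the pool deposit is an assumption matching its 0.55%.
TRANSFERS = [
    (ZERO, DEPLOYER, 1_000_000_000_000_000),   # constructor mints everything to the deployer
    (DEPLOYER, ZERO, 990_000_000_000_000),     # "burn" done as a plain transfer
    (DEPLOYER, POOL, 5_500_000_000_000),       # assumed liquidity deposit
]

def replay(transfers):
    """Rebuild balances and totalSupply the way a plain ERC20 ledger would."""
    balances, total_supply = defaultdict(int), 0
    for src, dst, amount in transfers:
        if src == ZERO:
            total_supply += amount             # a Transfer from the zero address is a mint
        else:
            if balances[src] < amount:
                raise ValueError(f"{src} overspends")
            balances[src] -= amount
        balances[dst] += amount                # sending to the zero address only moves tokens
    return balances, total_supply

def supply_report(transfers, pool=POOL):
    """Compare the pool's share of totalSupply with its share of spendable tokens."""
    balances, total = replay(transfers)
    parked = balances[ZERO]                    # unspendable, but still counted in totalSupply
    spendable = total - parked
    return {
        "total_supply": total,
        "parked_at_zero": parked,
        "spendable": spendable,
        "pool_pct_of_total": Fraction(balances[pool] * 100, total),
        "pool_pct_of_spendable": Fraction(balances[pool] * 100, spendable),
    }

if __name__ == "__main__":
    for key, value in supply_report(TRANSFERS).items():
        print(f"{key}: {float(value) if isinstance(value, Fraction) else value}")
```
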

So far, it can indeed be said that the project team has not maliciously profited much from this, and they also questioned the rumor initiators but did not receive a reply.


From Twitter, see appendix link

Relinquishing Management Rights

On the afternoon of the 31st, facing the rampant rumors, the project team made a decisive move by relinquishing their administrator privileges.


As seen in the image above, the last two transaction operations from the project team address involved transferring ownership of the two Er Jiu coin contract addresses to the zero address.

Can this really completely relinquish the new minting rights like the Monkey NFT?

It can indeed.

The method to renounce ownership sets the _owner to the zero address, and as a result, all methods in the contract that are modified by onlyOwner will no longer be callable.

The inaccessible functions are approximately 20 in number, and the most important aspect of clearing administrator privileges is to eliminate the method for minting new tokens. In the entire 3000 lines of code, only _setBalance is the method that dispatches minting privileges. It does not have the onlyOwner modifier, but that is because it is an internal method: it cannot be called externally and can only be called by methods already defined within the contract.


The two functions that correspondingly use it are clearly modified by onlyOwner, so they will no longer be usable in the future.

![image](/upload/image/20220731/1659265908806147.jpg)

I further analyzed whether the storage balance variable _balances had any hidden backdoors under different names to bypass it, but I found none. As for whether there are other backdoors, that relies on the expertise of advanced contract auditing experts.
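The check described above (find every externally callable function that reaches `_setBalance` and confirm it carries `onlyOwner`), as an added example that is not from the article or the token's source. The Solidity fragment is constructed: only `_setBalance`, `_balances` and `onlyOwner` come from the article, the other function names are hypothetical, and `syncBalance` is a deliberately unguarded case for the check to catch. The regex parsing is a heuristic that ignores comments, strings and overloads.

```python
import re

# Constructed Solidity fragment, NOT the token's real source.
SAMPLE = """
contract Token is Ownable {
    mapping(address => uint256) private _balances;
    function _setBalance(address a, uint256 v) internal { _balances[a] = v; }
    function setBalance(address a, uint256 v) external onlyOwner { _setBalance(a, v); }
    function resetBalance(address a) public onlyOwner { _setBalance(a, 0); }
    function _rebalance(address a) internal { _setBalance(a, 1); }
    function syncBalance(address a) external { _rebalance(a); }
}
"""
HEADER = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")

def functions(src):
    """Map name -> (attribute words, body text), using brace matching for bodies."""
    found = {}
    for m in HEADER.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        found[m.group(1)] = (set(re.findall(r"\w+", m.group(2))), src[m.end():i - 1])
    return found

def calls(body, names):
    """True if the body calls any function in names."""
    return any(re.search(rf"\b{re.escape(n)}\s*\(", body) for n in names)

def audit_sink(src, sink="_setBalance", guard="onlyOwner"):
    """Return {entry point: 'guarded' | 'unguarded'} for functions reaching sink."""
    funcs, reach, grew = functions(src), {sink}, True
    while grew:                                # pull in unguarded internal wrappers
        grew = False
        for name, (attrs, body) in funcs.items():
            hidden = attrs & {"internal", "private"}
            if name not in reach and hidden and guard not in attrs and calls(body, reach):
                reach.add(name)
                grew = True
    return {name: "guarded" if guard in attrs else "unguarded"
            for name, (attrs, body) in funcs.items()
            if not attrs & {"internal", "private"} and calls(body, reach)}

if __name__ == "__main__":
    print(audit_sink(SAMPLE))
```

Any entry reported as `unguarded` remains callable after ownership is set to the zero address, so it needs manual review.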

Conclusion

The project team indeed did not run away. Perhaps the rumor was malicious, or perhaps their editor saw the drop and thought the project team transferred 1.3 BNB and assumed it was 1.3 million.

However, on-chain transaction records do not lie, and contract code does not lie. What is defined in the code will not change.

References:

Security expert's post:

https://twitter.com/WhoCares_News/status/1552659993530609665

Project team's reply:

https://twitter.com/SecondUncle_Dao/status/1553621587697381376

Er Jiu coin contract deployment transaction:

https://bscscan.com/tx/0xe51cf68ec605bbbce8f2784109faff98be9272824db8ebf5ad426fcfa1bca395

Project team received 1.3 BNB:

https://bscscan.com/tx/0x5c22ce9f185ad0907c08b60a9d36add51deed9b2b629527c48190bba0b2a5cdb

Project team transferred 1.3 BNB:

https://bscscan.com/tx/0xc3adb38d93c4b11b47f70a8af498dc114582392da80be8c6e7ee6783bd69b637
