Hackers Are Targeting Abandoned Meme Tokens in Almost-victimless Crime


An opportunistic hacker has been draining the remaining liquidity from abandoned token pools in what some have called an almost-victimless exploit.

The attacker uses flash loans from DeFi protocol Balancer to borrow a significant amount of money. They then redirect those funds to drive up the volume of a chosen token’s pool.

Once the volume of the pool increases, the attacker drains the remaining liquidity from the pool and returns the money it borrowed from the flash loan.

These attacks were first spotted by Giorgi Khazarade, the CEO of Aurox, when he was testing to find bugs and data inconsistencies in Aurox’s screener functionality.

“I noticed one token (CATOSHI) had nearly $2M in volume but $0 in liquidity, which is extremely odd,” Khazarade told Blockworks. “I thought it was a bug but when looking more into it, I found the stats our platform displayed were correct.”

In the CATOSHI exploit noted by Khazarade, the hacker borrowed an estimated $184 million in wETH through a flash loan, using approximately $1 million from that loan to purchase CATOSHI tokens.

According to a CATOSHI white paper that was published in 2022, the token had launched on Ethereum with an initial supply of 21 million. This amount was later burnt down to 11 million.

CATOSHI’s tokenomics were a reworked version of reflect finance’s (RFI) frictionless yield generation code. It included a 6% tax, where 3% of it was redistributed to holders, 2% was burnt and 1% was directed to a charity wallet.

This means that token holders would be given a 3% redistribution reward whenever anyone bought or sold the CATOSHI token.

After purchasing over 166K in CATS, the attacker bridged the tokens onto the BNB chain. There they sold the tokens for roughly 10 BNB, leaving them with a total profit of $3,000-$4,000. The remaining funds were returned to pay back their flash loan.

Khazarade noted that another token, IMMORTAN, also saw a similar fate.

“I noticed a second token (IMMORTAN) in our Screener with similar stats,” Khazarade said. “Large volume and just a couple hundred dollars in liquidity. A similar attack using flash loans had been launched against that token multiple times over the past week to drain the liquidity pool of about $2-3k.”

Similar to CATOSHI, IMMORTAN also had redistribution awards. According to its white paper published in 2021, a 10% tax was applied to buyers and sellers, with 8% of that tax being redistributed to holders and 2% given to the development team for operational purposes.

“In this instance though, he executed the attack a lot. In fact, he’s still doing it even though there’s ~$100 in liquidity left. He’s basically trying to drain every penny of it,” Khazarade said. “Each attack only yielded a small amount of profit, and by my estimates, he made a combined ~$3k.”

CATOSHI and IMMORTAN are not the only tokens that have had their pools completely drained. More recently, Khazarade noted that the attacker extracted $4,000 in ETH from CATS V3. A project named ​​CRAB has also seen $2,000 in ETH cleared from its pools.

Just yesterday, the attacker used a similar method to extract WEEB of almost $30,000 in ETH liquidity.

“I’m not 100% certain but it seems like [the attacker] routinely deployed malicious smart contracts that abuse a variety of tokens and drain their liquidities,” Khazarade said.

“Some seem to be specialized which only attack one individual token, whereas other contracts can do it for various tokens…probably because the tokens use some template code with the same bug.”