Poly Island — Why the Island is covered with a storm of spurn?

June 3, 2022


Polygon network is rapidly growing and beating its own numbers and records. A week ago, Polygon announced on Twitter that more than 19,000 decentralized applications (dApps) are running on its network. That is a 500% increase from 3,000 dApps in October, per Alchemy data.


Among the 19,000 dApps launched on Polygon, our attention today is on one in particular, called Poly Island. Checking recent Twitter activity, you will notice plenty of complaints that the project has been rug-pulled. Let's dive deeper to find out why Poly Island became a notorious experience for plenty of Polygon users.

What is Poly Island?

Poly Island is a crypto game built on the Polygon network.

Here’s how the project was announced to the community:

"By playing the unique financial blockchain game Poly Island, you can build your own resort town on a tropical island and earn MATIC crypto! Each building has its own area, number of floors and number of rooms, so some buildings may require more construction materials than others. You can buy bricks with coins or MATIC.

Rent out living spaces to tourists, build amusement parks, entertainment centers, restaurants and hotels and get your profit — coins! The more expensive the building, the more profitable the business! Withdraw the coins you get and instantly receive MATIC cryptocurrency to your wallet.

You can use the coins you get to buy more bricks to continue expanding your business and developing your enterprise, or immediately exchange them for MATIC.

The exchange rate is fixed: 1 MATIC = 250 bricks, 250 coins = 1 MATIC, 0.8 coins = 1 brick"

The project was launched on April 17, 2022. After that, the project's community and the number of participants grew tremendously.
By May 10, the contract balance reached 867,287 MATIC tokens.

Players were able to receive rewards for being active participants on the platform. A user was able to buy bricks with MATIC and earn coins, then sell coins and receive MATIC. The main logic of accumulating rewards is that rewards are paid from the deposits of the other users of the system.

The day when the storm started

On May 10, 2022, the contract owner started to withdraw MATIC from the contract balance.
The owner sold 2,000,000,000 coins and received 80,000 MATIC from the contract balance. Part of that MATIC was then withdrawn via Tornado Cash in the following steps:

  1. 26,000 MATIC and then 27,000 MATIC were transferred to the following address: 0x6108d7cdd56e189598d7d8acd516452e328980bf
    Transaction 1
    Transaction 2
  2. Then tokens were bridged to the Ethereum blockchain
    Transaction 3
  3. After that, the funds were sent to Tornado Cash
    Transaction 4

Starting from May 10, 2022, all public channels were deactivated, as was the website, which was the only place where a user could interact with the contract and withdraw funds.

What’s happening on the Island today?

A peculiarity of the Poly Island contract is that it has only one external function, a fallback() function. Hence, in order to interact with the contract, a user needs to pass calldata.

We can observe a daily airdrop in the contract. As of now, it is one of the possible ways to withdraw funds from the contract, and the owners surely know it. As a result, we can see some wallets systematically draining the contract balance every day. Here are some of the addresses:

  • 0x1f4AdAd753eB2a08c0Fc7068Fd0559B5cf625DC1
  • 0x85Afd5E37a7356A3b18B259DCf4397bc481E4739
  • 0x15D9b49C4D412e8A5b2BD00cf040C95F6ed9f516
  • 0x883EAe55EdDd6f9bd70694E77666b0E799B9Efb8
  • 0xA806A09c794F30df21c7182bEDAF439d27744369

After these addresses withdraw MATIC from the Poly Island Rugpull contract, they redirect the funds into the following contract: 0xefe712efde6e489b820a78fc43c84c08d9a841cd

The contract code is not verified, but it contains a fallback. Hence, once MATIC is received, it is transferred to the following address: 0x400ec4be805380686a21b150dd237a618677fe49. Right after that, the funds are forwarded to a KuCoin wallet.

Reviewing the contract, we can state that the contract balance is actively decreasing. As of May 31, 2022, around 138,980 MATIC is left on the contract balance (that is around $93,144).

Is there any chance to withdraw funds for the deceived users?

Despite the draining balance, there is still a chance.

The picture above shows what the fallback command handling looks like. Depending on the command passed via calldata, a different function is executed:


Step 1
The first thing a user should do is claim uncollected coins, in the same way as claiming coins from the daily airdrop. To do so, the following calldata needs to be passed in the transaction call: 0x01020101.

  • “0102” - the command calls the claim() function and collects airdropped coins for the player;
  • “0101” - the command calls the claim() function and goes to the first branch to collect coins.

Step 2
As the second step, the user needs to sell the rewards collected in Step 1 and receive MATIC back:

  • In the calldata 0x050001e7abc0, the command “05” triggers execution of the sell() function, while 0001e7abc0 is the amount of coins to be sold. In this example, the value 0001e7abc0 is equal to 31960000 coins.
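
The two calldata formats from Steps 1 and 2, as an added Python example (not code from the contract or from this article's authors): it builds the sell calldata and decodes calldata sent to the fallback, which is also useful for classifying transactions seen on the contract. It assumes the sell amount is always a 5-byte big-endian field, as in the 0001e7abc0 example; the function names and sample inputs are illustrative.

```python
CLAIM_CALLDATA = bytes.fromhex("01020101")  # claim sequence quoted in Step 1
SELL_COMMAND = 0x05                         # sell() command byte from Step 2
SELL_AMOUNT_BYTES = 5                       # assumption: width of the 0001e7abc0 example


def _to_bytes(calldata_hex: str) -> bytes:
    """Accept '0x'-prefixed or bare hex; raises ValueError on bad input."""
    text = calldata_hex.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def encode_sell(coins: int) -> str:
    """Build calldata for selling `coins` (command byte + big-endian amount)."""
    if not 0 < coins < 1 << (8 * SELL_AMOUNT_BYTES):
        raise ValueError("amount does not fit the 5-byte field")
    amount = coins.to_bytes(SELL_AMOUNT_BYTES, "big")
    return "0x" + bytes([SELL_COMMAND]).hex() + amount.hex()


def decode(calldata_hex: str) -> dict:
    """Classify calldata using only the commands documented in the article."""
    try:
        data = _to_bytes(calldata_hex)
    except ValueError:
        return {"action": "invalid"}
    if data == CLAIM_CALLDATA:
        return {"action": "claim"}
    if data[:1] == bytes([SELL_COMMAND]):
        if len(data) != 1 + SELL_AMOUNT_BYTES:
            return {"action": "malformed_sell"}
        return {"action": "sell", "coins": int.from_bytes(data[1:], "big")}
    # Any other command byte is not described in the article.
    return {"action": "unknown", "command": data[:1].hex()}


# Constructed sample inputs (not real transactions)
SAMPLES = ["0x01020101", "0x050001e7abc0", "0x05ff", "0x09", "zz"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, decode(sample))
```
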

Final word

Unfortunately, from time to time we come across projects like Poly Island that are not fully legitimate or safe for the end user. We always insist on and recommend reviewing a project's legitimacy before investing funds in it.

It is also worth mentioning that Hazecrypto, one of the companies that audited Poly Island, provided a service that players can use to withdraw their locked funds.

To find out more about Vidma and our blockchain security audit services, please check the website - www.vidma.io
