Vidma Reviews the BSCU5 Project — A Scam to Steal your USDT with Fraudulent use of Audit Security Logos.
A user from our community reached out to us recently asking if the BSCU5 project is a trustworthy project or one to avoid. We did a deep dive to validate its security and trustworthiness; the red flags went up and scam alert alarm bells started to ring.
How BSCU5 can steal your USDT
First of all, if you enter the BSCU5 website, do not connect your wallet (unless you want to hand out your USDT unknowingly).
All the magic making your funds disappear from your account is hidden in the simple “connect wallet” step. After your wallet is connected to the BSC mainnet, and the receive button is pushed, the website requires you to approve USDT token to the address 0x03D775cDd7Cf8a59931553C9734a7e19942082dD
If you approve, you’ve just given permission to transfer USDT tokens out of your wallet at any time.
Hence, a good tip — You should always check the permissions and access you grant to a website via your wallet.
Let’s look at the screenshot above and check the message “https://bscu5.com may access and spend up to this max amount”. The approved amount is high enough to cover any amount of USDT in your wallet. What is the logic of this question and does it sound suspicious? The answer is yes.
There is also a section where it is possible to “withdraw money”. By “withdrawing” you will get no funds, but the scammer will “withdraw” all USDT on your balance.
Once you enter the amount to withdraw and click confirm, the approve function will be triggered once again to the address 0x03D775cDd7Cf8a59931553C9734a7e19942082dD. When this happens, your beloved USDT will slip from your wallet and into the wallet of a scammer.
The same scheme is applied for the Ethereum mainnet (but with the different address — 0xaf0d9c7d5ad2ae535017842038a2ad07eb16a150).
BSCU5 indicates they are “audited” — Is this really so?
This project indicates they’ve been audited but this might not be true. Unfortunately, many scam companies place the logo of a credible auditing firm on the website and write the announcement that they passed the security audit. But the truth is, an audit has never happened. Have you seen the report on the website or just the text and logo of the audit firm?
In a previous article, we found a project which was “audited” by Slither. But Slither is not an auditing firm, they provide a Solidity static analysis framework. This is a tool, they are not an auditing company.
You can check the article about Drip Network scam here — https://medium.com/@vidma_security/drip-network-what-is-hiding-deeply-behind-the-project-and-why-all-holders-funds-may-be-lost-4fb26effba1c
So, who is behind the BSCU5 security audit? On the website is a list of audits conducted by a few firms. No reports, just logos of Slowmist, Certik, and FairyProof. Good well-known names, right? In fact, these companies did not do an audit for the BSCU5 project, and there are no official announcements or reports provided by the auditing teams. Moreover, Certik confirmed on their Twitter account that BSCU5 wasn’t their audit client.
Hence, here’s another tip — The true detailed audit report is commonly shared publicly and mentioned on the audit company social media pages or website. Don’t trust all projects that say they have passed the security audit. Sometimes seeing a logo is a piece of fake information that manipulates you into subconsciously trusting that an audit has been done.
Buyer Beware and look for Red Flags
As a new industry still, around for less than 15 years since 2008, the Crypto community has plenty of untoward newcomers trying their luck with new projects that make unachievable promises or conduct outright fraudulent or scam activities. After tons of information on the shady reputation of some projects, there are still people who still tend to miss it or are not convinced. Money is still being stolen by the scam teams and the cycle is repeated.
The only solution left is to educate yourself, do a bit of research, and look for red flags in order to prevent scams and fund losses. Try to do business with only credible projects and people. Always check the additional sources of information if in doubt such as Audit logos as well as proper audit report information and announcements before putting your funds on the line. Mr. Google can be your buddy that will help you to find the relative information and confirm credibility before you will make crypto investments :)