FTM incentives program bug, and the rug pull that I found along the way...
So I just want to start this off by saying I love FTM; it has been one of my main chains for a while. But recently I discovered a fatal bug in their Incentives program, and much, much more...
So let’s first take a quick look at how FTM’s Incentives program is set up:
The main point of the Incentives program, which you can read more about here, is that it is based on TVL (Total Value Locked). To qualify, you must first have a TVL of at least 500,000 FTM multiplied by 20 in dollar terms. So at the time of writing this, the minimum TVL required would be around 14,000,000$.
Then once you have achieved the TVL, you move on to get it listed on Defillama where it is being tracked.
And lastly, you submit an application to the FTM foundation.
Once accepted, the project will start receiving the FTM after 2 months; the FTM Foundation will distribute the FTM over a 12-month period.
How can this be exploited you may ask?
Well, this is quite simple: there is no other check-up on progress after you have been accepted into the program.
You might think “well there is no need since if you fall below the minimum TVL you won't get your rewards anyway right?”
Yes, this is correct, but there is one fatal bug…
If you create an OHM fork or similar, where the treasury (yes treasury is part of TVL) is in stablecoins and you have a huge treasury then you don’t run the risk of losing your TVL.
Since the TVL is stable, you don’t have to do anything; like I explained before, there is no check-up.
From then on, the FTM will arrive in the wallet that you applied for the incentives with, and since the FTM Foundation has stated that they believe developers know best where to deploy the incentives, you as a developer can choose to take this money and put it in your own pocket.
Let me make myself a bit clear on one point, I think that developers should have the right to use these incentives as they see fit and pay themselves with the incentives if they so choose, but this is only if they actually put in the work.
Proof from another project on FTM that gets incentives shows that there isn’t any check-up other than making sure they meet the TVL monthly. I would like to state that this project, “Morpheusswap”, is a really good project where the developers work tirelessly to improve and make the FTM ecosystem better! They even distribute their FTM incentives to their users ;)
One way to look at the current system is as a farm: if you have 166,800,000$ (at the time of writing this, the minimum TVL for the top tier in the incentives program) in stablecoins, create a project where you are the only “user”, and get accepted into the incentives program (which is only based on TVL), you could risk-free farm 6,000,000 FTM worth from the FTM Foundation over a period of 12 months if the FTM price stays the same.
And yes of course the price of FTM won’t stay the same as it is now for a whole year, but if FTM goes to 5$ you would still only need 50M$ in TVL to qualify for the lowest tier which is 500,000 FTM which would be 2,500,000$ in incentives.
It is currently being done:
So I recently checked up on a project that I was invested in on FTM from back in November 2021 and found that the project had been “dead” for quite some time. This project, called Spartacus Finance, is an OHM fork with a treasury value of 59,180,000$, of which 47,940,000$ is in $DAI. This means that this project qualifies for, yeah you guessed it, the incentives program.
They are a part of the Incentives program and the developer (from here on will be referred to as “spartacus”) gets the FTM sent to him from the Fantom Foundation.
At the beginning of the project, at the peak of OHM forks, everything was going great, with regular updates from Spartacus, who stated that “the project had 4 developers him being one of them and the other 3 didn’t have Discord”. Even if the 3 other developers weren’t real, work was still being done, so people looked past this. The same goes for the multi-sig wallet, which to this day still does not have even one doxxed person on it or anyone known by the community.
Fast forward a few months and here we are.
The issue is that Spartacus isn’t around anymore, and the moderators who speak up about it eventually got banned from the server, along with anyone else that tried to ask “the wrong” questions or “fudding”.
It was confirmed by one of the Discord moderators, who later was either banned or left the Discord, that this wallet (0x4080) is Spartacus’s wallet. The 0x4080 wallet gets 75,000 FTM sent to it, then the 75,000 FTM is sent to the wallet (0x2e6d), and later on to what I believe to be Spartacus’s main wallet, (0x202b). Remember this wallet.
I followed the money and could confirm that it was sent from the FTM Foundation to the “multi-sig” wallet, then bounced around before ending up in Spartacus’s wallet, and was then sent to Binance.
So this developer gets 75,000 FTM a month for doing nothing, and he won’t do anything because that risks the TVL and therefore risks his monthly payment of 75,000 FTM.
Right about now you might be asking, “why the hell don’t you vote this guy out and find a replacement? It is an OHM fork after all so it has governance in the form of a DAO right?”
Ahh yes, the icing on the cake! I asked this exact question, and the response I got is “you can’t”.
After a little back and forth I understood what was happening: sure, you could make suggestions on what you think should be voted on, but at the end of the line was Spartacus. He is the only one who can make a proposal on Snapshot; it does not matter how many tokens you hold!
Ah yes, the very essence of a Decentralized Autonomous Organisation right here!
Other than the moderator confirming that there aren’t any developments being made, we can look at the audit that Spartacus Finance started on 2021-11-21 with Certik, which has hit a dead end after coming to the Project Reviewing part on 2021-12-24.
So the project is not being worked on and the developer is still receiving the FTM from the FTM Foundation…
The Rug that wasn’t discovered for 105 days…:
Now let's take a look at the other project that Spartacus has had a hand in. With the help of the wallet we now confirmed was Spartacus, we could take a look at what money has flowed through it and from where.
I started looking at the USDC transactions as they were the predominant ones, and I could quickly trace the money back to another project that is partnered with Spartacus Finance; it’s called Spartacadabra. Spartacadabra is an Abracadabra fork, with the main goal being that you could borrow against the Spartacus Finance token (aka $Spa) and 9,9 (you borrow using your $Spa to get stablecoins, then buy more $Spa which you stake, and then do it all over again, so you are leveraging your position).
This project used an LBE (Liquidity Bootstrap Event), which is a way for a project to raise starting capital by selling its own tokens for stablecoins.
Spartacadabra did quite well and completed the event with 6.2 million dollars. Here is their Announcement.
Notice the last paragraph, “The rest of the proceeds will be reserved for the development fund for product development, operations and marketing.”
This money was something that everyone expected would just sit in a wallet somewhere until it would be used for some marketing or product development thing. Well, I found out by following the money that 3,000,000$ of the Spartacadabra LBE has been sent to Spartacus wallet, routing through different wallets and finally ending up on Binance.
#2 In this transaction you can see 600,000$ being sent from the address 0x1ee2 to 0xf7b55.
#3 Here you can see these 600,000$ being sent through Anyswap to BNB chain and Matic (Debank makes it easier to follow here). As you can see, the money is sent to the address that we have confirmed is Spartacus’s address (0x202b7).
#4 Here is an address (0x07a5) that received 1,800,000$ in total from the address 0x1ee2 and then sends it through Anyswap and later to Spartacus’s address (0x202b7). You will have to scroll down a bit before you see the Anyswap moves being made.
#5 Here is another address (0x8937) that receives 600,000$ from the address 0x1ee2, which is sent through Anyswap and later to Spartacus’s address (0x202b7). Once again using Debank here to make it easier to follow with all the Anyswap moves.
#7 Here is the USDC on Matic being sent from Spartacus to, I’m assuming, an unmarked exchange wallet.
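The hop-by-hop tracing in #2 to #5, written out as an added example (not the author's tooling). The ledger is constructed from the truncated address labels and dollar amounts stated in the post, with each Anyswap route collapsed into a single hop; the row ordering and the `0xunrelated` row are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed ledger: labels are the truncated addresses as written in the post,
# amounts are the USD figures it states. Rows are assumed to be in time order.
TRANSFERS = [
    ("0x1ee2", "0xf7b55", 600_000),
    ("0x1ee2", "0x07a5", 1_800_000),
    ("0x1ee2", "0x8937", 600_000),
    ("0xf7b55", "0x202b7", 600_000),     # bridged via Anyswap (collapsed hop)
    ("0x07a5", "0x202b7", 1_800_000),    # bridged via Anyswap (collapsed hop)
    ("0x8937", "0x202b7", 600_000),      # bridged via Anyswap (collapsed hop)
    ("0xunrelated", "0x202b7", 50_000),  # placeholder row: funds from elsewhere
]


def trace(transfers, source, sink):
    """Follow funds that originate at `source` through time-ordered transfers.

    An intermediary can only forward as much traced money as it currently
    holds, so deposits from unrelated senders are never attributed to the
    source, and a transfer made before the traced funds arrive counts as 0.
    Returns (total traced into sink, {intermediary: amount relayed to sink}).
    """
    traced = defaultdict(int)   # traced balance currently held per address
    relayed = defaultdict(int)  # traced amount each address passed to the sink
    total = 0
    for src, dst, amount in transfers:
        if src == source:
            moved = amount                      # everything leaving the source is traced
        else:
            moved = min(traced[src], amount)    # forward only what was traced in
            traced[src] -= moved
        traced[dst] += moved
        if dst == sink and moved:
            relayed[src] += moved
            total += moved
    return total, dict(relayed)


if __name__ == "__main__":
    total, relayed = trace(TRANSFERS, "0x1ee2", "0x202b7")
    print(f"traced into 0x202b7: {total:,}$")
    for addr, amount in relayed.items():
        print(f"  via {addr}: {amount:,}$")
```
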
No proof or announcement that these funds have been used for anything other than to fill Spartacus’s pockets has been shared with the community yet.
So yeah, this is a rug according to me… A rug that wasn’t discovered for 105 days…
The incentives program should be to further the FTM ecosystem and not to be used as a way to get paid for not contributing anything.
The thought behind the “minimum TVL system” is great but still needs to be paired up with some sort of check-up, like a report to be handed in on what you have worked on over the last month.
I don’t know if I’m qualified for any bounty, since this is not an issue of code bugs but more of a bug in the way the incentives program is drawn up. And I didn’t do all this research for the money; as I stated before, I only want the FTM chain to become better because I love the chain.
But if anyone would want to donate then it would be greatly appreciated as I was hit quite hard by everything that has happened on FTM recently. Thanks for reading! :)
Metamask wallet address: 0xCf67A48EbE9Bd0b9b0068165b3ee1A0BF5D2d59c
Ps. English isn’t my primary language, so sorry if there are any typos, etc.
Excellent post. This dev needs jail; scammers like him are what give crypto a bad name. Guy just sat there and fucked the community; he needs to redistribute funds to holders.