$FACT: A Token Sale Gone Wrong
*Disclaimer: This article has been updated as of 3:30 PM EST to include Wing Rider’s public and private responses to the reporting after its publication. Wing Riders did not respond to requests for comment prior to its publication, but answered minutes after it was made available to the public. The Cardano Times attempted to contact their team via email days ago, via direct message on Twitter yesterday, and made our ongoing investigation public to allow them to respond. To be clear, their response corrborates every single aspect of the report they addressed; however, they failed to address the concern that Vacuum Labs (their parent company) conducted the audit for the Launchpad before its release.*
In a recent cryptocurrency token launch on the Cardano blockchain for Orcfax’s FACT token, a series of controversies, exploits, and technical challenges have left the community with far more questions than answers. The event, conducted by decentralized exchange Wing Riders (WR) on their launchpad, has raised concerns about the transparency, fairness, and the integrity of the launchpad and the token sale process.
Technical Challenges and Frustrated Participants
The FACT token launch, scheduled for September 8, 2023, was eagerly anticipated by the Cardano community. However, shortly before the scheduled launch time, technical issues and user exploits began to immediately plague the event. Many participants reported difficulties connecting their wallets to the launchpad’s web interface, causing frustration and anxiety among users.
Wing Rider’s initial explanation for the technical challenges cited server overload and a potential attack as the root causes. Currently, there is no evidence to suggest a malicious on the Wing Riders launchpad occurred in any manner whatsoever; but there is substantial evidence to corroborate the reports circulating that there were a plethora of technical issues that caused the disastrous token sale launch. In their initial report, they mentioned that server capacity was increased multiple times shortly before the launch, eventually allowing most participants to connect their wallets. However, this delay in access may have provided an unintended advantage to users with advanced technical skills who could navigate the congestion.
“Per our initial analysis, either more participants were trying to connect at once that the infrastructure scaling setup was set to handle, or a form of attack contributed. This caused a short-time overload of the UI. So far what is known is that the server infrastructure upscaling was set with tight limits to prevent infrastructure attacks, but this also could have resulted in many participants being unable to enter the launchpad page and connect their wallets.” — The Official Wing Riders Team’s Statement
However, Orcfax’s initial public statement differs quite significantly in underscoring the reasoning for the disastrous token sale; blaming Wing Rider’s lack of preparation for the user activity and their lack of a proper response in increasing server resources during the launch. Van Garderen’s statements breaking down what went wrong seem to directly contradict the claims made by the Wing Riders team:
“In short, the Wingriders Launchpad webserver was not ready for the amount of traffic it had to handle at the launch. Perhaps a project with only 4600 Twitter followers and 2000 Discord users did not deserve a beefed up web server front-end. Either way, by the time the Wingriders team increased server resources we were already 30 minutes into the launchpad with the maximum raise achieved during that time.” — Orcfax Oracle CEO Peter Van Garderen
In an additional statement released by Van Garderen on September 9th, he walked back on some of the statements he made regarding Wing Rider’s lack of preparation and a proper response to the technical issues; stating that the launchpad simply “had congestion problems (not unlike an entire city logging on to buy a popular concert ticket).” However, Van Garderen did not explicitly dispute his initial statements; he merely stated that through on-chain data analysis conducted by Wing Riders, their teams allegedly found no evidence of “predominant bot or whale activity.”
“Since my initial response yesterday I have had a chance to meet and debrief with the Orcfax and Wingrider’s team. Wingrider’s data analysis reveals that, while the Launchpad UI had congestion problems (not unlike an entire city logging on to buy a popular concert ticket), all transactions were processed deterministically as designed and there is no evidence of predominant bot or whale activity. A more detailed investigation by Xerberus.io will use on-chain data to assess this analysis. In the meanwhile we want to thank all interested parties for their support and this clear signal (while a crowded one) that there is interest and belief in what Orcfax is about to deploy and implement.” — Orcfax Oracle CEO Peter Van Garderen
The experience overall left many users reportedly frustrated and disappointed at the process, with both Wing Riders and Orcfax Oracles publicly apologizing for the disastrous launch process. Wing Riders expressed their “sincere apologies for the less-than-ideal user experience,” and Orcfax’s CEO apologized “for the frustration and anxiety this caused to users that wanted to participate in the launchpad” and took full responsibility for making the decision to use Wing Riders for their launch.
Below is the official apology from the Wing Riders team:
“We want to take a moment to express our sincere apologies for the less-than-ideal user experience many of you encountered during the recent Orcfax Fact Token Launch. We understand that the launch experience fell short of your expectations, and we take full responsibility for any inconvenience, frustration, or disappointment this may have caused. We deeply value your support and commitment to our project, and we are truly sorry for any negative experiences you may have had.” — The Official Wing Riders Team’s Statement
Below is the official apology from Orcfax’s CEO Peter Van Garderen:
“Unfortunately the launchpad web interface began glitching for most users right at launch time and it was impossible for most of our community to even connect their wallets. As Orcfax CEO, I would like to formally apologize for the frustration and anxiety this caused to users that wanted to participate in the launchpad. I would also like to make it clear that all of the business decisions around using the Wingriders Launchpad platform for our FACT token launch were discussed as a team within Orcfax and always with my final approval.”
— Orcfax Oracle CEO Peter Van Garderen
Controversy Surrounding Time Manipulation Exploit
Another particularly contentious issue that was largely ignored in both statements was the confirmed reports that some users manipulated the clocks on their local devices to build transactions before the official launch time. Wing Riders had initially claimed that wallets could not submit transactions with validity start times in the future. However, according to testimony from multiple sources; this claim was disputed, suggesting that wallets could indeed submit such transactions and Wing Rider’s denial of such activity was misleading.
Participants reportedly exploited this token sale by setting their local device clocks forward to build transactions before the public launch, and then submitting them as soon as the correct time was reached. This strategy allowed them to purchase tokens before the official launch time, potentially giving them an unfair advantage.
In response to our reporting, Wing Riders both claimed users that utilized this exploit were not given a head start and admitted that those users would have gotten a head start of “<10 seconds.” It is unclear why they made the claim participants would not have gained a time advantage over users, yet admitted our reporting was correct.
In terms of local machine timestamp manipulation issue: First and foremost, it is not an exploit. This incorrectly used term is being mentioned by community members who believe that by changing the local device time and seeing the UI change, they presume that a participant got into the launch or is ahead of others. The only thing such a participant is ahead in, is a head start in <10 seconds of using the validity slider and typing in the contribution number, accepting T&Cs, and prepping their wallet. So building the transaction in the UI, but anyway not being able to successfully submit it before the start time. — Wing Riders’ Respone To Our Reporting
As shown above, they both claim the presumption “that a participant got into the launch or is ahead of others” by utilizing the exploit is false; yet immediately after admit they would have at least been able to get a head start of around 10 seconds. It’s unclear what they meant by this oxymoron. The team also admitted the exploit allowed participants to build and sign the transaction prior to the launch, allowing them to simply wait to “succesffully submit it before the start time.” It is unclear why they called our reporting “FUD” given they admitted it was true.
Their response was also misleading, claiming the “local machine timestamp manipulation issue” is not an exploit. However, by definition; an exploit, in the context of computer security and technology, refers to the act of taking advantage of vulnerabilities, weaknesses, or flaws in a system, software, or hardware to gain unauthorized access, manipulate, or disrupt its normal operation.
Users who utilized the “local machine timestamp manipulation issue” were able to take advantage of a flaw in Wing Rider’s launchpad that they refused to address prior to the launch. This gained them unauthorized access to build their transactions much earlier. Users who exploited this flaw in the launchpad were also given an extreme advantage over those who waited to sign their transactions at 8:00, given Wing Riders had actually designed the smart contract to begin accepting transactions at 7:59 UTC. Those who had created a transaction before the public launch were able to immediately sign the transaction at 7:59 UTC, allowing them to essentially be first in line. Users were able to either use this exploit or (if they had “advanced knowledge”) simply interact directly with the smart contract at 7:59 UTC.
Wing Riders disputed our reporting by showcasing a video of the exploit in action, attempting to submit the transaction before the test token’s official launch as a way to disprove the exploit’s existence. See it below:
This video is extremely misleading, because The Cardano Times never stated users were able to submit their transactions prior to the launch, rather they were able to build and sign transactions before the launch as their video clearly shows. This was a feature of the launchpad they were made aware of and failed to disclose it to the general public, allowing those who discovered it to gain an advantage over everybody else.
By definition, although Wing Riders clearly argues otherwise; this vulnerability in the launchpad was an exploit that people utilized to gain an advantage over other users, which Wing Riders admitted was at least “<10” seconds. Furthermore, given the fact that Wing Riders allowed transactions to be submitted at 7:59 PM UTC; those who were utilizing the exploit and awaiting the public launch to finally submit their transactions had at most an additional minute over other users waiting for 8:00 PM UTC. However, they stated this was a different issue and failed to address how it would provide the exploiters an even greater advantage over others. They also admitted these users would typically have had the same advantage as those who simply interacted with the smart contract directly, but refused to showcase how many users in the sale utilized both of these flaws.
We addressed the concerns raised about a potential advantage gained by users with advanced technical skills during the initial period of congestion in our launchpad. We wish to clarify that, as of now, there is no substantiated evidence to suggest a SIGNIFICANT involvement or undue advantage taken by users with advanced technical skills. — Wing Riders’ Respone To Our Reporting
As shown above, their team admits users did gain an advantage; but highlight it was not a majority of users, misleading the public immensely in an attempt to classify our report as “FUD.” Their team admits to virtually every single point outlined in our report except for their auditing by their parent company, which they have refused to address. Furthermore, we have verifiable proof this exploit was utilized and allowed people to gain an advantage over everybody else participating.
Brave Dogs, a Cardano-based NFT project; admitted to utilizing this exploit to purchase $FACT with a portion of their mint funds, with one of their team members displaying sincere shock that Wing Riders essentially allowed this to occur.
Furthermore, Woulvi confirmed that Wing Riders was made aware of this exploit at least two days prior to the token sale; but visibly took no action against preventing this exact situation from occurring. He also stated his team was made aware of this exploit just thirty minutes before the mint.
Additionally, BisonCoin; a prominent member in the Cardano community, also confirmed users were able to utilize this exploit for the $FACT token launch in response to a shocked community member who could not understand how a transaction of over 200,000 $ADA was submitted before the official public launch time.
Moreover, Wing Riders and Orcfax Oracle have both been misleading in their claims that no “predominant bot or whale activity” occured whatsoever given they refuse to acknowledge the exploit that was made available to those with advanced technical knowledge on token mints.
In fact, Wing Riders outright denied the reports that the launchpad was exploited to allow users to build transactions far before the official launch by setting the time back on their devices; notably in a misleading manner.
Due to the inherent technical constraints of wallets, which are unable to sign transactions with validity start time in the future or even within the short timeframe in the past (wallets require to have the most recent block from the blockchain to be after transaction validity start), the Smart Contracts were configured to accept the transactions initiated after 7:59:00 UTC (1 minute before the actual launch start time displayed in the UI), to ensure a smooth participant experience. This approach was necessary, as otherwise transactions created in the UI during the first minute of Launch would very likely be declined, causing poor UX. We opted for this strategy to favor the participant experience, allowing for the validation of all transactions initiated from 7:59 UTC onwards, including those signed at the 8:00 UTC mark. — The Official Wing Riders Team’s Statement
According to an anonymous source familiar with the technology utilized in the Wing Riders launchpad, this statement is extremely misleading. It is a fact that wallets are not able to submit transactions until the official launch time, but they are also able to build and sign transactions by setting their time forward on their local devices and simply have to wait to submit the transaction when the launch occurs. Furthermore, users were able to submit transactions before 8:00 UTC due to the fact the launch technically began at 7:59 UTC (as admitted by Wing Riders above).
Overall, the Wing Riders team is confirmed to have known about this exploit days before the token sale occurred but either refused or failed to provide a solution to prevent the very situation many users found themselves in. It is unclear if Orcfax’s team were unaware of this exploit, but during our conversation with their team; they were relatively unaware of what truly occurred beyond what Wing Riders has reported, stating that they “don’t have more information than is published by WR.”
From what The Cardano Times has gathered, the Orcfax team was truly shocked by what transpired and were unaware such an event could occur. This is also largely due to the fact that the Wing Riders Launchpad had never been utilized by a project before them at such a scale, so it would have been rather difficult to anticipate such a situation to occur.
However, the exploit has been confirmed to be utilized by several individuals; which undoubtedly gave them an advantage over users who tried to participate in the manner they were supposed to. Wing Riders knew about it beforehand and neglected to respond properly to it.
*Wing Riders did not respond to requests for comment on the situation until after our report was published. They responded minutes after.*
Security Concerns and Audit Revelations
Additionally, one of the central issues that has come to light surrounding the $FACT token sale is the lack of transparency regarding the audit conducted on the launchpad before it went live. This was notably one of the key selling points in their article discussing the features of the Wing Riders Launchpad, reassuring users it was secure and properly audited.
Audits typically play a pivotal role in assuring the cryptocurrency community of the integrity and security of blockchain projects. They provide a critical layer of transparency and validation, offering users and investors the confidence that a project’s smart contracts and platforms have undergone rigorous testing and scrutiny by independent experts. A transparent and unbiased audit process is essential in upholding trust within the cryptocurrency space.
Initially, Wing Riders had assured participants that they had conducted a proper audit of the launchpad to ensure its security and reliability. However, what emerged later was a revelation that raised significant questions about the nature of this audit given they had not disclosed its findings to the general public.
The key concern was that Wing Riders did not disclose that the audit was conducted by Vacuum Labs, (which is essentially) their parent company. The CEO of Wing Riders is actually an employee of Vacuum Labs (as we discovered in a report we did earlier on Wing Riders engaging in malicious activities, they have since removed the Team names on the Vacuum Labs website after our report’s publishing). More importantly, per a number of anonymous sources who requested their identities and occupations not be disclosed; approximately 50% of Wing Riders employees are either current or former Vacuum Labs employees.
This was discovered by a Cardano investigative journalist going under the pseudonym Dubbleu_43, Ilkka, and several anonymous sources who came forward to The Cardano Times to corroborate the reporting.
This omission sparked concerns about potential conflicts of interest and the impartiality of the audit process. Audits are typically expected to be conducted by independent third-party entities to provide an objective assessment of a platform’s security and functionality to reassure users the application is secure, efficient, and working properly.
The lack of transparency regarding Vacuum Labs’ identity as the auditing entity and its close connection to Wing Riders has created doubts about the credibility of the audit findings. Participants and investors in the token sale may have reasonably expected an independent assessment of the launchpad’s security and functionality, especially given the audit was marketed to them in exactly that manner. Even if the $FACT launch had run successfully without issue, there are still extreme concerns being raised by the community regarding Wing Rider’s apparent deception in misleading the community with an extremely biased audit that ultimately served as nothing more than a marketing tool rather than a legitimate review.
After this report’s initial publishing, Wing Riders issued a response to it; failing to address any of the concerns raised around their audit. The Cardano Times has requested they release the report and finally confirm their parent company is responsible for conducting the biased audit.
*Wing Riders did not respond to or address requests for comment on the auditing of the launchpad by their parent company after our report’s publication. We ask they release the audit report by their parent company on the launchpad.*
Breaking Down The Statistics Of The $FACT Launch
In the wake of the Orcfax FACT token launch, orchestrated by Wing Riders (WR) on Sep 8, 08:00 UTC, an extensive examination of the event’s data has revealed insight into the participant dynamics. However, it’s vital to note that these statistics originate from the Wing Riders team alone and await the crucial seal of validation from an independent source (Xerberus has announced they will be conducting an investigation in the next week).
Delving into the data reveals the following:
While a total of 604 participants contributed a substantial 10 million ADA, 142 managed to secure allocations, with 141 receiving full allocations, and one participant obtaining a partial share. 14 wallets that withdrew contributions, constituted less than 10% of successful participants or under 2% of all participants.
A closer look at the launch’s timeline unveils intriguing patterns. During the initial 15 minutes when the launchpad’s UI faced glitches, a mere 31 participants managed to contribute approximately 33% of the total token allocation. Of these, just six wallets committed over 100,000 ADA each, primarily through the UI. The Wing Riders team did not disclose which of these wallets that got in early interacted with the smart contract directly or utilized the exploit they had been made aware of days ago. It is also important to note they initially gave a contradictory statistic stating approximately “26+” wallets participated in the first 15 minutes. It is unclear why they chose to provide this misleading statistic.
Although the team stated they found no “whale” activity, they did admit in this report that whale activity occurred; stating “whales did not dominate, nor did they grab too much too early of the allocation,” with 6 individuals who got in early purchasing well over 100,000 ADA worth of $FACT each.
Furthermore, three of the top 5 contributors to the token launch submitted their transactions within the initial 15-minute window. These wallets contributed as follows: 300k ADA at the time 8:01, 299k ADA at the time 8:06, and 282k ADA at the time 8:04. The top five contributors collectively accounted for 1,632,000 ADA. Generally, these wallets with over 250,000 ADA purchases each would be considered a whale; it is unclear why the Wing Riders team has stated otherwise.
Following an infrastructure upscaling by Wing Riders to handle the user activity, a curious lull prevailed between 8:15 and 8:20 UTC, with no contributions recorded, either via the UI or direct to smart contracts. However, when the infrastructure upgrade took hold, participants who had previously grappled with UI issues swiftly entered their contributions.
You can view the overall spread of wallet commits in the table below:
Wing Riders also stated “it can be concluded with a very high probability that a very low number of advanced users (directly sending commitments to SCs) participated in the launchpad, if any. It was dominated by participants accessing through the UI.” While this is factually correct, it fails to address the concern that 33% of the token allocation went to just 31 wallets who were able to either navigate the chaos in the first 15 minutes, utilize the exploit, or interact with the smart contract directly.
Furthermore, as they concluded the report; they hypothesized given the data that the $FACT launch would have sold out about “15–20” minutes earlier if they had not experienced any UI issues. However, they did state it would have play out relatively the same way in terms of overall spread of wallet commits.
This may be possible, but it fails to address the concern that they ignored the exploit that would have allowed those with advanced technical knowledge to get in early on the sale. Wing Riders admitted in the initial report that users with “advanced technical knowledge” may have been capable of gaining an “advantage” over other people during the sale by either utilizing the exploit the team had been made aware of before the launch or by simply interacting with the smart contract directly.
The team displayed statistics that seem to properly represent the experience of users and testimonies from users who utilized the exploit, but purposefully framed the data in a way that consistently failed to acknowledge the true concerns the community has.
*Wing Riders did not respond to requests for comment on the situation, failing to admit that dominant whale activity did occur despite clear evidence to the contrary per their own on-chain analysis of the debacle.*
What’s Next
Currently, the community awaits with bated breath the impending on-chain analysis by Xerberus to validate these statistics provided by Wing Riders independently. Wing Riders has recognized the frustrations (ableit minimally) endured by participants and pledged support to Orcfax, Xerberus, and its community in addressing the launch’s challenges. In an updated response after our reporting, Wing Riders has stated that this disaster could have been mitigated had Orcfax made the decision to use an NFT-tier system to allow higher participants. They claimed that Orcfax perhaps chose not to out of the laziness of their team, the legal implications for their company, and potential committments to their community. Here’s what they had to say:
No anticipated public sale in crypto will ever meet all demands. Unfortunately, there are always some people left out. Although a project could achieve a higher number of successful participants, their decision not to use tiers controlled by NFTs that allow an enforceable max cap per wallet did make this harder to achieve. Reasons for not going for the NFT tiers could be the additional workload, time constraints, legal considerations, and possible commitment to not setting any hurdles of any kind to their project community. — Wing Riders’ Respone To Our Reporting
It’s unclear why have now addressed the claim that Orcfax is primarily responsible for this disastrous token sale after our reporting given the failed to mention this whatsoever in their public reports.
Independent verification will undoubtedly shed further light on this shocking event, but is clear that Wing Riders failed to address the exploit properly beforehand and provide proper resources for the launch given the high user activity. Whales committed over one million ADA worth of $FACT, majority of them during the initial release; and an unaddressed exploit allowed an unknown number of wallets to gain an advantage over good-faith actors during the launch.
Although Orcfax made the unfortunate decision to utilize the launchpad during its very own release, there is no evidence to suggest the team advocated for or knew about what was to come during the launch. They did have concerns raised by the community about potential outcomes, but there was no concrete documented concerns raised to the team about the ability to interact with the smart contract directly or the exploit.
The Cardano Times will update you on the story should we learn more after Xerberus’ analysis is released to the general public. For now, this is what happened to Orcfax’s $FACT token launch.
*Disclaimer: Wing Riders did not respond to requests for comment on the situation until after our reporting was published. Orcfax was unable to provide additional information beyond Wing Rider’s report, consistently referring to both team’s public statements. The team also acknowledged the “rumors” of an exploit utilized during the $FACT launch, but stated their team heard it occurred in Discord which they claim to not monitor during this process.*
Credits
There were a number of contributors to The Cardano Time’s investigation on this situation, most of whom requested their identities not be exposed or to be credited for their work. However, the most notable contributor of them all was Dubbleu_43; who provided immense support in conducting this investigation. We appreciate all their work and aid in our investigation, and their efforts truly deserve praise. Thank you all.