Recently Oyster Pearl exit scammed using a breach in the smart contract which led to creating 3M tokens from thin air, and the CEO exit scammed by selling them on Kucoin. However, the Substratum smart contract also has the capability to [mint tokens out of thin air](https://etherscan.io/address/0x12480e24eb5bec1a9d4369cab6a80cad3c0a377a#code).
That is not the only thing.
In this video they supposedly did a token burn, but their definition of a token burn is to just send tokens to another wallet for which they own the private key. Their smart contract was a copy-paste from SkinCoin, which did not have a burn function.
When these two topics were brought up, the response was:
a) This is not a security issue since only the dev team has access to it. (That's absolutely the problem, isn't it? You shouldn't even have access to it. This is like saying only Bruno from Pearl can do it anyway!)
b) The blockchain is public anyway, so you can monitor any transactions. (WTF?)
There is absolutely nothing stopping them from minting tokens and selling the "burned" tokens in an exit scam. Their contract can be abused in a similar fashion to PRL. In fact, the Substratum contract function is even more desirable to abuse, since it doesn't require the culprit to send any ETH to collect the freshly minted SUB.
Proceed with caution.
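
For anyone who wants to act on response (b) and actually monitor the token, here is an added example (not part of the original post and not the project's code) that replays ERC-20 `Transfer` events to separate real burns from tokens merely parked in a wallet and to flag mints. It assumes the contract follows the ERC-20 recommendation of emitting `Transfer` from the zero address when tokens are created; the sample events and addresses are constructed, and `audit_supply` is a hypothetical helper name.

```python
ZERO = "0x" + "00" * 20  # zero address: nobody holds a key for it

# Constructed sample events (not real chain data); addresses are made up.
TEAM, BURN_WALLET, BUYER = ("0x" + b * 20 for b in ("a1", "b2", "c3"))
SAMPLE_TRANSFERS = [
    {"from": ZERO, "to": TEAM, "value": 1_000_000},        # initial issuance
    {"from": TEAM, "to": BURN_WALLET, "value": 200_000},   # announced "burn"
    {"from": TEAM, "to": ZERO, "value": 50_000},           # tokens really destroyed
    {"from": ZERO, "to": BUYER, "value": 300_000},         # later owner mint
]

def audit_supply(transfers, claimed_burn_wallets=()):
    """Replay Transfer events in order and report what the supply really did."""
    balances, minted, burned, mint_events = {}, 0, 0, []
    for index, event in enumerate(transfers):
        src, dst, value = event["from"].lower(), event["to"].lower(), event["value"]
        if src == ZERO:
            # Tokens created from nothing: record where it happened.
            minted += value
            mint_events.append(index)
        else:
            if balances.get(src, 0) < value:
                raise ValueError(f"event {index}: {src} spends more than it holds")
            balances[src] -= value
        if dst == ZERO:
            burned += value  # unspendable from here on
        else:
            balances[dst] = balances.get(dst, 0) + value
    # A "burn" wallet with a private key still holds a spendable balance.
    parked = {w.lower(): balances.get(w.lower(), 0) for w in claimed_burn_wallets}
    return {
        "minted": minted,
        "burned": burned,
        "circulating_supply": minted - burned,
        "mint_events": mint_events,
        "still_spendable": parked,
    }

if __name__ == "__main__":
    print(audit_supply(SAMPLE_TRANSFERS, claimed_burn_wallets=[BURN_WALLET]))
```

A contract that does not emit the zero-address `Transfer` on mint has to be checked by comparing `totalSupply()` over time instead.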