Alttown
High Risk
Alt.town is a platform that helps discover and grow the value of virtual celebrities, like VTubers and virtual idols.
2 Issues Detected
1
Backdoor Functions
0x617c1da1cd975a74e94f20dbcfb8cf71277b5ea0:Withdraw.withdraw(address,uint256,uint256) {Withdraw.sol#19-25} has backdoor transfer function that is able to drain all funds in the contract:
- (success) = address(withdrawAddress).call{value: amount}() {Withdraw.sol#22}
Modifiers: onlyOwner
However, the following expressions might block the token from being drained:
- require(bool,string)(nonce == nonces[withdrawAddress],Invalid nonce) prevents token unknown (ref: nonces[withdrawAddress]) [balance: N/A] to be drained.
However, since the contract is not stake-able, the risk is lowered.
0x3790358c55be18e3ecec72ec1f37dfa2dee93a94:Swapper.swap(address,address,address,address,address,uint256,uint256,uint256,uint256,uint256,uint256) {Swapper.sol#14-22} has backdoor transfer function that is able to drain all funds in the contract:
- require(bool,string)(tokenKey.transfer(systemWalletAddress,systemFee),systemFee Error) {Swapper.sol#20}
- require(bool,string)(tokenKey.transfer(altWalletAddress,altFee),altFee Error) {Swapper.sol#21}
Modifiers: onlyOwner
Swapper.preSale(address,address,address,address,address,uint256,uint256,uint256,uint256) {Swapper.sol#24-30} has backdoor transfer function that is able to drain all funds in the contract:
- require(bool,string)(tokenKey.transfer(altWalletAddress,altAmount),altAmount Error) {Swapper.sol#28}
- require(bool,string)(tokenKey.transfer(systemWalletAddress,systemAmount),systemAmount Error) {Swapper.sol#29}
Modifiers: onlyOwner
However, the following expressions might block the token from being drained:
- require(bool,string)(keyAmount == systemAmount + altAmount,keyAmount != systemAmount + altAmount) prevents token unknown (ref: systemAmount + altAmount) [balance: N/A] to be drained.
However, since the contract is not stake-able, the risk is lowered.
- (success) = address(withdrawAddress).call{value: amount}() {Withdraw.sol#22}
Modifiers: onlyOwner
However, the following expressions might block the token from being drained:
- require(bool,string)(nonce == nonces[withdrawAddress],Invalid nonce) prevents token unknown (ref: nonces[withdrawAddress]) [balance: N/A] to be drained.
However, since the contract is not stake-able, the risk is lowered.
0x3790358c55be18e3ecec72ec1f37dfa2dee93a94:Swapper.swap(address,address,address,address,address,uint256,uint256,uint256,uint256,uint256,uint256) {Swapper.sol#14-22} has backdoor transfer function that is able to drain all funds in the contract:
- require(bool,string)(tokenKey.transfer(systemWalletAddress,systemFee),systemFee Error) {Swapper.sol#20}
- require(bool,string)(tokenKey.transfer(altWalletAddress,altFee),altFee Error) {Swapper.sol#21}
Modifiers: onlyOwner
Swapper.preSale(address,address,address,address,address,uint256,uint256,uint256,uint256) {Swapper.sol#24-30} has backdoor transfer function that is able to drain all funds in the contract:
- require(bool,string)(tokenKey.transfer(altWalletAddress,altAmount),altAmount Error) {Swapper.sol#28}
- require(bool,string)(tokenKey.transfer(systemWalletAddress,systemAmount),systemAmount Error) {Swapper.sol#29}
Modifiers: onlyOwner
However, the following expressions might block the token from being drained:
- require(bool,string)(keyAmount == systemAmount + altAmount,keyAmount != systemAmount + altAmount) prevents token unknown (ref: systemAmount + altAmount) [balance: N/A] to be drained.
However, since the contract is not stake-able, the risk is lowered.
2
Centralization Risks
AltTown Deployer Account Compromised on 2025/09/29. The deployer account for $TOWN was compromised. The team’s token allocation included a revoke function to handle resignations or early departures. However, the attacker forcibly halted vesting and exploited this feature to steal tokens. Approximately 237 million TOWN tokens were taken.
This incident does not involve the Alt.town service itself, but rather connected MetaMask wallets. It appears the attacker gained control of wallet permissions. About 50 BNB and 13 million TOWN tokens were stolen.
This incident does not involve the Alt.town service itself, but rather connected MetaMask wallets. It appears the attacker gained control of wallet permissions. About 50 BNB and 13 million TOWN tokens were stolen.
Summary
High Risk
Audit
DappBay Red Alarm
List Time
Sep, 24, 2025
Chain
BNB Smart Chain,opBNB