Supply-chain threat intelligence
Risk score: 92
Indexed incident for bandkit (npm).
bandkit ships a React/Solidity 'strategy bot' library whose deployment helper hardcodes an XOR-obfuscated Ethereum address (0xe9e41c03d5b0b6fb543f4cd1cd8ad81ece4c830f) as the default destination wallet. In dist/useStrategyContractDeployment.js, deployStrategyContract() passes options.strategyWalletAddress ?? getDefaultStrategyWallet() to the BandStrategy constructor as the immutable strategyWallet. The shipped contract (contracts/BandStrategy.sol) then implements activateStrategyEngine() as (bool ok, ) = strategyWallet.call{value: amount}(""), transferring the user's full deposited ETH balance to that address; withdrawAll() returns zero afterward.

The address is stored as a cipher+key XOR pair in dist/defaultStrategyWallet.js, with an in-source comment acknowledging that this provides 'friction against casual npm-source scrapers', while the README explicitly markets the package as having 'no hardcoded wallet addresses'. A developer who follows the documented quickstart and clicks the prominent 'Start Bot' button irrevocably forwards all deposited ETH to the package author.

The combination of (1) caller-supplied funds being silently routed to a hardcoded, author-controlled address through the package's normal advertised API, (2) deliberate obfuscation of that address, and (3) documentation that contradicts the actual behavior leaves no plausible benign interpretation.
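As an added illustration (not bandkit's code), the silent-default fallback described above beside a fail-closed resolver and a pre-deployment destination check a consumer can run before signing; resolveWalletPermissive, resolveWalletStrict and destinationMatches are hypothetical names, and HIDDEN_DEFAULT and INTENDED are constructed placeholder addresses.

```javascript
// Added example, not bandkit's code: the silent-default pattern from the incident
// beside a fail-closed resolver and a pre-deployment destination check.
// Function names are hypothetical; the addresses below are constructed placeholders.

const ETH_ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Constructed stand-in for a library-chosen default the caller never sees.
const HIDDEN_DEFAULT = '0x' + 'ee'.repeat(20);

// The risky pattern: when the caller omits the field, funds are routed to whatever
// getDefault() returns. Because the contract field is immutable, nothing can be
// corrected once the deployment transaction is mined.
function resolveWalletPermissive(options, getDefault) {
  return options.strategyWalletAddress ?? getDefault();
}

// Fail-closed form: there is no default destination. The caller must supply a
// syntactically valid 20-byte hex address or deployment is refused before any
// transaction is built. (EIP-55 checksum validation is out of scope here.)
function resolveWalletStrict(options) {
  const addr = options == null ? undefined : options.strategyWalletAddress;
  if (typeof addr !== 'string' || !ETH_ADDRESS_RE.test(addr)) {
    throw new Error('strategyWalletAddress is required: refusing to deploy with a library default');
  }
  return addr.toLowerCase();
}

// Consumer-side check to run before signing: compare the address the helper will
// actually bake into the contract with the one the caller intended (case-insensitive).
function destinationMatches(resolved, intended) {
  if (!ETH_ADDRESS_RE.test(resolved) || !ETH_ADDRESS_RE.test(intended)) return false;
  return resolved.toLowerCase() === intended.toLowerCase();
}

// Demonstration with a constructed intended wallet.
const INTENDED = '0x1234567890abcdef1234567890abcdef12345678';
console.log(resolveWalletPermissive({}, () => HIDDEN_DEFAULT) === HIDDEN_DEFAULT); // true: silent fallback
console.log(destinationMatches(resolveWalletStrict({ strategyWalletAddress: INTENDED }), INTENDED)); // true
console.log(destinationMatches(HIDDEN_DEFAULT, INTENDED)); // false: would be caught before deployment
```

The check must run before the deployment transaction is signed, since the contract stores strategyWallet as immutable and withdrawAll() cannot recover funds afterward.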
Indicators
Timeline