DeFi version of Detective Conan: SushiSwap founder Chef Nomi in-depth investigation


Original: Medium, original author: Peter Kacherginsky

Translator: Odaily Planet Daily Moni

In early October, Anchain held its latest blockchain investigation contest. The contest lasted two weeks, during which participants worked in depth with Ethereum blockchain transactions and smart contract data. In addition to the many freely available tools, Anchain gave participants a free license for its CISO blockchain analysis platform, which makes blockchain analysis easier.

In the finals of this competition, BlockThreat.net threat analyst Peter Kacherginsky focused on Sushiswap founder Chef Nomi's exit scam and the return of funds in September 2020, which was a hot topic in the DeFi industry. This incident was also the most difficult challenge of the contest. This article covers some of the analysis tools, techniques, and lessons learned in the contest, and walks through the steps of the investigation into Chef Nomi's exit scam and the related return of funds in September 2020.


Let Planet Daily (WeChat: o-daily) work with you to uncover the truth of this incident:

On September 5, 2020, Chef Nomi, the creator of Sushiswap, cashed out approximately US$14 million in funds from the protocol, but then returned the money on September 11, 2020. We can use Anchain's CISO tool to look up the accounts involved in the related transactions (as shown in the figure below). If you investigate the transaction, you will find that Chef Nomi transferred 38,000 ETH between the two addresses 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd and 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76.


The figure above shows Anchain CISO tracking the transaction related to the transfer of 38,000 ETH by Chef Nomi on September 11, 2020.

On September 11, 2020, Chef Nomi provided the exact transaction hash in an apology tweet (as shown in the figure below), and implied that all the withdrawn ETH had been returned to the Sushiswap treasury account:


Let's start with the address beginning with “0xf942db”: 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd. Etherscan labels this address as SushiSwap: Deployer. Its early transaction history shows that this address deployed the Sushiswap: SUSHI TOKEN contract on August 26, 2020 (as shown in the figure below):


In fact, Chef Nomi is the only person capable of deploying this contract, so we can be sure that the address starting with “0xf942db” has a direct connection with Chef Nomi. The other address, starting with “0xf73b31” (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76), is more interesting, because it is actually a multi-signature wallet deployed on September 3, 2020 by the same address starting with “0xf942db”:


The picture above shows the deployment of a multi-signature contract. Source: Etherscan.

Interesting, isn't it? Chef Nomi transferred 38,000 ETH from a known personal Ethereum account to the multi-signature wallet they originally created. The advantage of a multi-signature contract is that the wallet's owner information can be looked up. We can therefore use Etherscan's convenient contract reading function to query the owners of the wallet:


The figure above shows the output of the multi-signature wallet's getOwners() function. Data source: Etherscan.

As the results in the screenshot above show, Chef Nomi's address beginning with “0xf942db” is not among the owners. However, Chef Nomi had previously made a transaction that changed the wallet ownership from the address beginning with “0xf942db” to 0xd57581d9e42e9032e6f60422fa619b4a4574ba79. Credit goes to Etherscan here, which provides detailed transaction event logs:


The picture above shows the ownership change transaction of the multi-signature wallet. Data source: Etherscan.

So the question is, who owns the address beginning with “0xD57581”? If we search for this address on Twitter, we find that Chef Nomi's Twitter account @Nomichef had an “interesting” exchange with @SBF_Alameda, the CEO of cryptocurrency derivatives exchange FTX Exchange:


Based on the above exchange, we know that FTX CEO @SBF_Alameda agreed to take over the Sushiswap project, and published his Ethereum wallet address on his official Twitter account as proof of ownership. Afterwards, @SBF_Alameda used the address starting with “0xD57581” to deposit 5.57 million SUSHI tokens, which he had just purchased on Uniswap, into the multi-signature contract (address starting with “0xf73b31”):


The picture above, from Anchain CISO, shows @SBF_Alameda depositing 5.56 million SUSHI tokens to the multi-signature address. Soon thereafter, @SBF_Alameda withdrew 38,000 ETH as compensation. The transaction record is as follows:


The address starting with “0xf73b31” clearly plays a very important role in the entire Sushiswap ecosystem, but it is not yet clear why these transactions had to use this address. To answer that question, let's take another look at how the reward system works on Sushiswap.

The Medium article that first announced the launch of the Sushiswap project has since been deleted. From the archived page, we found that Chef Nomi mentioned that Sushiswap has a project sustainability/development fund (as shown in the screenshot of the Medium webpage below):


If we look at the source code of the project, we can find the reward execution logic in MasterChef.sol. The following figure shows the source code on GitHub that pays the SUSHI token reward to the development fund:


The address of the development fund is stored in the variable “devaddr” (developer address), which is set in the smart contract constructor during initialization. The following figure shows the source code on GitHub that initializes the development fund address:


According to the archived Medium articles, the MasterChef contract is deployed at 0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd. Let's take a look on Etherscan. The contract's first transaction shows how it was set up during deployment:


Unfortunately, the input data is difficult to decode, but we can find the constructor initialization data at the end of the input data, as shown in the dark area in the following figure:


Each constructor argument is encoded as a 32-byte (“uint256”-sized) word, so the data can easily be split into individual parameters:


The figure above shows the constructor parameters.

Simply put, these parameters match the source code, so we can read off the value of devaddr (developer address). We find that this address was explicitly set to Chef Nomi's address. The picture below shows the MasterChef.sol constructor variables on GitHub:

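The constructor-argument split described above, as an added example (not the author's or SushiSwap's code). The argument order follows the public MasterChef.sol constructor, which is an assumption here because the page's source screenshot is not reproduced; the input data is constructed, using the two addresses named in the article and made-up numeric values.

```python
"""Added example: decode constructor arguments appended to creation bytecode."""
WORD = 32  # each static ABI argument occupies one 32-byte word

# Argument order as in the public MasterChef.sol constructor (assumption: the
# page's source screenshot is not reproduced here).
MASTERCHEF_ARGS = [("_sushi", "address"), ("_devaddr", "address"),
                   ("_sushiPerBlock", "uint256"), ("_startBlock", "uint256"),
                   ("_bonusEndBlock", "uint256")]

def decode_constructor_args(input_hex, layout):
    """Return {name: value} for the arguments at the tail of the input data."""
    data = bytes.fromhex(input_hex[2:] if input_hex.startswith("0x") else input_hex)
    tail_len = WORD * len(layout)
    if len(data) < tail_len:
        raise ValueError("input data shorter than the constructor arguments")
    tail, decoded = data[-tail_len:], {}
    for i, (name, kind) in enumerate(layout):
        chunk = tail[i * WORD:(i + 1) * WORD]
        if kind == "address":
            # An address is 20 bytes, left-padded with 12 zero bytes.
            if any(chunk[:12]):
                raise ValueError(f"{name}: non-zero padding, not an address")
            decoded[name] = "0x" + chunk[12:].hex()
        elif kind == "uint256":
            decoded[name] = int.from_bytes(chunk, "big")
        else:
            raise ValueError(f"{name}: unsupported static type {kind}")
    return decoded

def word(value):
    """ABI-encode one address (hex string) or integer as a 32-byte hex word."""
    n = int(value, 16) if isinstance(value, str) else value
    return n.to_bytes(WORD, "big").hex()

# Constructed sample: placeholder bytecode plus five argument words. The two
# addresses are the ones named in the article; the numbers are made up.
SUSHI = "0x6b3595068778dd592e39a122f4f5a5cf09c90fe2"
DEPLOYER = "0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd"
SAMPLE_INPUT = "0x6080604052" + "".join(
    word(v) for v in (SUSHI, DEPLOYER, 100 * 10**18, 1_000_000, 1_100_000))

if __name__ == "__main__":
    args = decode_constructor_args(SAMPLE_INPUT, MASTERCHEF_ARGS)
    for name, value in args.items():
        print(f"{name:16} {value}")
    print("devaddr is deployer:", args["_devaddr"] == DEPLOYER)
```

The decoded value is only the deployment-time setting; a reviewer should also read the contract's current devaddr, since a setter can change it later.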

Based on the above analysis, we found that the address beginning with “0xf942db” collects 10% of all minted SUSHI tokens, and Chef Nomi exchanged the SUSHI tokens held at this address for ETH on September 5, 2020. However, if we look at the current state of the variable, we find a completely different address, as circled in the red box in the following figure:


This address corresponds to the multi-signature wallet to which Chef Nomi returned the 38,000 ETH. In other words, the address starting with “0xf73b31” is actually the new treasury account of Sushiswap, which is used to collect the 10% token reward mentioned in Chef Nomi's Twitter posts. There is only one function in the protocol that updates the devaddr variable, as shown in the following figure (source: GitHub):


We can quickly find the call to this function by scanning the function call activity provided by Bloxy.info. The following figure shows the query result of Bloxy’s smart contract function call:


As can be seen from the figure below, the dev(address) function has been called only once, by Chef Nomi on September 5, 2020, just a few minutes before he dumped SUSHI tokens on Uniswap:


Chef Nomi's call set the devaddr parameter to the address beginning with “0xf73b31”, which defines the new treasury or development fund account.

At this point, we can sort out the timeline of all events and form a more complete report, from the initial creation of the Sushiswap project to the transaction on September 11, 2020 and other related events:

SushiSwap investigation report

1. @Nomichef is an anonymous developer. He/she created the SushiSwap DeFi contract on August 26, 2020;

2. The contract contains a developer account controlled by @Nomichef, which collects 10% of all minted SUSHI tokens.

3. On September 5, 2020, @Nomichef withdrew approximately US$14 million worth of SUSHI tokens from the developer account, and exchanged these tokens for 38011 ETH on Uniswap.

4. @Nomichef also set up a new multi-signature contract as a new developer account to collect SUSHI token rewards again.

5. After a strong protest from the community, @Nomichef transferred 38,000 ETH to the previously created multi-signature contract, which is now controlled by @SBF_Alameda, CEO of the crypto derivatives exchange FTX Exchange.

6. @SBF_Alameda in turn deposited 5.57 million SUSHI tokens and withdrew @Nomichef's ETH as compensation.

7. At the time of this analysis, the multi-signature developer account was one of the largest DeFi “giant whale” accounts, valued at approximately US$9 billion.

Blockchain analysis

The following blockchain analysis diagrams were generated using Anchain CISO to record the transactions on the Ethereum blockchain related to this case.

ETH transaction:


SUSHI transaction:


Event timeline

Addresses relevant to this incident

1. 0x6b3595068778dd592e39a122f4f5a5cf09c90fe2 — Sushi Token contract

2. 0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd — SushiSwap: MasterChef LP staking pool, and also holds the largest liquidity position on Sushiswap.

3. 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd — @NomiChef account / SushiSwap: Deployer / Devshare account (10% of tokens will be collected each time SUSHI tokens are distributed).

4. 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76 — Contract: MultiSigWalletWithDailyLimit / New Devshare account.

5. 0x80c5e6908368cb9db503ba968d7ec5a565bfb389 — Zapper.Fi Uniswap

6. 0xCE84867c3c02B05Dc570D0135103d3fb9cC19433-Uniswap V2

7. 0xD57581D9e42E9032e6f60422fA619b4A4574Ba79 — @SBF_Alameda — FTX CEO

Phase zero: setup

1. 2020–08–26 12:28:07 UTC — @Nomichef (0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd) deployed the SUSHI token contract (0x6B3595068778DD592e39A122f4f5a5cF09C90fE2).

2. 2020–08–26 01:00:51 UTC — @Nomichef (0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd) deployed the MasterChef LP staking pool (0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd).

3. 2020–09–03 01:16:40 UTC — @Nomichef deployed a multi-signature wallet 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76.

Phase 1: Exit

1. 2020–09–05 09:20:10 UTC — @Nomichef initiates a transaction to the Zapper.Fi Uniswap (0x80c5e6908368cb9db503ba968d7ec5a565bfb389) contract:

In this transaction, 5.0249 million SUSHI tokens were used on Uniswap V2 (0xCE84867c3c02B05Dc570D0135103d3fb9cC19433) and Zapper.Fi (0x80C5e6908368CB9db503BA968D7ec5A565BfB3890.1) to open SUSHI-WETH liquidity pair 3886-WETH.

2. 2020–09–05 09:33:19 UTC — @Nomichef changed the devshare account address from 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd to multi-signature wallet 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76:

3. 2020–09–05 11:57:05 UTC—The SUSHI-WETH trading pair has cleared 38011 ETH, and the funds were transferred back to @Nomichef (0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd)

Phase 2: Return

1. 2020–09–06 06:29:00 UTC —@Nomichef reached an agreement to return the funds to the multi-signature wallet and transfer control to @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79):

2. 2020–09–06 07:32:34 UTC—The owner of the multi-signature wallet is replaced from @Nomichef to @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79).

3. 2020–09–11 03:25 UTC—@Nomichef transfers 38,000 ETH back to SUSHI multi-signature wallet (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76).

4. 2020–09–11 03:31:00 PM UTC — @Nomichef apologized and publicly stated that 38,000 ETH had been transferred to the Sushiswap treasury multi-signature account.

Phase 3: Compensation

1. 01:13:46 AM UTC on September 15, 2020 — @SBF_Alameda began to accumulate 3,969.94 ETH from Bittrex (0xfbb1b73c4f0bda4f67dca266ce6ef42f520fbb98) and another unknown exchange (0x964d9d1a532b5c5daeacbac71d46320deseriesa).

2. At 02:06 AM UTC on September 15, 2020 — @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79) completed the exchange of ETH with SUSHI tokens on Uniswap. The last exchange transaction can be found from the link below:

3. 02:15:46 AM UTC on September 15, 2020 — 5.57 million SUSHI tokens will be transferred from the address controlled by @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79) to the multi-signature wallet (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76)

4. 4:42 AM UTC on September 15, 2020 — Transfer 38,000 ETH from the multi-signature wallet (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76) to @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79).

5. At 5:50 UTC on September 15, 2020-3920,000 ETH will be transferred from @SBF_Alameda to 0x9f9643c8b413b32c3a1270068487f341e5be8bfd through multiple transactions (4000 ETH, 4010 ETH, 4020 ETH…4080 ETH, 2870 ETH). The following link is an example of these transactions:

6. 06:10:03 AM on September 15, 2020 — 1,000,000 SUSHI tokens are transferred from the multi-signature financial account to @SBF_Alameda.