This is a battle between robots running in the dark forest of Ethereum, and the real attackers gained little in comparison.
Original Title: “The Hero of the Dark Forest”
Written by: Leida Xiong, co-founder of DODO
There is a widely circulated article, “Ethereum is a Dark Forest”, which introduces the “generalized front-running robot”. This type of robot monitors transactions that have been broadcast but have not yet been included in a block. Once it finds that a pending transaction is profitable, it sends the same transaction with a higher gas price, so that its copy is executed before the original.
If you have seen Naruto, it is like Kakashi the Copy Ninja: he copies your jutsu and launches it before you do.
The Ethereum world is like a dark forest full of such robots, and your every move is secretly observed. That sounds like a cold and unforgiving story, but what we are going to talk about next is full of warmth and chivalry.
We made a mistake
8 a.m. on March 9, Beijing time.
I received a call from our community manager saying that our contract had been attacked at 5 a.m. I immediately called the technical team to check the details.
We then discovered that the initialization function of the fund pool had a flaw: it could be called repeatedly. The attacker used a flash loan to borrow the real tokens, then re-initialized the contract to replace the pool’s token pair with counterfeit tokens the attacker had created, thereby bypassing the flash loan repayment check.
This was not a problem with PeckShield, who was responsible for the audit. Before going live we made several changes to simplify the code logic, and in doing so dropped a permission check. We made a huge mistake.
Fortunately, this problem only affected part of our V2 fund pool business; the trading module was not affected. Only project parties (the token projects that had created pools) were affected, and ordinary users suffered no loss.
We immediately started to remedy the situation. Within 15 minutes the technical team rescued all the funds still exposed to the flaw (approximately US$8w; the “w” here stands for 10,000, so about US$80,000). Pool creation was then disabled in the product, and the operations team issued an announcement to inform users and project parties of the progress of the matter.
At the same time, we tallied the losses: about US$380w (3.8 million) worth of USDT, ETH and project tokens. After that, we immediately began to investigate.
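To make the failure concrete, here is an added illustration of the pattern described above. It is not DODO’s audited code; the contract and function names (VulnerablePool, HardenedPool, init, flashLoan, onFlashLoan) and the simplified pool logic are assumptions. The first contract shows an init() that can be called again from inside a flash-loan callback, so the repayment check ends up reading the balances of whatever tokens the pool now points at. The second restricts init() to the deploying factory, makes it one-shot, and checks repayment against values captured before control is handed to the borrower.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not DODO's code. Names and pool logic are simplified
// assumptions that reproduce the pattern the post describes.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IFlashLoanReceiver {
    function onFlashLoan(uint256 baseAmount, uint256 quoteAmount, bytes calldata data) external;
}

// "Before": the pattern that was exploited.
contract VulnerablePool {
    IERC20 public baseToken;
    IERC20 public quoteToken;
    uint256 public baseReserve;
    uint256 public quoteReserve;

    // BUG: no caller restriction and no "already initialized" flag, so init()
    // can be called again while the pool already holds funds, repointing
    // baseToken/quoteToken (and the recorded reserves) at any pair of tokens.
    function init(address base, address quote) external {
        baseToken = IERC20(base);
        quoteToken = IERC20(quote);
        baseReserve = baseToken.balanceOf(address(this));
        quoteReserve = quoteToken.balanceOf(address(this));
    }

    function flashLoan(uint256 baseAmount, uint256 quoteAmount, address receiver, bytes calldata data) external {
        if (baseAmount > 0) require(baseToken.transfer(receiver, baseAmount), "transfer failed");
        if (quoteAmount > 0) require(quoteToken.transfer(receiver, quoteAmount), "transfer failed");
        // Control passes to the borrower here; nothing stops the callback from calling init().
        IFlashLoanReceiver(receiver).onFlashLoan(baseAmount, quoteAmount, data);
        // BUG: the repayment check reads storage that the callback may have rewritten.
        // If baseToken/quoteToken now point at counterfeit tokens whose balanceOf
        // reports whatever the caller likes, these checks pass without repayment
        // and the real tokens sent above are never returned.
        require(baseToken.balanceOf(address(this)) >= baseReserve, "base not repaid");
        require(quoteToken.balanceOf(address(this)) >= quoteReserve, "quote not repaid");
    }
}

// "After": the permission control the post says was missing, plus a one-shot
// flag, a reentrancy lock, and a snapshot-based repayment check.
contract HardenedPool {
    IERC20 public baseToken;
    IERC20 public quoteToken;
    uint256 public baseReserve;
    uint256 public quoteReserve;
    address public immutable factory; // the only address allowed to initialize
    bool private initialized;
    bool private locked;              // simple reentrancy lock

    constructor(address factory_) {
        factory = factory_;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    // FIX 1: permission control plus a one-shot flag. Neither an outside caller
    // nor a flash-loan callback can re-run this once the factory has set the pair.
    function init(address base, address quote) external {
        require(msg.sender == factory, "only factory");
        require(!initialized, "already initialized");
        initialized = true;
        baseToken = IERC20(base);
        quoteToken = IERC20(quote);
        baseReserve = baseToken.balanceOf(address(this));
        quoteReserve = quoteToken.balanceOf(address(this));
    }

    function flashLoan(uint256 baseAmount, uint256 quoteAmount, address receiver, bytes calldata data)
        external
        nonReentrant
    {
        // FIX 2: snapshot the token addresses and required balances before
        // handing control to the borrower, and verify against the snapshot,
        // so the check cannot be redirected by any storage write in the callback.
        IERC20 base = baseToken;
        IERC20 quote = quoteToken;
        uint256 baseRequired = baseReserve;
        uint256 quoteRequired = quoteReserve;

        if (baseAmount > 0) require(base.transfer(receiver, baseAmount), "transfer failed");
        if (quoteAmount > 0) require(quote.transfer(receiver, quoteAmount), "transfer failed");
        IFlashLoanReceiver(receiver).onFlashLoan(baseAmount, quoteAmount, data);

        require(base.balanceOf(address(this)) >= baseRequired, "base not repaid");
        require(quote.balanceOf(address(this)) >= quoteRequired, "quote not repaid");
    }
}
```

The two fixes are independent and worth keeping together: the initializer guard closes the specific hole, while snapshotting the token addresses before the external call means that even a future storage-rewriting bug in some other function could not redirect the repayment check.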
Good news from samczsun
8:30 a.m. on March 9, Beijing time.
Within half an hour of the incident, I received a private message from the white hat samczsun. He said that a mysterious person who did not want to be named, whom we will call Mr. Cheetah, had “accidentally obtained” US$189w (about 1.89 million) of the stolen funds, and had asked samczsun to tell us that he was willing to return it to us in full.
Who was Mr. Cheetah, how had he obtained part of the stolen funds, and did he know the whereabouts of the remaining stolen funds, or have any clues?
The confusing event process
After analyzing the attack, we found that a total of two addresses had executed attacks, which we will call Mr. Hippo (0x368) and Mr. Antelope (0x355).
Mr. Hippo executed two attacks. Of the proceeds, US$20w (200,000) went into a centralized exchange, which we immediately contacted to have the funds frozen. The other US$189w matched the amount Mr. Cheetah wanted to return to us, so we speculated that Mr. Hippo was Mr. Cheetah, and probably a white hat hacker.
Nor did Mr. Antelope seem to be a bad actor. His attack was carried out by a “generalized front-running robot”, which sent its transaction with a gasPrice of up to 90,000 gwei; the miner fee for a single transaction was as high as 8 ETH. Judging from the on-chain clues, it was very likely that Mr. Antelope’s robot had automatically front-run the attacker Mr. Hippo’s transaction, and Mr. Antelope might not even know it!
This was more good news for us: if Mr. Antelope could be contacted, that money might also be recovered.
The mystery is getting bigger and bigger
21:00 on March 9, Beijing time.
After waiting a day, we received a refund (US$189w) from Mr. Cheetah and, at the same time, a message: Mr. Cheetah denied being Mr. Hippo.
Now the mystery had grown: there were at least three parties involved in this attack! Moreover, we did not know how Mr. Cheetah had acquired Mr. Hippo’s assets. At that point, the only person we had a chance of contacting was Mr. Cheetah, who was clearly familiar with the laws of the dark forest.
Although Mr. Cheetah wanted to remain anonymous, we conveyed our wish to establish direct contact with him through samczsun and some friends. After waiting several hours, I received a private message on Telegram.
Small world
1:30 a.m. on March 10, Beijing time.
I never expected Mr. Cheetah to be an old acquaintance of mine. I had met him in 2018, when I was still doing development work at DDEX, and we used to discuss contract development together. After I left DDEX we lost contact, and he had no idea I had become a founding partner of DODO.
Mr. Cheetah told me that Mr. Hippo was the attacker. Hippo had transferred the proceeds of the attack into a contract, but that contract had a flaw: anyone could withdraw the coins from it. When Mr. Hippo went to withdraw, he was front-run by Mr. Cheetah’s robot, which is how Cheetah “accidentally obtained” the funds.
What about the remaining stolen funds? While we were discussing how to contact Mr. Antelope, he took the initiative to contact me.
The full picture
3 a.m. on March 10, Beijing time.
Mr. Antelope sent me an anonymous email expressing his willingness to return the funds (worth about US$120w, or 1.2 million). I finally breathed a sigh of relief: the two largest portions were being returned. Moreover, Mr. Antelope shared with us a great deal of what his robot had monitored during the incident, so we could finally see the full picture.
(We do not list specific txHashes here, because our friends want to keep a low profile.)
The real attacker was Mr. Hippo.
He executed two attacks, but both were snatched away by Mr. Antelope’s robot.
Mr. Hippo was very frustrated. It took him a while to write a contract that bypassed Mr. Antelope’s trading robot. This time he succeeded, and the funds landed in Mr. Hippo’s contract.
But when Mr. Hippo withdrew from that contract, he was intercepted by Mr. Cheetah’s trading robot! Mr. Antelope and Mr. Cheetah fought a gas battle, and Mr. Cheetah won. At this point Mr. Hippo had executed three attacks and gained nothing; all of it had been snatched away by the robots in the dark forest!
Subsequently, Mr. Hippo executed two successful attacks, but the amounts were relatively small, about US$20w (200,000) in total. We are still tracing that money.
In the end, within 24 hours of the attack, we recovered US$310w (3.1 million) of the stolen US$380w.
Warm dark forest
There are many hunters in the dark forest, but they are not as cold and ruthless as the public imagines. Some hunters are gentle, large herbivores. They are the knights of the dark forest: they intercepted the money from the hackers and returned it to the victims.
To this day, many people still believe that the cryptocurrency world is full of scammers and hackers, and associate it with words like illegal transactions, scams, and rights protection. But in fact there are many different roles in this forest: DeFi project parties, ordinary users, enthusiastic onlookers, highly skilled arbitrage robots, white hats who stay vigilant and neutral around the clock, amateur hackers who are not sure of their aim, skilled professional hackers…
Together they form an ecosystem with its own justice and morality, in which each participant more or less plays the role of a law enforcement officer. For honest developers, this is a warm dark forest.
Thank you everyone
After being attacked, we received a great deal of help from friends. I am very fortunate that there are so many good people in the Ethereum community, who helped DODO at its most difficult moment. We pay the highest tribute to the knights and righteous people of the Ethereum community. These include:
PeckShield, SlowMist, Binance Security Team
samczsun, Tina
1inch, Tokenlon, Binance, Huobi, Etherscan
Many other friends also offered encouragement and comfort and, even as competitors, stood with us at this critical moment. This makes us feel that there are many warm things hidden beneath the cold code: a respect for honesty, a yearning for fairness, and a regard for credibility.
Extra Story
Before Mr. Antelope returned the vETH, his robot fell into a honeypot trap designed specifically for it.
https://etherscan.io/tx/0xb081e1aaf4ea7d6b819fc0ffa8230586854130e6b7313fa23a0cc4509b8c3886
This trap used 0.05 ETH as bait to defraud the robot of 324 vETH, worth about US$50w (500,000). We do not know who designed it. It may have been Mr. Hippo, unwilling to accept defeat, or it may have been an onlooker joining in the fun.
In the end, Mr. Antelope graciously shared this loss with us.
On the other hand, some researchers are building “portals” in the dark forest, such as MEV-geth, the infrastructure from the MEV research organization Flashbots, and SparkPool’s Taichi. These “portals” connect the sender of a transaction directly with a mining pool; they are built on private transactions and optimized transaction-ordering rules, which can prevent transactions from being front-run.