FN Suspicious funding detector #658

Open
Ivan1905 opened this issue Jun 13, 2024 · 7 comments
Labels: attack detector, P0 Priority 0 - Urgent
@Ivan1905
Collaborator

Hi there,

Attaching a few examples.

Case 1: Attacker was: https://bscscan.com/txs?a=0xb6911DEE6a5b1c65Ad1aC11A99AeC09C2Cf83c0e
which was funded by: https://bscscan.com/txs?a=0x06b8cc57c7156875385085d6a6bd59db87d9c72a&p=2 - which was funded by ChangeNOW. Suspicious Funding Detector did not fire.

Case 2: attacker was: https://bscscan.com/txs?a=0x6951EB8a4A1DAb360F2230Fb654551335d560ec0
which was funded by: https://bscscan.com/address/0xc35a04a5dce3d31649e97159f53247fb9e1c3bd7#internaltx which was funded by TC. Suspicious Funding Detector did not fire.

Case 3: Attacker was: https://etherscan.io/address/0xFcd4ACBc55DF53fBc4C9D275e3495B490635f113 which was funded by: https://etherscan.io/address/0xc9037673e12e9f240f1015f7e57611489dc4f5bc which was funded by TC. Suspicious Funding Detector did not fire.

@Vxatz
Contributor

Vxatz commented Jun 14, 2024

The issue here was that the bot contains a max value threshold (the reasoning being that an attacker wouldn't need too much in funds transferred in order to execute an attack), and in these cases it was exceeded.

The thresholds on each chain were the following:

{
  1: 0.07,
  10: 0.07,
  56: 0.5,
  137: 190,
  250: 400,
  42161: 0.07,
  43114: 4,
};

and after discussing with @salort-forta, we decided to 20x the ETH values (bringing them to around $5000) and then update the rest of the chains' thresholds to also be around $5000 at the time of the update.

{
  1: 1.4,
  10: 1.4,
  56: 9,
  137: 8300,
  250: 8000,
  42161: 1.4,
  43114: 160,
}

The updated bot has been deployed.
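To make the failure mode above concrete, here is an added example (not the detector's own code) that models the max-value gate with the two threshold tables from this comment and runs it over constructed fundings shaped like the reported cases. The set of monitored funding sources and the sample values are assumptions made for the illustration.

```javascript
// Added illustration, not the detector's code. A funding transfer is alerted on only
// when it comes from a monitored source AND its value is at or below the per-chain cap.
// Values are in the chain's native token; both tables are copied from the comment above.
const OLD_THRESHOLDS = { 1: 0.07, 10: 0.07, 56: 0.5, 137: 190, 250: 400, 42161: 0.07, 43114: 4 };
const NEW_THRESHOLDS = { 1: 1.4, 10: 1.4, 56: 9, 137: 8300, 250: 8000, 42161: 1.4, 43114: 160 };

// Assumption: the thread says ChangeNOW is deliberately not monitored, while the
// TC-funded cases only failed on the cap, so TC is treated as a monitored source here.
const MONITORED_SOURCES = new Set(["tornado-cash"]);

// Returns the detector decision for one funding transfer and the reason for it.
function evaluateFunding(tx, thresholds, monitored = MONITORED_SOURCES) {
  if (!monitored.has(tx.source)) {
    return { alert: false, reason: "funding source not monitored" };
  }
  const max = thresholds[tx.chainId];
  if (max === undefined) {
    return { alert: false, reason: `no threshold configured for chain ${tx.chainId}` };
  }
  if (tx.value > max) {
    // This branch is the false negative discussed in the thread: large fundings stay silent.
    return { alert: false, reason: `value ${tx.value} exceeds max ${max}` };
  }
  return { alert: true, reason: "monitored source, value within threshold" };
}

// Constructed sample fundings modelled on the cases in the thread (not real chain data).
const SAMPLES = [
  // Case 3-like: 1 ETH on Ethereum mainnet from a TC-funded hop.
  { id: "eth-1eth", chainId: 1, value: 1.0, source: "tornado-cash" },
  // Above the new 1.4 ETH cap: the gate still stays silent for larger fundings.
  { id: "eth-2eth", chainId: 1, value: 2.0, source: "tornado-cash" },
  // Case 1-like: BSC funding whose ultimate source is ChangeNOW, which is not monitored.
  { id: "bsc-changenow", chainId: 56, value: 0.3, source: "changenow" },
];

// Runs every sample against both tables so the before/after behaviour is visible side by side.
function compareThresholds(samples = SAMPLES) {
  return samples.map((tx) => ({
    id: tx.id,
    old: evaluateFunding(tx, OLD_THRESHOLDS).alert,
    new: evaluateFunding(tx, NEW_THRESHOLDS).alert,
  }));
}

console.table(compareThresholds());
```

The table shows the 1 ETH case flipping from silent to alerted by the threshold change, while the ChangeNOW-sourced case stays silent under both tables because the gate never reaches the value check.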

@Ivan1905
Collaborator Author

@Vxatz could you confirm that we did have the same issue here?
Attacker: https://etherscan.io/address/0xfcd4acbc55df53fbc4c9d275e3495b490635f113
Funded by: https://etherscan.io/address/0xc9037673e12e9f240f1015f7e57611489dc4f5bc
This last address was funded by TC.

@Vxatz
Contributor

Vxatz commented Jun 18, 2024

@Ivan1905, yes, it's the same issue. The account was funded with 1 ETH and our max value threshold was 0.07 ETH (it's now 1.4 ETH).

@Ivan1905
Collaborator Author

@Vxatz could you confirm we have the same case here?
This attacker: https://bscscan.com/txs?a=0xb6911dee6a5b1c65ad1ac11a99aec09c2cf83c0e&p=3
was funded by: https://bscscan.com/address/0x06b8cc57c7156875385085d6a6bd59db87d9c72a
which was funded by ChangeNOW.

@Vxatz
Contributor

Vxatz commented Jun 25, 2024

Hi @Ivan1905, this case is different: we didn't get an alert for the funding tx of the attacker because we don't monitor ChangeNOW in the hops bot (I think the decision was made because ChangeNOW is frequently used as a legit funding source).

@Ivan1905
Collaborator Author

Ivan1905 commented Jul 1, 2024

Hi @Vxatz, this seems to be the same case, right?

https://bscscan.com/tx/0xefe58a14fc0022872262678b358aaae64a26fe2389d09093eb14752ea99415e9

The attacker seems to be funded by another address which was funded by ChangeNOW.

@Vxatz
Contributor

Vxatz commented Jul 1, 2024

That's right.
