Open in app

Sign in

Write

Sign in

Timeline

Sisyphus
4 min readOct 31, 2021

--

Between Tuesday night and Wednesday afternoon EST, initial idea for OHM/SHIB fork with faster rebase is generated in PebbleDAO.

Beerus dumped ~95 ETH of PEBBLE the day before the rug (funds appear to go to buying SHIB and then to purchasing ANKH) (https://etherscan.io/tx/0x447f45860f66004afcc180e74be0e7eef9d04acdc40e3a709de9277ea932658f)

Wednesday 10/27 4 PM EST: Anubis TG is formed with 6 people in it from PebbleDAO

  • Aurelius/Caesar0x planned to work on initial contract (forking OHM) for 2 days but with no further involvement in the project
  • ConvexDegen/Tanuki worked on front-end/website setup, forking Wonderland FE. Plan was they would also manage solidity after the initial 1–2 day lift.
  • Beerus (AKA Wrath/M1/Eth) managing discord and twitter comms + hiring mods (incl. “Billie from Hold” who was added to chat by Beerus)
  • Sisyphus to handle public face and helping pull DAO members together

Over course of Wednesday initial ideation+front end and contract work is done. Plan is to do LBP launch the next day. Rather than doing a whitelist/presale of any kind — plan was to portion out a % of supply to PebbleDAO (which is why 7.5% of supply sent to PebbleDAO multisig. By late Wednesday night EST, had setup Discord/Twitter, announcement had been put out that LBP would be tomorrow on Copper.

Thursday 10/28 9:47 AM EST: ANKH contract deployed on mainnet and supply placed into a multisig

Between 10:00 and 11:20 AM EST DAO members agree to have Beerus deploy the LBP as other DAO members are either unavailable to do so or do not want responsibility over the LBP. DAO members send a total of 310 ETH from new wallets to the LBP launch wallet.

  • This was the critical mistake. This should have been done from the original multisig wallet.

Thursday 10/28 11:32 AM EST: Multisig sends 522,727,065 ANKH to hot wallet under Beerus’s control for him to deploy LBP later on

  • Wallet: 0x872254d530Ae8983628cb1eAafC51F78D78c86D9 aka “AnubisDAO Liquidity Rug 1”

Thursday 10/28 12:28 PM EST: Copper LBP is created

Thursday 10/28 12:37 PM EST: Trading is enabled on the Copper LBP pool

Thursday 10/28 12:49 PM EST: Public announcement of Copper LBP is made in the Discord

  • Over next couple hours Sisyphus/others spend time on damage control (for the 12 minute delay between pool trading enabled and announcement in Discord) and continuing to code front-end plus back-end

Thursday 10/28 6 PM EST: Crash was added to working group chat (who was working on similar OHM/SHIB fork in parallel)

Next 14 hours are spent setting up website + testing contracts + writing gitbook. LBP is ongoing in background

Thursday 10/28 11:55 PM EST: Plan solidified — once LBP closes, launch liquid trading pair and subsequently launch staking/bonding plus website in next 24 hours after that.

Friday 10/29, sometime between 6:30 and 7:58 AM EST — Beerus claims to have opened a malicious link from a PDF which exposes the private keys used for LBP launch. “AnubisDAO Liquidity Rug 1” wallet may have been compromised during this timeframe.

Friday 10/29 7:58 AM EST: “AnubisDAO Liquidity Rug 1” wallet pulls 13,556 liquidity from LBP about 4.5 hours prior to LBP completion. Unclear who controls the wallet at this point.

Friday 10/29 7:58 AM EST (6 seconds later): “AnubisDAO Liquidity Rug 1” transfers funds to “AnubisDAO Liquidity Rug 2”. Unclear who controls the wallet at this point. Rug 2 and Rug 1 wallets are derived from the same seed phrase.

Friday 10/29 8:00 AM: Working group realizes LBP was pulled.

Friday 10/29 8:06 AM: Beerus sends seed phrase for the LBP hot wallet to working group chat.

  • Sisyphus/others reach out to exchanges to blacklist relevant addresses over the next couple hours + running comms + damage control
  • Beerus’s Twitter is disabled after tweeting “XD”.

Friday 10/29 9:24 AM: “AnubisDAO Liquidity Rug 2” transfers funds to “AnubisDAO Liquidity Rug 3”

Security researchers provided the PDFs from phishing emails put out via Sendgrid throughout the day. At this point, none have found any malicious content contained in the PDFs.

Over the course of Friday, Beerus’s real-world information is collated from a large number of sources and partially released to the public online through several Twitter channels. HK law enforcement is initially contacted during the day on 10/29. There is no direct contact with Beerus between 11 AM EST and 8 PM EST.

Saturday 10/30 Morning EST: Beerus goes to HK police, files police report and turns over one PC unit (unclear if laptop or desktop)

Over the course of Saturday midday EST, several US law enforcement agencies (same group who resolved the recent Stablemagnet situation) are made aware of the attack/rug.

Saturday 10/30 11 AM — 12 PM EST: 13 ETH is sent to Tornado.cash from a wallet affiliated with the attacker/rug wallets (3 transactions for 1 ETH and 1 transaction for 10 ETH). 2 deposits are made into this wallet from Coinbase.

Saturday 10/30 2–3 PM EST: Several unusual transactions are made out of a wallet affiliated with the attacker/rug wallets (would note at this point the seed phrase was likely widely available):

Saturday 10/30 3:16 PM EST: The above wallet affiliated with “AnubisDAO Liquidity Rug #1” transfers ~1.74 ETH to a Coinbase deposit address

--

--

Sisyphus

Written by Sisyphus

31 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams