DeFi Detectives: Chef Nomi Investigation Notes

Last week I had a lot of fun with the latest blockchain investigation competition put together by folks at Anchain. The competition spanned two weeks and included a number of questions challenging players to dig through Ethereum blockchain transaction and smart contract data. In addition to many freely available tools, participants were also offered a free license of Anchain’s CISO blockchain analytics platform which made the analysis a lot easier.


In this writeup I will discuss blockchain analytics tools, techniques, and lessons learned while solving the challenges. I will focus only on solving the last (and hardest) challenge: investigating the infamous exit scam and the eventual return of funds by SushiSwap’s Chef Nomi back in September 2020. My goal is to share the investigation steps so that you, the reader, will also be inspired to participate in future contests or maybe even make this your future career. Check out my Blockchain Threat Intelligence newsletter for ideas on how to contribute to this field. If you would rather see the solution and investigation files, just scroll down to the report section of the article.

Here is the challenge question:

On September 5th Chef Nomi, the original creator of SushiSwap, cashed out around $14M from SushiSwap and gave it back on September 11th. Can you find what happened on CISO? List the accounts involved here: https://ciso.anchainai.com/eth/tx/0xa5179a870734faadbb7abe2cc2030436a870f9bda1f869b3f986d65cbfbe57b8

The investigation begins with the transaction above where 38,000 ETH are transferred between 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd and 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76 addresses:

AnChain CISO: 38,000 ETH transaction on September 11, 2020.

The exact transaction hash was referenced by Chef Nomi in his apology tweet on September 11th, 2020 where he implies that all of the withdrawn ETH was returned to the treasury account:

Twitter: Chef Nomi’s apology tweet

Let’s figure out what these addresses are, starting with 0xf942db (short for 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd). Etherscan labels this address as SushiSwap: Deployer. Indeed, looking at its early transaction history, it was used to deploy the SushiSwap: SUSHI Token contract on August 26th:

Etherscan: SushiSwap: SUSHI Token deployment

Chef Nomi was the only person who could have deployed that contract, so we can confidently associate 0xf942db address with him or her.

The 0xf73b31 (short for 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76) address is even more interesting since it is actually a Multi-Sig Wallet deployed by the very same 0xf942db address on September 3rd, 2020:

Etherscan: Multi-Sig contract deployment

Interesting! So Chef Nomi transferred 38,000 ETH from a known personal Ethereum account to a Multi-Sig wallet that they themselves had created. The beauty of Multi-Sig contracts is that it’s possible to query the wallet owners to better understand who actually controls it. For this we can use Etherscan’s convenient contract read feature to enumerate the owners:

Etherscan: Multi-Sig getOwners() output

Notice that Chef Nomi’s 0xf942db address is completely missing from this list above. In fact, Chef Nomi made a transaction to change ownership from 0xf942db to 0xd57581d9e42e9032e6f60422fa619b4a4574ba79. Once again, Etherscan is amazing at giving us a detailed transaction event log:

Etherscan: Multi-Sig change ownership transaction

Who is this 0xd57581? Searching for this address on social media, a curious exchange showed up between Chef Nomi’s twitter account @Nomichef and FTX Exchange CEO’s twitter account @SBF_Alameda:

Twitter: @SBF_Alameda publishing his Ethereum address

Based on the above exchange, the FTX CEO agreed to take over the SushiSwap project and published his Ethereum wallet address from his official Twitter account as proof of ownership. Following Chef Nomi’s 38,000 ETH deposit, @SBF_Alameda (0xD57581) proceeds to deposit 5.57m SUSHI, which he had just purchased on Uniswap, into the Multi-Sig contract (0xf73b31):

Anchain CISO: @SBF_Alameda depositing 5.56M SUSHI into the Multi-Sig address

Shortly after, @SBF_Alameda proceeds to withdraw 38,000 ETH as compensation. The exchange is illustrated in the transaction trace below:

Anchain CISO: @SBF_Alameda withdrawing 38,000 ETH

While the exchange implies that the 0xf73b31 address plays an important role in the SushiSwap ecosystem, it is not clear exactly why it was chosen for these transactions. In order to understand this piece of the puzzle, let’s take a look at how the reward system works on SushiSwap.

In the Medium post (now deleted) announcing the SushiSwap project, Chef Nomi mentions a Project Sustainability/Dev fund:

Medium: Project Sustainability Fund

Looking at the project’s source code, I found the following line which implements reward logic in MasterChef.sol:

Github: SUSHI rewards to Dev fund

The address for the Dev fund is stored in the variable devaddr and is defined in the smart contract constructor at initialization time:

Github: Dev fund address initialization

According to the Medium article, the MasterChef contract was deployed at 0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd. Let’s look at Etherscan to see what it was set to at contract deployment time by looking at the very first transaction:

Etherscan: MasterChef contract deployment transaction

The input data is unfortunately difficult to decipher; however, we can find constructor initialization data at the bottom of the input data blob:

Etherscan: Masterchef contract deployment payload

Each constructor argument is ABI-encoded as a fixed 32-byte (uint256-sized) word, which makes it easy to split the tail of the payload into individual parameters:

Constructor Parameters

Conveniently, these parameters line up with the constructor signature in the source code, giving us the value of devaddr. It is explicitly set to Chef Nomi’s address:

Github: Masterchef.sol constructor variables

This allowed 0xf942db to collect 10% of all minted SUSHI which Chef Nomi eventually cashed out on September 5th, 2020. However, if we look at the current state of the variable, we will find a completely different address:

Etherscan: MasterChef contract devaddr variable

The address corresponds to the Multi-Sig wallet where Chef Nomi returned the 38,000 ETH. The 0xf73b31 address is in fact the new treasury account collecting the 10% reward that @Nomichef mentioned in their tweet. There is only one function which can update the devaddr variable in the contract:

Github: MasterChef.sol function to update devaddr value

We can quickly locate the call to that function by scanning the function call activity provided by Bloxy.info:

Bloxy: Smart contract function calls

There was only one function call to the dev(address) function. Chef Nomi executed it on September 5, 2020, a few minutes after dumping SUSHI on Uniswap:


The call includes the new devaddr parameter 0xf73b31 which defines the new Treasury or Developer fund account.
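The two decoding steps above (splitting the constructor arguments off the tail of the deployment payload, and reading the address argument of the dev(address) call) can be scripted. This is an added example, not code from the original post or from the SushiSwap project; the constructor argument order is assumed from the MasterChef source, the deployment bytecode, the three uint256 values and the call selector are constructed stand-ins, and only the addresses come from the investigation.

```python
WORD = 32  # each static ABI argument (address, uint256) occupies one 32-byte word

def _hex_to_bytes(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)

def decode_word(word: bytes, typ: str):
    """Decode a single 32-byte ABI word as an 'address' or a 'uint256'."""
    if len(word) != WORD:
        raise ValueError("ABI word must be exactly 32 bytes")
    if typ == "address":
        # An address is right-aligned: 12 zero bytes of padding, then 20 address bytes.
        if any(word[:12]):
            raise ValueError("non-zero padding: not a well-formed address word")
        return "0x" + word[12:].hex()
    if typ == "uint256":
        return int.from_bytes(word, "big")
    raise ValueError(f"unsupported ABI type {typ}")

def decode_constructor_args(input_hex: str, types: list) -> list:
    """Constructor args are appended after the creation bytecode, so read the tail."""
    data = _hex_to_bytes(input_hex)
    n = len(types) * WORD
    if len(data) < n:
        raise ValueError("payload shorter than the expected argument block")
    tail = data[-n:]
    return [decode_word(tail[i * WORD:(i + 1) * WORD], t) for i, t in enumerate(types)]

def decode_call_args(input_hex: str, types: list):
    """Call input is a 4-byte selector followed by one word per static argument."""
    data = _hex_to_bytes(input_hex)
    selector, body = data[:4], data[4:]
    if len(body) != len(types) * WORD:
        raise ValueError("argument block has unexpected length")
    args = [decode_word(body[i * WORD:(i + 1) * WORD], t) for i, t in enumerate(types)]
    return "0x" + selector.hex(), args

# Encoders used only to build the constructed sample payloads below.
def _addr_word(a: str) -> bytes: return bytes(12) + _hex_to_bytes(a)
def _uint_word(v: int) -> bytes: return v.to_bytes(WORD, "big")

# MasterChef constructor argument types, assumed from the SushiSwap source:
# (SushiToken _sushi, address _devaddr, uint256 _sushiPerBlock, uint256 _startBlock, uint256 _bonusEndBlock)
MASTERCHEF_CTOR = ["address", "address", "uint256", "uint256", "uint256"]

# Constructed deployment payload: stand-in bytecode, then the five ABI words. The addresses are
# the SUSHI token and Chef Nomi's devaddr from the investigation; the uint256 values are samples.
SAMPLE_DEPLOY = "0x" + (b"\x60\x80\x60\x40" * 8
    + _addr_word("0x6b3595068778dd592e39a122f4f5a5cf09c90fe2")
    + _addr_word("0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd")
    + _uint_word(100 * 10**18) + _uint_word(10_750_000) + _uint_word(10_850_000)).hex()

# Constructed dev(address) call: placeholder selector (the real one is keccak256("dev(address)")[:4])
# followed by the new devaddr, the Multi-Sig wallet from the investigation.
SAMPLE_DEV_CALL = "0x" + (b"\x00\x00\x00\x00" + _addr_word("0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76")).hex()
```

Run against a real deployment transaction, the same tail-split recovers devaddr because static arguments are always the last words of the creation payload.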

At this point we can build a more complete report and timeline of all of the events, from the initial creation of the SushiSwap project all the way to the events at and surrounding the September 11 transaction in the challenge:

SushiSwap Investigation Report

@Nomichef is an anonymous developer who created the SushiSwap DeFi contracts on August 26, 2020. The contracts included a developer account controlled by @Nomichef which collected 10% of all minted SUSHI tokens. On September 5, 2020, @Nomichef emptied ~$14M worth of SUSHI from the developer account and exchanged it for 38011 ETH on Uniswap. @Nomichef also set a new Multi-Sig contract as the new developer account to collect SUSHI rewards.

After the public outcry, @Nomichef transferred 38,000 ETH to a previously created Multi-Sig contract which is now controlled by FTX Exchange’s CEO, @SBF_Alameda. @SBF_Alameda in turn deposited 5.57M SUSHI and withdrew @Nomichef’s ETH as compensation. The multi-sig developer account is one of the largest DeFi whale accounts, worth ~$9B at the time of the analysis.

Blockchain Analysis

The following blockchain analysis graphs were produced using Anchain CISO to document transactions on Ethereum blockchain related to the case:

ETH Transactions:

https://ciso.anchainai.com/s/2uMjnnyuWFo

SUSHI Transactions:

https://ciso.anchainai.com/s/2uMjuzSjzBA

Events Timeline

  • 0x6b3595068778dd592e39a122f4f5a5cf09c90fe2 — Sushi Token contract
  • 0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd — SushiSwap: MasterChef LP Staking Pool, also largest liquidity position on SushiSwap
  • 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd — @NomiChef account / SushiSwap: Deployer / Devshare account which gets 10% of every SUSHI distribution
  • 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76 — Contract: MultiSigWalletWithDailyLimit / New Devshare account
  • 0x80c5e6908368cb9db503ba968d7ec5a565bfb389 — Zapper.Fi Uniswap
  • 0xCE84867c3c02B05Dc570D0135103d3fb9cC19433 — Uniswap V2
  • 0xD57581D9e42E9032e6f60422fA619b4A4574Ba79 — @SBF_Alameda — FTX CEO

2020–08–26 12:28:07 PM UTC — @Nomichef (0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd) deploys SUSHI Token contract (0x6B3595068778DD592e39A122f4f5a5cF09C90fE2)

https://etherscan.io/tx/0x5489c98aa634078471646e32a3a846c8d413f055ce10d06bd2260f4e71d1bc63

2020–08–26 01:00:51 PM UTC — @Nomichef (0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd) deploys MasterChef LP Staking Pool (0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd). The constructor explicitly sets devaddr to 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd:

https://etherscan.io/tx/0x3d68b0d8a94838af33070b8f00558e723f073b23772bd1760f1f4032e21e0fb3

2020–09–03 01:16:40 PM UTC — @Nomichef deploys Multi-sig wallet 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76

https://etherscan.io/tx/0x58b4873325c662a043b51f5c479a9cab263f7a4ce80517a0109a753d7ee7700f

2020–09–05 09:20:10 AM UTC — @Nomichef initiates a transaction to the Zapper.Fi Uniswap (0x80c5e6908368cb9db503ba968d7ec5a565bfb389) contract:

In this transaction 5.0249m SUSHI are used to open up SUSHI-WETH liquidity pairs on Uniswap V2 (0xCE84867c3c02B05Dc570D0135103d3fb9cC19433) and Zapper.Fi (0x80C5e6908368CB9db503BA968D7ec5A565BfB389) platforms for the amount of 38860.1622 WETH total.

https://etherscan.io/tx/0xc97cac6a9457f73febfd93ca90dd4dfbe128ad1658c3e48d01ad3d92d3efd07e

2020–09–05 09:33:19 AM UTC — @Nomichef changes devshare account address from 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd to the Multi-Sig wallet 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76:

https://etherscan.io/tx/0xe7e811bdc697b6ba7794a3ec795797a6c88181116196256b98695f17d987ea11

2020–09–05 11:57:05 AM UTC — The pair was liquidated for the amount of 38011 ETH which was transferred back to @Nomichef (0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd)

https://etherscan.io/tx/0x419a835b33eb03481e56a5f964c1c31017ab196cb7bb4390228cabcf50dfd6f1

2020–09–06 06:29:00 AM UTC — Agreement is reached to return funds to the multi-sig wallet and transfer control to @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79):

https://twitter.com/sbf_alameda/status/1302501004118695936

2020–09–06 07:32:34 AM UTC — Multi-sig wallet owner is replaced from @Nomichef to @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79).

https://etherscan.io/tx/0xe4fcf8aa90cc42355e2998561759f906ba5bbb50f2aeea161ebd167e3acc5609

2020–09–11 03:25 PM UTC — @Nomichef transfers 38k ETH back to the SUSHI multi-sig wallet (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76)

https://etherscan.io/tx/0xa5179a870734faadbb7abe2cc2030436a870f9bda1f869b3f986d65cbfbe57b8

2020–09–11 03:31:00 PM UTC — @Nomichef makes an apology tweet and describes him transferring 38k ETH to a treasury multi-sig account.

https://twitter.com/NomiChef/status/1304442495342796800

2020–09–15 01:13:46 AM UTC — @SBF_Alameda begins accumulating 39699.94 ETH from Bittrex (0xfbb1b73c4f0bda4f67dca266ce6ef42f520fbb98) and another unknown exchange (0x964d9d1a532b5a5daeacbac71d46320de313ae9c) in a series of transactions:

https://etherscan.io/tx/0xcefbd6a9b03522d87915f75ed94c10ed2c87a8456a436ca3f323bf46473bce60

https://etherscan.io/tx/0x6db4e66cba8566721e10015c1aa3db0738e4ac373e817aebf7cf3dba3a1cf377

https://etherscan.io/tx/0x47bfcb08961f1a80dc58e48cc22e34eda0712f3a8cff76eb4be9583a456dcd3d

https://etherscan.io/tx/0xd2c2f5c070eeb3d1ebbe9897f5047ffc74ca9183ef94c826a36b0b0616d65936

2020–09–15 02:06 AM UTC — @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79) finishes exchanging ETH for SUSHI on Uniswap. This is the last transaction in the series:

https://etherscan.io/tx/0xc901dea31fcc59a68fbbd9133f775836f3d59a2f0f6423835d949a215f099666

2020–09–15 02:15:46 AM UTC — 5.57m SUSHI are transferred from @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79) to the multisig wallet (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76)

https://etherscan.io/tx/0x8ff45efc77e5d81714f5a2e0a839c216112c2af6242041ef2d46cdf2fe8678f0
https://etherscan.io/tx/0x968de6f3f80b2af08d1c520d20d9c94019152cbac838aabf6c632da02ee0229f

2020–09–15 04:42 AM UTC — 38,000 ETH are transferred to @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79) from the multi-sig wallet (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76) completing the exchange.

https://etherscan.io/tx/0x7ef94acf19eaff3517e0675db1d6694b7567e79090cb1192f20ad0ee7892078d

https://etherscan.io/tx/0x7d3ab2ea9a4578f9ff08b90a73ec3d262cc6f3a6fc39bf6bd1e7c20e39c1eeb1

https://etherscan.io/tx/0xcbd16d06238b136390b1d914c3defddf378de59bf15906833d8fc25ccbc2f951

2020–09–15 05:50 AM UTC — 39200k ETH are transferred from @SBF_Alameda to 0x9f9643c8b413b32c3a1270068487f341e5be8bfd in a series of transactions of the form (4000 ETH, 4010 ETH, 4020 ETH … 4080 ETH, 2870 ETH). A sample transaction from the series:

https://etherscan.io/tx/0xd2f19e24961802ff29792e978844691f67e9c37173539cf86d204b68a9e91885

2020–09–21 06:10:03 AM UTC — 1,000,000 SUSHI are transferred from the Multi-sig treasury account to @SBF_Alameda.

https://etherscan.io/tx/0xe5a08db5e46cff54ac0bc15e5c307bc68daba03c1edd17e7cb4b4044d79ac435

Written by

Cryptocurrency, Malware Analysis, Incident Response, Pentesting, BlockThreat.net
