Sentinel Protocol
Published in

Sentinel Protocol

Part 1 — Luna and UST collapse: Debunking the LUNAtic conspiracy

Part 2? 👉 https://bit.ly/3OPoYif

At Uppsala Security, our goal is to help the blockchain and Web 3.0 ecosystem become a safer place to navigate. With the on-chain analytics technology and incident response know-how that we have developed over the years, we find it our duty to help our customers and those affected by incidents involving digital assets, and the Terra-Luna incident was no exception.

The on-chain analysis is intended to provide logical information to identify clues to a case, and to help the law enforcement and regulatory agencies find more leads and evidence to solve a case with the cooperation of Virtual Asset Service Providers (VASPs). The community’s contributions can further help with such investigation, and we encourage everyone to share their expertise and more relevant information.

We believe in on-chain data rather than conspiracy theories. We aim to provide the facts and evidence that can lead to uncovering the truth. We sincerely hope that our small effort can bring more clarity and some peace of mind to all of those affected by this incident.

Executive Summary

In this two-part series report, we will address the following key observations revealed via our on-chain forensic investigation:

  1. Part I: Uncovering the mysterious “Wallet A”. Series of on-chain data unveiled evidence that points to the fact that “Wallet A,” the key account that has been highlighted as the main culprit of the Terra-Luna implosion, may in fact be owned or controlled by Terraform Labs (TFL) or Luna Foundation Guard (LFG) themselves, or their related parties.
  2. Part II: Tracing TFL/LFG’s Flow of Funds from UST to MIM to USDT. Since November 2021, TFL-controlled wallets have been swapping billions of dollars worth of TerraUSD (UST) into Magic Internet Money (MIM) and subsequently into Tether (USDT). USDT created in this manner has been transferred to various exchange accounts, some of which are deemed to be owned or controlled by TFL or LFG, and to crypto trading firms. While the final use of funds within the exchanges/crypto trading firms is unclear without direct access to the exchanges’ user data, we identified potential leads for further investigation.

Through this investigation, we have identified the following important wallets of interest:

  1. “Wallet A”: 0x8d47f08ebc5554504742f547eb721a43d4947d0a
  2. “Wallet A(T)”: terra1yl8l5dzz4jhnzzh6jxq6pdezd2z4qgmgrdt82k
  3. Binance user account Memo: 104721486 (terra1ncjg4a59x2pgvqy9qjyqprlj8lrwshm0wleht5)
  4. Binance user account Memo: 100055002
    (terra1ncjg4a59x2pgvqy9qjyqprlj8lrwshm0wleht5)
  5. “Depositors”: terra13s4gwzxv6dycfctvddfuy6r3zm7d6zklynzzj5 (OKX hot wallet), terra1t0an4m6t47rp3mj57rdfzw6dpd3lw8erxjppgw
  6. “Interchange Wallet A”: 0xa046a8660e66d178ee07ec97c585eeb6aa18c26c
  7. “Exchange Wallet A”: 0x21ec2dbb3bfd2210a84bbc924466a70becddd572

We will examine the actions taken by these wallets until the day of the Terra-Luna implosion, as well as the connection between these addresses, and their linkage to TFL/LFG-controlled wallets, based on on-chain data.

Part I: Uncovering the mysterious “Wallet A”

From 2022–05–07 to 2022–05–09, a sequence of events involving Curve pools maintaining UST’s peg to other stablecoins triggered the de-pegging of UST. Below two transactions in particular, are widely viewed as the first two critical transactions that triggered the de-pegging of UST:

  • At 2022–05–07 21:44 UTC, a wallet associated with TFL removed approximately 150m of UST liquidity from Curve pool.
  • At 2022–05–07 21:57 UTC, wallet:0x8d47f0 (“Wallet A”) swapped approximately 85m of UST for USD Coin (USDC) in this Curve pool, and subsequently transferred this USDC to a Coinbase user wallet:0xc2531a (see Figure 1).
Figure 1: 85m USDC goes to Coinbase user wallet (Source: Uppsala Crypto Analysis Transaction Visualization (CATV) tool)

With all the swapped USDC transferred into Coinbase, it becomes challenging to uncover further information about Wallet A and their subsequent activities without retrieving user information from Coinbase directly.

Thus, we traced Wallet A’s source of funds, and observed that Wallet A on Ethereum mainnet received all of its funds from the Terra mainnet via the Wormhole. The related wallet on the Terra mainnet side was identified as: “terra1yl” (“Wallet A(T)”).

Looking at the transaction history, we observed that Wallet A(T) has been depositing UST into a specific Binance user account linked to a specific destination Memo: 104721486 (Memo is a unique identifier used by Cosmos-based mainnets, such as Terra. Exchanges like Binance assign Memo to each user account to identify and deposit tokens to the specific user account).

Memo: 104721486 started receiving UST on 2022–01–05, and through 36 incoming transactions had received a total amount of 123,597,800 UST from a handful of depositors until 2022–05–25. Below are some key observations (see Table 1):

  • Wallet A(T), or “terra1yl”, has been the biggest depositor of UST into Memo: 104721486 having deposited a total amount of 118,301,352 UST, making up the vast majority of the total UST received by Memo 104721486 (as highlighted in Table 1).
  • Wallet A(T) deposited a total amount of 108,251,326 UST into Memo: 104721486 on 2022–05–07 alone, the day when the de-pegging of UST began. Total of 10 incoming transactions were made into Memo: 104721486 leading up to 2022–05–07 21:44 UTC, when TFL first removed 150m of UST liquidity from Curve pool, which raises the possibility that Wallet A(T) and Memo: 104721486 may have been aware of the upcoming UST liquidity removal.
  • There are three unique senders: “terra13s”,” terra1fr” and “terra1t0” who first initiated UST deposits into Memo: 104721486 and sent small amounts of UST on 2022–01–05, all on the same day. These small deposits appear to be test deposits; a typical behavior that is often performed by users to test a new exchange account that is being used for the first time.
  • The same Memo number, the same token (UST), the same day (2022–01–05) timing of the deposits, and the similar behavior of test deposits observed within a close <1-hour window indicate that the three unique senders may be a highly connected person to the owner of Memo: 104721486.

Table 1: UST Transactions History of Binance Deposit Wallet Memo: “104721486”

  • “terra13s,” which made the first ever UST deposit to Memo: 104721486, is a hot wallet of the OKX exchange. Public Tweet show LUNC DAO as one of the users of “terra13s” (see Figure 2), but exchange’s help is needed to identify the actual user behind each transactions made out of “terra13s” (OKX hot wallet).
Figure 2: LUNC DAO Tweet from 2022–06–03 (Source Link : https://twitter.com/LUNCDAO/status/1532509258318848000)
  • Taking a deeper look into “terra13s” (OKX hot wallet) and its historical flow of funds, it can be observed that it had sent 19.08m LUNA to another wallet: “terra17p” (see Figure 3).
Figure 3: “terra13s”(OKX hot wallet) transfers 19.08m LUNA to “terra17p” (Source: Bitquery)
  • “terra17p” on the other hand, had transacted 100m LUNA in total with “terra1gr” (see Figure 4), which as per Terra’s Tweet is identified as LFG’s wallet (see Figures 5); thus creating a connecting link between “terra13s” (OKX hot wallet), “terra17p” and “terra1gr” (LFG’s wallet).
Figure 4: “terra17p” transfers 100m LUNA to “terra1gr” (LFG’s wallet) (Source: Bitquery)
Figure 5: Terra’s official Tweet revealing “terra1gr” as LFG’s wallet (Source Link : https://twitter.com/terra_money/status/1529451642931752961?lang=en)

Further deep dives into the activities of the depositors of Memo: 104721486 revealed another Binance user account Memo of interest, Memo: 100055002. Memo: 100055002 started receiving UST from 2021–10–08, and through 226 incoming transactions had received a total amount of 2,665,579,215 UST until 2022–05–03. Following are the key observations (see Tables 2 & 3):

  • The first wallet that deposited funds into Memo 100055002 was “terra13s” (OKX hot wallet), the same wallet that first deposited funds into Memo: 104721486.
  • “terra1t0,” which was the third depositor of funds into Memo: 104721486, also appears in Memo: 100055002 as the second unique depositor.
  • “terra17p,” which transacted significant amounts of LUNA with both “terra13s” (OKX hot wallet) and “terra1gr” (LFG’s wallet) (as seen in Figures 3 & 4), appear as a significant depositor of UST into Memo: 100055002 (as highlighted in Table 2).

Table 2: UST Transactions History of Binance Deposit Wallet Memo: 100055002

  • Similar to the behavior that was observed in Memo: 104721486, what appears to be a test transfer amount (in this case 10 UST) is sent first by both “terra13s” (OKX hot wallet) and “terra1t0” prior to larger sums being transferred thereafter (see Table 3).
  • Similar to the initial transactions observed in Memo: 104721486, transfers initiated by “terra13s” (OKX hot wallet) and “terra1t0” into Memo: 100055002 both occur on the same day (in this case 2021–10–08), within <1-hour window (see Table 3).

Table 3: Behavior analysis between Binance user account Memo: 104721486 and 100055002

First five transactions of Memo : 104721486 (Wallet A’s main deposit wallet on Binance)

First four transactions of Memo : 100055002

UPDATE (July 4): After the initial publication of “Part 1: Luna and UST collapse: Debunking the LUNAtic conspiracy,” there were community claims stating that “terra13s” belongs to the KuCoin exchange. KuCoin confirmed that “terra13s” is not their hot wallet address.

More recent leads from the community stated that “terra13s” is a hot wallet of OKX exchange, and we were able to confirm that this is the case. Thanks to this additional information, the community and investigating authorities now have more leads for further investigation. Such community involvement is exactly the ethos behind Sentinel Protocol, our crowdsourced Threat Intelligence Platform powered by AI/ML and blockchain technology.

Nothing changes about the on-chain data that show the flow of funds and the deposit patterns that involves “terra13s” (OKX hot wallet) and other addresses that have linkages to TFL or LFG.

We thank the community and KuCoin exchange for their contributions thus far. To get to the actual truth, we need continued assistance from the community and more exchanges. Only through such collaboration can we all make better sense of what has happened and prevent similar incidents from reoccurring in the future.

Conclusion

We addressed the following:

  1. Binance user account Memo: 104721486 and Memo: 100055002, received significant amounts of UST (123,597,800 UST and 2,665,579,215 UST in total respectively) until May 2022.
  2. “terra13s” (OKX hot wallet) and “terra1t0” appear as the first and early depositors of both Memo: 104721486 and Memo: 100055002.
  3. “terra13s” (OKX hot wallet) transacted significant amounts of LUNA with “terra17p,” who in turn transacted significant amounts of LUNA with “terra1gr” (LFG’s wallet).
  4. “terra17p” deposited significant amounts of UST into Memo: 100055002 directly, acting as a link between “terra1gr” (LFG’s wallet) and Memo: 100055002.
  5. Wallet A(T) deposited 108,251,326 UST into Memo: 104721486 on 2022–05–07 from 04:57 UTC to 21:40 UTC, just minutes before TFL removed 150m of UST liquidity from Curve pool.

We further summarize our findings in Figure 6 below. These observations demonstrate a close linkage between the mentioned accounts, including Wallet A (“the main Terra-Luna culprit”) and LFG’s wallet, raising a possibility that some or all of these accounts may be directly or indirectly controlled by the same or related entities, such as TFL or LFG.

Figure 6: Overview of Wallet A and TFL/LFG-linked wallets’ activity on Terra mainnet (Source: Uppsala Security Crypto Incident Response Center (CIRC))

About Uppsala Security

Uppsala Security built Sentinel Protocol, the first crowdsourced Threat Intelligence Platform powered by artificial intelligence, blockchain technology, and machine learning. Supporting the framework is a team of experienced cyber security professionals who have developed an award-winning suite of advanced tools and services for Crypto AML/CFT, Transaction Risk Management (KYC/KYT), Transaction Tracking, Regulatory Compliance, and Cybersecurity enabling organizations of every type and size to protect their crypto assets from malicious attacks and scams while meeting stringent regulatory compliance standards. Today Uppsala Security has over two thousand (2K+) users including government agencies, financial institutions and leading enterprises providing crypto exchanges, payment services, wallets, custodial services, gaming, and FinTech solutions.

Uppsala Security is headquartered in Singapore, and has branch offices in Seoul, South Korea and Tokyo, Japan. You can follow Uppsala Security on Telegram,LinkedIn, Twitter, Facebook and Medium.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sentinel Protocol Team

Sentinel Protocol Team

Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud