A little investigation into the Ethereum network attack of August 2018

Total gas price has been pumped up. Source:https://ethgasstation.info/

First steps: untangling the web

A visualization of just a chunk of addresses involved in spamming of the Ethereum network, which I prepared with pygraphistry. See the text.
Zoomed-in blob around the smart contract Oxdd9f… . Every individual point is a unique address calling the smart contract.

In what follows, I’m considering the top contract by gas use and the data between ‘2018–08–06 13:21:20’ and ‘2018–08–07 13:56:12’ UTC (that is, between blocks 6098849 and 6104856, which covers about 20k contract calls of 0xdd9f…). The number of unique addresses calling this contract is 18841, which amounts to over 90% of addresses. The maximum number of times a unique address calls that contract is 5. The value in nearly all TXs is 0.02ETH. The incredibly high number of one-time calls (>17k) within 24h is what makes it highly coordinated and automatic, hence we are likely talking about bots here.

  • The 0xdd9f.. contract has been created by an EOA address 0xEAe69cADEB04E66767bD69f52e0fFFc28E37d799 with little over 2 ETH on it about 2 days ago. It is likely a new wallet, as its first transaction started right before the contract creation, and got transfered 3 ETH from EOA 0x8cC33572319f541039BC0Bf3146545e3B66B8bbF. The latter address is a bit older and was also “started” (topped up the first time) with another transaction of 3ETH about 18 days ago, so this seems to be a pattern. That address also gets incoming big and regular chunks of ETH (1000, 3000) and spreads them out in smaller chunks (green cloud).
  • The 0x8cc… address has been charged first by 0x6f20849520ddd9D804098d80eFA286E39B0d2608 and this is an interesting one (violet cloud). It has lots of incoming transactions that are irregular in amount but very regular in time. It started 52 days ago by a flux of ETH, anywhere between 1–100ETH in a few TX per hour from distinct addresses. The money has been flowing in pretty much non-stop until 48 days ago.
  • After a month of a break, address 0x6f2… sent out very round numbers to (7*3000ETH, 1000ETH, 2000ETH) to the 0x8cC33572319f541039BC0Bf3146545e3B66B8bbF mentioned above over 10 days, 2 weeks ago.
  • One of the smaller chunks of the EOA 0x8cC…. leads to 0x5251AAA6f9a56A9Ed22cC33A255b861Ff50FB527 (the link to the salmon-orange cloud). This wallet has 2 Txs only, both from the last 24h: incoming of 100 ETH, outgoing of 99.99298 ETH. Clearly, it is an intermediate wallet and meant for just a step in the gig. The destination of the outgoing money, 0x60d0cC2aE15859f69bF74DADb8AE3Bd58434976b, has a balance of almost 14000ETH and within the time of writing this paragraph it dropped to 11.5 thousand, as it is actively shuffling money around (salmon cloud). However, it is this address that gives us a lead about the attacker.
etherscan.io

But before we get there, let’s have a look at the additional addresses involved in the network and their statistics.

https://bloxy.info/address_stat/0x60d0cc2ae15859f69bf74dadb8ae3bd58434976b

We can trace it back to a multisignature wallet used to deposit funds throuh this channel about 105 times. The wallet itself is interesting as well, as it has a very long list of addresses transfering funds to it.

… and the list goes on. Source: https://bloxy.info/address_stat/0x60d0cc2ae15859f69bf74dadb8ae3bd58434976b
Just a tiny piece of the puzzle. Graph for 0x242aa8c63aab36df59ce19aaccd020fe4114c349 generated with https://bloxy.info/graphs/0x242aa8c63aab36df59ce19aaccd020fe4114c349

Dissecting the smart contract

This gives us merely a feeling of how complicated untangling the web is going to be. As the next step, Dr. Sebastian Bürgel extracted a number of hard-coded addresses from the most active smart contract’s bytecode [1][2][3][4][5][6][7], which lead us to what appears to be a “master contract”, executed by EOA 0x47169f78750be1e6ec2deb2974458ac4f8751714.

0x5d5769237c6abb34de80a4a26f953612e2efc4d7

Its structure is nearly identical to the one in the Fomo3D exploit described here in their Figure 4: 3 transfers between smart contracts, trifurcation of funds, smart contract creation and self-destruction. Self-destruction was a key in that exploit, as it allowed to bypass a certain check ran by the code and, long story short, collect rewards from the game.

A tenuous lead on the exploiter

Last but not least, I researched whether one of the spam-related addresses pops up on google in any other context. I came accross 0x60d0cC2aE15859f69bF74DADb8AE3Bd58434976b in a reddit post How can I find out what the balance of an address was on a specific date?

Could be a coincidence and this address could have been used randomly as an example (though this address is in no way special and there are only 5 pages of hits about it web-wide, all of them pointing to block explorers). The user engaged in many other discussions on reddit, including one from 2 weeks ago about “What is the current ETH transaction per seconds”, which demonstrates the user’s understanding and interest in the network capacity. The choice of an example of spreading funds over 100 addresses is also odd.

Could this be a copy-paste of their own address from the command line? Let Jim McDonald speak for themselves (a medium user whom I linked to this reddit account). EDIT: Jim responded to this article, saying “Sorry, not me”.

Conclusions

Seems that the network overload is the result of a contract exploit similar to the Fomo3D smart contract loophole, by which a user could increase the odds of winning and collect airdrop rewards. The bot-style function calls have the same names (e.g. withdraw(), buyXid() etc.) but we couldn’t verify on etherscan that the smart contract has the exact same source code as Fomo3D.

The implications of this incident for the Ethereum network are clear — occupying the network and increasing the gas price by at times a factor of 100 discourages people from using it.

The number of transactions on Ethereum network has been going down. Source: etherscan.io

Besides, it is a pretty sophisticated example of obfuscation mastery, which we certainly can expect to happen more frequently as users become more proficient in exploiting code vulnerabilities on the Ethereum network.

We’ll continue with the more comprehensive analysis in the next post.

— — —

Validity Labs will evaluate risks based on historic data analysis and investigate information about the fraudulent or suspicious entities. analytics@validitylabs.org