forta-network / starter-kits

MIT License

FN Suspicious funding detector #658

Open Ivan1905 opened 3 weeks ago

Ivan1905 commented 3 weeks ago

Hi there,

Attaching a few examples.

Case 1: Attacker was: https://bscscan.com/txs?a=0xb6911DEE6a5b1c65Ad1aC11A99AeC09C2Cf83c0e which was funded by: https://bscscan.com/txs?a=0x06b8cc57c7156875385085d6a6bd59db87d9c72a&p=2 - which was funded by changenow. Suspicious Funding Detector did not fire.

Case 2: attacker was: https://bscscan.com/txs?a=0x6951EB8a4A1DAb360F2230Fb654551335d560ec0 which was funded by: https://bscscan.com/address/0xc35a04a5dce3d31649e97159f53247fb9e1c3bd7#internaltx which was funded by TC. Suspicious Funding Detector did not fire.

Case 3: Attacker was: https://etherscan.io/address/0xFcd4ACBc55DF53fBc4C9D275e3495B490635f113 which was funded by: https://etherscan.io/address/0xc9037673e12e9f240f1015f7e57611489dc4f5bc which was funded by tc. Suspicious Funding Detector did not fire.

Vxatz commented 3 weeks ago

The issue here was that the bot contains a max value threshold (the reasoning being that an attacker wouldn't need too much funds transferred in order to execute an attack), and in these cases it was exceeded.

The thresholds on each chain were the following:

{
  1: 0.07,
  10: 0.07,
  56: 0.5,
  137: 190,
  250: 400,
  42161: 0.07,
  43114: 4,
};

and after discussing with @salort-forta, we decided to 20x the ETH values (bringing them to around $5000) and then update the rest of the chains' thresholds to also be around $5000 at the time of the update.

{
  1: 1.4,
  10: 1.4,
  56: 9,
  137: 8300,
  250: 8000,
  42161: 1.4,
  43114: 160,
}

The updated bot has been deployed.
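To make the gate described in the comment above concrete, here is an added example (not the starter-kits bot's own code) that models the per-chain max value check with the old and updated tables; the alert id, the monitored-source table and all addresses are constructed placeholders, and the "strictly greater than" comparison is an assumption.

```javascript
// Added example, not the starter-kits bot's own code: a minimal model of the
// per-chain "max value threshold" gate discussed in this issue.
// Thresholds are in the chain's native token, keyed by chain id, copied from
// the tables in the comment above (old values, then the ~$5000 update).
const OLD_MAX_VALUE = { 1: 0.07, 10: 0.07, 56: 0.5, 137: 190, 250: 400, 42161: 0.07, 43114: 4 };
const NEW_MAX_VALUE = { 1: 1.4, 10: 1.4, 56: 9, 137: 8300, 250: 8000, 42161: 1.4, 43114: 160 };

// Constructed label table standing in for the bot's list of monitored funding
// sources (assumption). ChangeNOW is deliberately absent: per the thread the
// hops bot does not monitor it, so transfers from it never produce a finding.
const MONITORED_SOURCES = {
  "0x000000000000000000000000000000000000aaaa": "Tornado Cash", // constructed address
};

// Convert a wei amount (string or bigint, as found on a raw transaction) to a
// float in native units; precise enough for the magnitudes compared here.
function weiToNative(wei) {
  return Number(BigInt(wei)) / 1e18;
}

// Decide whether a native-token transfer should raise a suspicious-funding
// finding. tx = { chainId, from, to, valueWei }. Returns { finding, reason }
// so the caller can see which gate silenced a transfer that did not fire.
function evaluateFunding(tx, maxValue) {
  const threshold = maxValue[tx.chainId];
  if (threshold === undefined) return { finding: null, reason: "chain not supported" };
  const source = MONITORED_SOURCES[tx.from.toLowerCase()];
  if (!source) return { finding: null, reason: "funder not a monitored source" };
  const value = weiToNative(tx.valueWei);
  if (value <= 0) return { finding: null, reason: "no value transferred" };
  // Assumption: strictly greater than the threshold counts as "exceeded".
  if (value > threshold) return { finding: null, reason: "above max value threshold" };
  return {
    // alertId is a placeholder, not the bot's real alert id
    finding: { alertId: "SUSPICIOUS-FUNDING", chainId: tx.chainId, source, recipient: tx.to, value, threshold },
    reason: "ok",
  };
}

// Constructed transfer mirroring Case 3: exactly 1 ETH on mainnet from the
// monitored source above to a fresh account.
const CASE3 = {
  chainId: 1,
  from: "0x000000000000000000000000000000000000AAAA",
  to: "0x000000000000000000000000000000000000bbbb",
  valueWei: "1000000000000000000",
};
```

With the old table the 1 ETH transfer is silenced by the "above max value threshold" gate; with the updated table it produces a finding, while a transfer from an unmonitored source such as ChangeNOW is silenced regardless of amount.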

Ivan1905 commented 2 weeks ago

@Vxatz could you confirm that we did have the same issue here? Attacker: https://etherscan.io/address/0xfcd4acbc55df53fbc4c9d275e3495b490635f113 Funded by: https://etherscan.io/address/0xc9037673e12e9f240f1015f7e57611489dc4f5bc This last address was funded by TC.

Vxatz commented 2 weeks ago

@Ivan1905, yes it's the same issue. The account was funded with 1 ETH and our max value threshold was 0.07 ETH (it's now 1.4 ETH).

Ivan1905 commented 1 week ago

@Vxatz could you confirm we have the same case here? This attacker: https://bscscan.com/txs?a=0xb6911dee6a5b1c65ad1ac11a99aec09c2cf83c0e&p=3 was funded by: https://bscscan.com/address/0x06b8cc57c7156875385085d6a6bd59db87d9c72a which was funded by ChangeNow.

Vxatz commented 1 week ago

Hi @Ivan1905, this case is different, we didn't get an alert for the funding tx of the attacker because we don't monitor ChangeNOW in the hops bot (I think the decision was made because ChangeNOW is frequently used as a legit funding source).

Ivan1905 commented 1 week ago

Hi @Vxatz this seems to be the same case, right?

https://bscscan.com/tx/0xefe58a14fc0022872262678b358aaae64a26fe2389d09093eb14752ea99415e9

Attacker seems to be funded by another address which was funded by Changenow.

Vxatz commented 1 week ago

That's right.