search

safe-global / safe-user-allocation-reports

The proposed list of SAFE user allocations has been published on the Safe forum.
Creative Commons Zero v1.0 Universal
35 stars 10 forks source link

The same person created 32 addresses, and has a complete money flow trend #186

Closed STephcuYY closed 2 years ago

STephcuYY commented 2 years ago

Related Safe Addresses

0x1CE0464eA8475F9572aBA9DC1DDDe443A5e67FEF 0x98F4F575e25099Eb5fC497bE1085937D6448bae2 0x194C37dA00e5e15e32bAe63CBf8A933A1bB5BE74 0xa735bA9D295Cf69f886212D4090Fec8449dC63C4 0xda4da91e7addb6E3f0BC92a14eEbEa2be7A130A0 0xCB6AD9b39664cAC5eb03a7abDc80dBB66D261F9d 0x1B794d0F807DAe8a0074026a7A4967b3DA41C0D8 0x9c5478239bFCfCF4C68C490c4c8ea1472e9e86D5 0x7A159cE62D0298a4692ceaee2105DC3DdfDD71f2 0x00b3f05385b95271304228DF9A8B01Bdd1931970 0xa24dB79df4260DCC29e0e65Daf811D676B54b1D1 0xdEdb464bC423102EF900697a8115827B4445C4ba 0x87aF50A984c3B0a0fD264E9a74f13A6bBddDf322 0xD2F318A8a6146c2e25c00D74cF6c68cf97aCf979 0x126ba0Af3edD2CBeD6DC6b762d5D74F680e35501 0xa01b7C53a5D4BEcFDFA82406D86049a37F5A39b4 0x059e2bce4469f1F2Ef7B19e21C03B0107B031C5e 0x48DBb50B885AB0039D5C2347e763E7F989Cd3d53 0x820cb22C8a11e4FEcbD02160eded836E906B05a7 0x1603Ca7d554bB4D242Af5129aaf481c9d8D89E78 0x147de5c4c6b512923b891918dd277d5f518d0f79 0xe34bbc8f17eef9f06e4b27c6fdd89ff8f2aa40e3 0xA78B7680647bd2Ed8d71f627135aaD8C01e0325d 0x12aced1ebeaf2cded558c2a5577ba4e64ae29b9a 0xCE3a369E5E6a5791621E08bd6611a315A93493bE 0x40fFD6a338F6af4dd11F26CE4db80c631fC31E15 0x6399231F161fCd3FA2e568AA2F5A2fF54a188A65 0xE241A76215bA680419DFB201144B3d9134aa96BE 0xC90957f6f596541DA11e9C519fAF070B9035724A 0x44f2E32896c584cBE59646Fed639dc28EB8152df 0x094140D0db405eaf22606dd4F963A90D1cB40240 0x103dcFEfF9a63862475c4c0eb14cbcA33921AF05

Reasoning

all the 32 addresses created by 0xc01c1eb06C3C45917D994aCc91B0a984e1E1C4A4 he created every safe address and used it limited times.

For example: https://etherscan.io/address/0x1ce0464ea8475f9572aba9dc1ddde443a5e67fef He created it and just used only once and never used it anymore.

1

He repeated this behavior 33 times from 2021.5.27 to 2021.8.23

2

Moreover, his money flow is so clear

He got 2.91 eth from Binance 14 https://etherscan.io/tx/0xfc706f06ee3c950a261b0a77b789ee1ec2e9caadfbe5f4dbd7d4defb1fe052c5 3

At 2021.10.21 18:06, he gathered the remaining funds and send 2.05 eth to 0xe869d6d5b37F4F3ddcF5816E3947e150b6d76C72 https://etherscan.io/tx/0x78ee6686c022f35f7bb4a8729d18aa587b364d8eb873cdfbe068ee4147e18525 4

then withdrawed 2.05eth to HitBTC 3 https://etherscan.io/address/0xe869d6d5b37f4f3ddcf5816e3947e150b6d76c72 5

This is a clear case of airdrop farmer. Withdrawing funds from BN, after three months of interaction, each safe address has only limited interaction. The funds are deposited for two months until 2021.10 and then the remaining funds are withdrawn to HitBTC. This is not any deployer and is a completely private airdrop farm behavior.

Methodology

Firstly with target as ( select from url('httpsraw.githubusercontent.comsafe-globalsafe-user-allocation-reportsmainsafe_user_allocations_reworked.csv', CSVWithNames) ), transactions as ( select t1. from ethereum.transactions t1 join target t2 on t1.to_address = t2.safe_address )

select distinct to_address from transactions where from_address = lower('0xc01c1eb06c3c45917d994acc91b0a984e1e1c4a4')

Then I found the address was so scared that I decide to check out his specific behavior. Through some basic behavioral analysis, I determined that he was an airdrop farmer.

Safe Address

0xA61B43b55193670579d959c94a6b0303Ecd12201

tschubotz commented 2 years ago

Reasoning

all the 32 addresses created by 0xc01c1eb06C3C45917D994aCc91B0a984e1E1C4A4 he created every safe address and used it limited times.

This is super vague. What does "limited times" mean. I checked the Safes. they all make some USDT trasnfers - how does this relate to the airdrop farming.

Please elaborate. This report is no meeting the quality standards.

lukasschor commented 2 years ago

We haven't received any further information on this ticket and therefore deemed this submission invalid.

Unfortunately just the pure fact that Safes...

... is not enough reasoning for a valid submission, as there are legit user behaviour leading to such as well (relayer, scripts, power users, exchanges)

This submission didn't provide sufficient indicators to convince the team that there is some targeted airdrop farming behind the provided addresses. As per the rules, when in doubt we will default in favor of the airdrop recipients in order to not risk any false positives when sorting out airdrop hunters.