safe-global / safe-user-allocation-reports

The proposed list of SAFE user allocations has been published on the Safe forum.
Creative Commons Zero v1.0 Universal

Airdrop Hunter Suspicion Report #317

Closed deshawelafi closed 2 years ago

deshawelafi commented 2 years ago

Related Safe Addresses

GROUP1

0x010c34da4df35ed456d1210090222f18167381e3  
0x048483ab1f2915671ff40558ade54bef33df407d 
0x083dff1952e256d6fade121358bea5b293ca9d25  
0x0763f9e49275ace90464e28185c678b4ca20f071

0x0423a75e184a91f330866fc2caddce5b07dc6290
0x0226cfa832e140548f321bbf55addbe0b118edfe 
0x04c305e8ef8d02675b5a94d8ce40097c9b9839a7
0x0804e26fa8301fb53a117b76fea2468d7beb4c0c  
0x07cc69589e3a6eb02ce1a81cf9c7fccef1c8a647
0x0ba2f6906dbe176c00edf4f16c70e48e4d056609 
0x0a2dcbb512ee83c57613b8b845063093d69952cf  

GROUP2

0x005699ff2f1853b7ff9bbba51298e55b583b5ac0
0x00e10186bf1e23e65d58ccd4393e517279068de1
0x03882a98090de9f6337a149f62d1627eb8321bd8
0x04e35228541d895cdd6383e9ce3bd2f5dc2b028d
0x0ac7d3f641ff2d6fb5445c2d268ec16be3e1851a
0x0a4f9b36dec170275c1d33d13607b156b11bddad

Reasoning

GROUP1:

  1. all created by 0x7421ee752e6da4f74ce5fa7f2887a4c995f13613
  2. all transactions paid for gas via 0x7421ee752e6da4f74ce5fa7f2887a4c995f13613
  3. The 11 addresses are divided into two behaviors: the first 4 accounts contain only small amounts of COMP and cUSDC (mostly worth less than $1). The second 7 accounts have no token and only 1-3 transactions, all of which are Removed and add Owner. Since there are no other transactions, it can be considered a meaningless act of an airdrop hunter.

     0x010c34da4df35ed456d1210090222f18167381e3  0.007 COMP, 0.059 cUSDC
     0x048483ab1f2915671ff40558ade54bef33df407d  0.05 COMP, 874 cUSDC ($19)
     0x083dff1952e256d6fade121358bea5b293ca9d25  0.084 COMP, 2.2 USDC
     0x0763f9e49275ace90464e28185c678b4ca20f071  0.0072 COMP, 0.36 cUSDC
     0x0423a75e184a91f330866fc2caddce5b07dc6290  0 token, Removed and add Owner
     0x0226cfa832e140548f321bbf55addbe0b118edfe  0 token, Removed and add Owner
     0x04c305e8ef8d02675b5a94d8ce40097c9b9839a7  0 token, Removed and add Owner
     0x0804e26fa8301fb53a117b76fea2468d7beb4c0c  0 token, Removed and add Owner
     0x07cc69589e3a6eb02ce1a81cf9c7fccef1c8a647  0 token, Removed and add Owner
     0x0ba2f6906dbe176c00edf4f16c70e48e4d056609  0 token, Removed and add Owner
     0x0a2dcbb512ee83c57613b8b845063093d69952cf  0 token, Removed and add Owner

GROUP2:

  1. all created by 0xb211d379aac002e7b575a95496dd390719a60352
  2. all transactions paid for gas via 0xb211d379aac002e7b575a95496dd390719a60352
  3. All addresses within one hour (Aug-16-2022 06:00:17 PM +UTC) - (Aug-16-2022 07:00:53 PM +UTC) have made three transactions with the same behavior:
     3.1. approve and burn NFT
     3.2. GET Icosa (ICSA) [ERC-20]
     3.3. Stake ICSA

Methodology

I analyzed the contract call wallet for the first transaction of all the Safes using Python via api.etherscan.io. Note: list1 holds the addresses to get the airdrop.

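import requests

API_KEY = ''  # Etherscan API key (left blank in the original post)
list1 = []    # addresses to get the airdrop, one per entry
name = ''     # label used in the output file name (not defined in the post)
alladdr = set()
i = 0

for item in list1:
    item = str(item).replace('\n', '')
    print(item, i)

    # sort=desc returns newest first, so the last entry is the oldest transaction on the page
    api = 'https://api.etherscan.io/api?module=account&action=txlist&address=%s&startblock=0&endblock=99999999&page=1&sort=desc&apikey=%s' % (item, API_KEY)
    r = requests.get(api, timeout=30)
    data = r.json()
    if data['status'] == "1":
        index_item = data['result'][-1]
        # sender, recipient and hash of that transaction
        addr = index_item['from'] + ',' + index_item['to'] + ',' + index_item['hash']
        print(addr)
        alladdr.add(addr)
    else:
        print(data)
    i = i + 1
    # checkpoint the collected results every 10 addresses
    if (i % 10) == 0:
        with open('docs/create_list' + str(name) + '--.txt', 'w', encoding='utf8') as fw:
            fw.write(str(alladdr))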

Safe Address

0x4B605c1ac2Fd74b5d6B619940B6fF9fe1C4ca83a

tschubotz commented 2 years ago

> Safe Address
>
> 0x8A53e15783D003F93ED1dD376EA157b8E304d35A

That's not an address of a Safe. Please provide an address of a Gnosis Safe.

MisakaCenter commented 2 years ago

More detailed & earlier investigation into GROUP1, please see #18

deshawelafi commented 2 years ago

> > Safe Address
> >
> > 0x8A53e15783D003F93ED1dD376EA157b8E304d35A
>
> That's not an address of a Safe. Please provide an address of a Gnosis Safe.

Sorry, it was my mistake.

The current address is a Safe address: 0x4B605c1ac2Fd74b5d6B619940B6fF9fe1C4ca83a.

tschubotz commented 2 years ago

Thanks, we found the following Safes:


> Reasoning GROUP1:
>
> 1. all created by 0x7421ee752e6da4f74ce5fa7f2887a4c995f13613
> 2. all transactions paid for gas via 0x7421ee752e6da4f74ce5fa7f2887a4c995f13613
> 3. The 11 addresses are divided into two behaviors: the first 4 accounts contain only small amounts of COMP and cUSDC (mostly worth less than $1). The second 7 accounts have no token and only 1-3 transactions, all of which are Removed and add Owner. Since there are no other transactions, it can be considered a meaningless act of an airdrop hunter.

Your list also contains accounts that did more, e.g. https://gnosis-safe.io/app/eth:0x048483ab1f2915671ff40558ade54bef33df407d/transactions/history.

It's unclear how you can be sure this is not legit usage. 0x7421ee752e6da4f74ce5fa7f2887a4c995f13613 is a relayer, so that doesn't provide anything.

Regarding group 2, thanks for the report, we've found the following addresses to be related to airdrop farming:

0x005699ff2f1853b7ff9bbba51298e55b583b5ac0
0x00e10186bf1e23e65d58ccd4393e517279068de1
0x03882a98090de9f6337a149f62d1627eb8321bd8
0x04e35228541d895cdd6383e9ce3bd2f5dc2b028d
0x0ac7d3f641ff2d6fb5445c2d268ec16be3e1851a
0x0a4f9b36dec170275c1d33d13607b156b11bddad

Moved from #411 which seems to be a copycat.
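
Added example (not part of the thread and not Safe's own tooling): the check the exchange above turns on, in Python. Safes are clustered by the sender of their first transaction, clusters whose sender is a known relayer are dropped, and a cluster is flagged only when every Safe repeats one identical action sequence inside a one-hour window. The transaction records, Safe labels, action names and the funder address are constructed for illustration; only the relayer address comes from this page.

```python
from collections import defaultdict

# Stated on this page to be a relayer, so shared gas payment through it proves nothing.
KNOWN_RELAYERS = {"0x7421ee752e6da4f74ce5fa7f2887a4c995f13613"}

def first_senders(txs):
    """Map each Safe to the sender of its earliest transaction."""
    first = {}
    for tx in sorted(txs, key=lambda t: t["ts"]):
        first.setdefault(tx["safe"], tx["from"].lower())
    return first

def suspicious_clusters(txs, window=3600, min_size=3):
    """Return {sender: [safes]} for clusters that share a non-relayer first
    sender AND repeat one identical action sequence inside `window` seconds."""
    by_safe = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t["ts"]):
        by_safe[tx["safe"]].append(tx)
    clusters = defaultdict(list)
    for safe, sender in first_senders(txs).items():
        if sender not in KNOWN_RELAYERS:
            clusters[sender].append(safe)
    flagged = {}
    for sender, safes in clusters.items():
        if len(safes) < min_size:
            continue
        sequences = {tuple(t["action"] for t in by_safe[s]) for s in safes}
        stamps = [t["ts"] for s in safes for t in by_safe[s]]
        if len(sequences) == 1 and max(stamps) - min(stamps) <= window:
            flagged[sender] = sorted(safes)
    return flagged

def sample_txs():
    """Constructed data: 3 Safes funded by one EOA doing the same 3 steps
    within an hour, and 3 unrelated Safes that only share the relayer."""
    txs = []
    for i, safe in enumerate(["safe-b1", "safe-b2", "safe-b3"]):
        for j, action in enumerate(["burn_nft", "get_token", "stake"]):
            txs.append({"safe": safe, "from": "0xfunder-constructed",
                        "ts": 1000 + i * 600 + j * 60, "action": action})
    relayer = next(iter(KNOWN_RELAYERS))
    for i, safe in enumerate(["safe-a1", "safe-a2", "safe-a3"]):
        txs.append({"safe": safe, "from": relayer,
                    "ts": 500 + i * 90000, "action": "swap_owner"})
    return txs
```

Calling `suspicious_clusters(sample_txs())` flags only the constructed funder's three Safes; the relayer-sponsored Safes are never grouped, however many share that sender.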

MisakaCenter commented 2 years ago

@tschubotz my report is far earlier than this one and this report is only a subset of my report, please check #18 again. And please check the edit time. This report added the detailed proof far later than mine.

deshawelafi commented 2 years ago

> @tschubotz my report is far earlier than this one and this report is only a subset of my report, please check #18 again. And please check the edit time. This report added the detailed proof far later than mine.

Hello Misaka

First, I have not confirmed that GROUP1 is related to airdrop farming. Second, 0x7421ee752e6da4f74ce5fa7f2887a4c995f13613 is a relayer.