search

safe-global / safe-user-allocation-reports

The proposed list of SAFE user allocations has been published on the Safe forum.
Creative Commons Zero v1.0 Universal
34 stars 10 forks source link

Sybil Attacker Report #360

Closed deshawelafi closed 2 years ago

deshawelafi commented 2 years ago

Related Safe Addresses

0xd97accbd8cffd6bf612e3ed8cbf776393bd26306
0xd85865bb2ba970bdfe158bad8997906c1b14e50e
0xf45e90feeeeb615f7c172ef29ed43d09b4672055
0x839c4a98de3bff0e38018b8c6f1530fb8824ada6
0xd9d1416f342be61b9bf12749d8081c8554dbc04b
0x490bcf3a1a08a0ceb20cce20d717d722aafdc8a7
0x574efad5f3187e5c5d2bfd1f3fc00521108495b2
0x9dc8a5ab2ea94a870efe9b9e1a909ef19b6f7a08
0x5d853d19ecf48a85e64acdcd69eaf7999a8e1986
0xbdd00fad0f078f2994cf9944905ccba8f5fbc6cf

Reasoning

from create_safe_address safe_address transfer_ETH_Tx
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0xe6ba3ad4ecb76562c5c9161c42edf59d6037f7d9 0xd97accbd8cffd6bf612e3ed8cbf776393bd26306 0x6bd265f626da94ece55f89351e721cc1f3a8d8416d7843845562fa51b36ec455
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0x34b6dd6cd60e979d5065cfe46677a83266aff30f 0xd85865bb2ba970bdfe158bad8997906c1b14e50e 0xcf56ef1e5ed50f2ce5f1231bbe62abb1bd9cfa9689b5197f639b042a3f8a3b5f
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0x9bcae9bcf8e2946ca80b37cb01a895b7025e2d8c 0xf45e90feeeeb615f7c172ef29ed43d09b4672055 0x57f1ab7cc1e9afacecbe009b0596a01a501956fc07ccf39dbdab2737ff05063b
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0xa4495fddbd88193a84a25339bd896548209e492a 0x839c4a98de3bff0e38018b8c6f1530fb8824ada6 0x4e9a6c6efa4cf1362e80ff2d33f13fedc2ad13d81cd6aa421e11d88db2435da2
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0x97c0776dedfb9b10367232a1046d856d919a20c1 0xd9d1416f342be61b9bf12749d8081c8554dbc04b 0xc13e72349d475f6f7a26e8fb99200409ca11e0d4a5e311584c3bdd1d6f48873a
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0xc9c907939bdbd0351b79b167b1da2b3138310873 0x490bcf3a1a08a0ceb20cce20d717d722aafdc8a7 0x31a5997c6764fcc0f566ecfe4436f648418676cf22fafc7536625bcfd5e62e3b
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0xe514c34c255e83f58b03bba8682d12901bd6f60e 0x574efad5f3187e5c5d2bfd1f3fc00521108495b2 0x5af5d0264845bc4c16cb6ac432759159ea62f0e061ab89e5adcefae250c3fbcc
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0x18a78e851021bddca095663d0c7d1f687cb61aaf 0x9dc8a5ab2ea94a870efe9b9e1a909ef19b6f7a08 0xf6318f740dfe1ebebfdb321579c91eb61462e33a424eac685617d4f6bd2381a0
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0xf28fae87452ecbbc98177f49f56edfc59db3dfed 0x5d853d19ecf48a85e64acdcd69eaf7999a8e1986 0x0cdc250c47e71057ebe4c1eb662169048251eed440856e389781458993a12dab
0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 0x182024717793522e5386a8c42228831fe5f0e4ca 0xbdd00fad0f078f2994cf9944905ccba8f5fbc6cf 0x480b7e75aaf4b23433830d571c648157164a8aab7a89ee15a9c74e9897e06fed

  1. This is a data table about 0x2f33fac40ad14baa667cd0ddc76d424c185a3bc2 sending ETH to 10 addresses and created safe.

  2. Most transfers are 0.9/1.7/2ETH and occur within 15 minutes (Dec-26-2020 05:26:05 AM +UTC) -(Dec-26-2020 05:41:56 AM +UTC)

  3. The 10 latest transactions for these 10 addresses invoke a large number of the same smart contracts at similar times : Proof Of Stake Pages / Socket: Registry / StarkNet: StarkGate ETH Bridge / 0x: Exchange Proxy / Index Coop: icETH Token / '0xeb61393503691c6E20EAfD82655B7a94450C3124 '/'0x0e3EB2eAB0e524b69C79E24910f4318dB46bAa9c' (The last two contracts very few addresses have called the method.)

  4. The NFTs on these addresses are almost identical, including 11-12 ERC-721 Tokens,2-3 ERC-1155 Tokens

5.These addresses have an ETH balance between 0.002 and 0.007 and hold the same ERC-20Token

6.Most of the safes were created on May 7, 2022 and May 8, 2022, and there were only 2 transactions

Methodology

In the first step, I used the code to get the address where the safe was created. In the second step, I find out what address the ETH of the address where the safe was created originated from. In the third step, I counted the events of an address distributing ETH from different sub-addresses.

import requests
import json
api = 'https://api.etherscan.io/api?module=account&action=txlist&address=%s&startblock=0&endblock=99999999&page=1&sort=desc&apikey=YOUR API KEY' % list1[i]
                    r = requests.get(api)
                    if r.json()['status'] == "1":
                        index_item = r.json()['result'][-1]
                        addr = addr+str(i)+'|' + index_item['from']+'|' + index_item['to']+'|' + index_item['hash']+','

                    else:
                        print(r.json())
                    i = i+1

In the fourth part, I analyzed the events distributed exceptionally in the third step to determine if it was a Sybil Attacker

Safe Address

0x4B605c1ac2Fd74b5d6B619940B6fF9fe1C4ca83a

tschubotz commented 2 years ago

Thanks for the report. We have found the following addresses to be related to airdrop farming:

0xd97accbd8cffd6bf612e3ed8cbf776393bd26306
0xd85865bb2ba970bdfe158bad8997906c1b14e50e
0xf45e90feeeeb615f7c172ef29ed43d09b4672055
0x839c4a98de3bff0e38018b8c6f1530fb8824ada6
0xd9d1416f342be61b9bf12749d8081c8554dbc04b
0x490bcf3a1a08a0ceb20cce20d717d722aafdc8a7
0x574efad5f3187e5c5d2bfd1f3fc00521108495b2
0x9dc8a5ab2ea94a870efe9b9e1a909ef19b6f7a08
0x5d853d19ecf48a85e64acdcd69eaf7999a8e1986
0xbdd00fad0f078f2994cf9944905ccba8f5fbc6cf
sledp commented 2 years ago

Friendly reminder: You seem to have forgotten to update csv through the addresses in the report.@tschubotz