safe-global / safe-user-allocation-reports

The proposed list of SAFE user allocations has been published on the Safe forum.
Creative Commons Zero v1.0 Universal
34 stars 10 forks source link

Sybil Attacker Report #409

Closed Parkcora closed 2 years ago

Parkcora commented 2 years ago

15 Related Safe Addresses:

0xe08f9e738ddFC58DDC669E7400B817b099Ac2592
0xcC91634e10345125E0234EF88cf422381D9E7483
0x91598E8b03332339DB7FcD0CfAedB41F0c77131e
0xb51C321b30a173Fd160Ddc21DEa46f91a75E24a4
0x65A6fb41eD0F7806ADD5969984Ca77F7B5a0E4e7
0xF917b392d20f186A11fDB7a660BdE64B426D6776
0x7dD72870863c6Bb12534334A14d15B5Ef5801421
0xBB8a6547F79790d3f7a5A7A0f7e73C7aa04A7d90
0x1cD291E75bd43F27A6e81Ea0B0C4862ed41406D6
0x4d83B3728850FDaEFe65360ae1B99665186a5866
0x284aC2a249A6ab1faEF688B4De6E9746c47b0cae
0x57a71E92cF9d9D88d2A81127e61C642D0174b2Bf
0xf67fDD47F522E7d6Ea11324E45A01914653F0dbC
0x07442F52C92152dE8A8A3984de7A999770809E57
0x637de2dA47603Af37Cb3A4A0Df5D03590DD9De4A

Reasoning

Those addresses have the same historical behavior pattern:

  1. All safe addresses created by 0x4575a64468CCA887757773CC0cd48E24a501d2A5 at 19:47~19:53 on 2020/02/28.
  2. All safe addresses have exact the same transactions as follows (even timestamps of the same behavior from different safe address are the same.): 2.1 2020/02/28 20:53:59 placeValidFromOrders 2.2 2020/02/28 22:26:32 Approve 1000 DAI for Gnosis 2.3 2020/02/28 23:01:59 request Withdraw 2.4 2020/02/29 01:25:47 withfraw 1000 DAI 2.5 2020/02/29 01:40:25 Send 1000 DAI 2.5 2020/06/30 17:34:44 request Withdraw 2.6 2020/06/09 22:33 create proxy on BSC
  3. Each safe address contains only the above transactions.

Could be verified by visiting the debank links in the following table.

safe address all transactions
0xe08f9e738ddFC58DDC669E7400B817b099Ac2592 https://debank.com/profile/0xe08f9e738ddFC58DDC669E7400B817b099Ac2592/history
0xcC91634e10345125E0234EF88cf422381D9E7483 https://debank.com/profile/0xcC91634e10345125E0234EF88cf422381D9E7483/history
0x91598E8b03332339DB7FcD0CfAedB41F0c77131e https://debank.com/profile/0x91598E8b03332339DB7FcD0CfAedB41F0c77131e/history
0xb51C321b30a173Fd160Ddc21DEa46f91a75E24a4 https://debank.com/profile/0xb51C321b30a173Fd160Ddc21DEa46f91a75E24a4/history
0x65A6fb41eD0F7806ADD5969984Ca77F7B5a0E4e7 https://debank.com/profile/0x65A6fb41eD0F7806ADD5969984Ca77F7B5a0E4e7/history
0xF917b392d20f186A11fDB7a660BdE64B426D6776 https://debank.com/profile/0xF917b392d20f186A11fDB7a660BdE64B426D6776/history
0x7dD72870863c6Bb12534334A14d15B5Ef5801421 https://debank.com/profile/0x7dD72870863c6Bb12534334A14d15B5Ef5801421/history
0xBB8a6547F79790d3f7a5A7A0f7e73C7aa04A7d90 https://debank.com/profile/0xBB8a6547F79790d3f7a5A7A0f7e73C7aa04A7d90/history
0x1cD291E75bd43F27A6e81Ea0B0C4862ed41406D6 https://debank.com/profile/0x1cD291E75bd43F27A6e81Ea0B0C4862ed41406D6/history
0x4d83B3728850FDaEFe65360ae1B99665186a5866 https://debank.com/profile/0x4d83B3728850FDaEFe65360ae1B99665186a5866/history
0x284aC2a249A6ab1faEF688B4De6E9746c47b0cae https://debank.com/profile/0x284aC2a249A6ab1faEF688B4De6E9746c47b0cae/history
0x57a71E92cF9d9D88d2A81127e61C642D0174b2Bf https://debank.com/profile/0x57a71E92cF9d9D88d2A81127e61C642D0174b2Bf/history
0xf67fDD47F522E7d6Ea11324E45A01914653F0dbC https://debank.com/profile/0xf67fDD47F522E7d6Ea11324E45A01914653F0dbC/history
0x07442F52C92152dE8A8A3984de7A999770809E57 https://debank.com/profile/0x07442F52C92152dE8A8A3984de7A999770809E57/history
0x637de2dA47603Af37Cb3A4A0Df5D03590DD9De4A https://debank.com/profile/0x637de2dA47603Af37Cb3A4A0Df5D03590DD9De4A/history

Methodology

It can be identified by visualization and further analysis of the details of the above transaction listed.

Safe Address

0xD50fF80Ce8EFc38D024272f4019978Dc017eA200

tschubotz commented 2 years ago

Thanks for the report, we've found the following to be related to airdrop farming.

0xe08f9e738ddFC58DDC669E7400B817b099Ac2592
0xcC91634e10345125E0234EF88cf422381D9E7483
0x91598E8b03332339DB7FcD0CfAedB41F0c77131e
0xb51C321b30a173Fd160Ddc21DEa46f91a75E24a4
0x65A6fb41eD0F7806ADD5969984Ca77F7B5a0E4e7
0xF917b392d20f186A11fDB7a660BdE64B426D6776
0x7dD72870863c6Bb12534334A14d15B5Ef5801421
0xBB8a6547F79790d3f7a5A7A0f7e73C7aa04A7d90
0x1cD291E75bd43F27A6e81Ea0B0C4862ed41406D6
0x4d83B3728850FDaEFe65360ae1B99665186a5866
0x284aC2a249A6ab1faEF688B4De6E9746c47b0cae
0x57a71E92cF9d9D88d2A81127e61C642D0174b2Bf
0xf67fDD47F522E7d6Ea11324E45A01914653F0dbC
0x07442F52C92152dE8A8A3984de7A999770809E57
0x637de2dA47603Af37Cb3A4A0Df5D03590DD9De4A
CaptainTee commented 2 years ago

The fact that these issue was certified VALID gives me good hope that the addresses pointed under SECTION B of my report in #504 will be accepted

All the 13 addresses certified as Airdrop Farming here are also found in my issue #504

Congratulations to you, friend