HNT fake recharge traceability - $40 Million defrauded

A number of group attacking activities have been found in the Binance accident of HNT misallocation, due to its system vulnerability, occurred a few days ago. This article will trace and analyze the attacking group with the largest amount, hoping the analysis will give all exchanges some insights to improve their resilience in regards to the underlying risk. Furthermore, this article will also expose the details of actual attackers, whose miner nodes are still working, so that anyone of interest can meet these attackers offline.

Background

https://www.theblock.co/post/170827/binance-accounting-bug-leads-to-20m-misallocation-of-hnt-tokens

On September 17, the Helium Foundation told The Block that there was a vulnerability in the Binance system, which mistook the user's MOBILE for HNT, causing the user to receive $20 million in HNT by mistake. And this mistake by the Helium Foundation is not a problem with the chain but with the Binance system.

Principle of the vulnerability

The reason for this vulnerability is particularly simple, even idiotic!

After the major exchanges shelf HNT, if the user deposits to the exchange, the exchange needs to go to the helium chain to check the transaction, and only after confirming that it is correct will it be displayed in the user's balance. Almost all exchanges use the official api interface of helium to check the transactions, so we will understand the return value of the interface when we compare it with the previous period and now.

When helium officially launched its own governance token MOBILE, it found that the interface of its own on-chain transaction information did not reserve a place for token, so it added the token_type field in the transaction field of HNT out of thin air! In 2022, there are still such brain-dead programmers and such brain-dead project parties? How can they not think of such an easy problem? They can't even separate the transaction information fields of the main coin and token. I even wonder if the programmers themselves have done something evil to complete the attack and arbitrage.

The key is that the project owner (@rawrmaan) doesn't feel a shred of responsibility and shifts it all to binance, saying that the HNT coin price has fallen because of binance. hmmm......

Attack Recovery

They really skim the pot clean ah, the following is a large attack group I found, let's look at the loss of binance in this group alone.

Using this vulnerability requires transferring MOBILE to one's account on the exchange, and then observing whether the amount of HNT in the balance of the user's assets on the exchange increases to test whether the exchange has this vulnerability, that is, to test the behavior, which is generally a smaller amount or a small integer, which is more characteristic. According to this feature can lock some test vulnerability of the transaction behavior so as to find the attacker, and then according to the attacker's historical transaction records can find the downstream attacked exchange user address, also can find the upstream to provide fuel fees and MOBILE token miners, along with miners and can find more attackers ......

The funding chart shows the trading chain of one of the big gangs found by this method. Combined with the aggregation behavior of the exchanges, it is possible to do an exchange classification of the addresses traced out and count the losses of each exchange

(*Unknown Exchange: may contain binance and crypto.com or other exchanges' user addresses, can't make a judgment because it's not aggregated yet)

The amount of binance losses in the table is very close to the $20 million losses published online, and there are some losses included in the unknown exchanges, which have not been categorized yet.

The gang attack started 30 days ago, which is the same as saying that mobile token just came out and was discovered and exploited the vulnerability to start the arbitrage of hnt, causing the coin price to fall all the way this month

I believe that not only Binance US and crypto.com have this vulnerability, but from the data given by coinmarketcap, there are also exchanges such as kucoin, gate.io, FTX, Bybit, etc., which will most likely have the same problem, and there are even exchanges that have already stopped charging HNT.

This group attacked the exchange user address list is published, you can claim it yourself.

Traceability Analysis

The attackers' miners' addresses are also physically concentrated near Huntsville, Alabama, USA, further confirming that the same group is responsible for the crime.

For more, please follow x-explore.

Mirror: https://mirror.xyz/x-explore.eth

Twitter: https://twitter.com/x_explore_eth