Unibot attack incident analysis: After Maestrobot, the Telegram Bot project was again maliciously exploited

CertiK
10 months ago
At 12:39:23 on October 31, 2023, Beijing time, Unibot was maliciously exploited and lost $640,000 in assets. This article walks through the vulnerability and the attack process of the incident.


At 12:39:23 on October 31, 2023, Beijing time, Unibot suffered a malicious exploit and lost $640,000 in assets. The attacker abused an arbitrary-call vulnerability in the Unibot router contract to move $640,000 worth of various tokens, which users had pre-approved to the router, into an address under his own control.

We first look at the vulnerability itself, then at how the attack unfolded.

Vulnerability analysis


Function 0xb2bd16ab() does not properly validate its input parameters, specifically varg0 and varg4. A caller can set them so that the router makes an arbitrary call into an external token contract and executes its transferFrom() method, with the router itself as the caller of that method.
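To make the flaw concrete, here is an added illustration written for this article; it is not Unibot's code, whose real function is known here only by its selector 0xb2bd16ab and the decompiler argument names varg0 and varg4. The contract and function names (WeakRouter, HardenedRouter, IDex, execute, swap) are constructed. The weak router relays a caller-chosen target and raw calldata while holding user approvals; the hardened router only calls allow-listed contracts through a typed interface and only ever pulls tokens from msg.sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-20 surface used below.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

/// Hypothetical typed DEX interface, constructed for this example.
interface IDex {
    function swapExactTokens(
        address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut, address to
    ) external returns (uint256 amountOut);
}

/// WEAK PATTERN (constructed, not Unibot's code): the caller supplies both the
/// target contract and the raw calldata, and the router relays them unchanged.
/// Every user who approved this router has, in effect, approved anyone who can
/// call execute(): the relayed call runs with the router as msg.sender, so a
/// transferFrom() whose `from` is some other user's address passes the token's
/// allowance check. This is the shape of the flaw the analysis describes.
contract WeakRouter {
    function execute(address target, bytes calldata data)
        external payable returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call{value: msg.value}(data);
        require(ok, "call failed");
        return ret;
    }
}

/// HARDENED PATTERN: no raw calldata is relayed; the contracts the router will
/// call form an owner-managed allow-list; tokens are pulled only from
/// msg.sender; and the swap output is delivered back to msg.sender.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedDex;

    event DexAllowed(address indexed dex, bool allowed);
    error NotOwner();
    error DexNotAllowed(address dex);

    constructor(address[] memory dexes) {
        owner = msg.sender;
        for (uint256 i = 0; i < dexes.length; i++) {
            allowedDex[dexes[i]] = true;
            emit DexAllowed(dexes[i], true);
        }
    }

    /// Allow-listed targets must themselves never relay caller-controlled calls,
    /// otherwise the allow-list is only as strong as its weakest entry.
    function setAllowed(address dex, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        allowedDex[dex] = allowed;
        emit DexAllowed(dex, allowed);
    }

    /// The `from` of every transferFrom() is hard-wired to msg.sender, so the
    /// only allowance a call can consume is the caller's own.
    function swap(
        address dex, address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut
    ) external returns (uint256 amountOut) {
        if (!allowedDex[dex]) revert DexNotAllowed(dex);
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        // Approve exactly what this swap needs and reset afterwards, so the DEX
        // never holds a standing allowance over router-held funds. Production
        // code would wrap these calls in a SafeERC20-style helper, since some
        // tokens return no bool from approve()/transferFrom().
        require(IERC20(tokenIn).approve(dex, amountIn), "approve failed");
        amountOut = IDex(dex).swapExactTokens(tokenIn, tokenOut, amountIn, minOut, msg.sender);
        require(IERC20(tokenIn).approve(dex, 0), "approve reset failed");
    }
}
```

The property a reviewer should look for in any router that users approve is the one the hardened version enforces: no code path lets a caller choose the `from` of a transferFrom(), and no code path forwards caller-supplied calldata to a caller-supplied address. From the user side, an approval granted to a router is an approval to whatever that router can be made to call, so approvals to a retired router should be revoked once a replacement is deployed.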


Attack process

The attack began at 12:39:23 Beijing time on October 31 and lasted until 14:09:47 the same day. During this period the attacker executed 22 attack transactions, each calling the attack contract's "0x5456a7bf()" method, which in turn repeatedly calls the Unibot router contract's "0xb2bd16ab()" method to transfer various tokens from victims' addresses to the attacker's account.


A total of 42 tokens were transferred through the router from 364 victim addresses to the attacker, who then sold them for a total of 355.5 ETH (approximately $640,000).

The Unibot team later responded by deploying a new router contract and, on its official X account, announced a compensation plan for all victims. At the time of writing, all 355.5 ETH has been transferred to Tornado.Cash.

Telegram bot

This attack closely resembles the earlier Maestrobot incident. On October 25, CertiK Alert warned on the X platform that the router contract of the Telegram bot project Maestro Bots had been attacked, resulting in a loss of approximately US$500,000.

Telegram bots are an emerging area of the Web3.0 world: they let users perform various DeFi operations through the Telegram interface, with the project's token integrated into the bot. However, telling genuine innovation apart from confusing illusions is becoming increasingly difficult.

The CertiK security team studied 61 projects in CoinGecko's Telegram bot token list and found that nearly 40% of them appear dormant and may be fraudulent, or face the risk of never recovering from a sharp sell-off. The trading mechanisms of these platforms are undoubtedly innovative, but many lack critical technical details, especially about how in-app wallet private keys are managed. We recommend that users proceed with extreme caution on these platforms, minimize interactions with them, and avoid storing assets on them long term.

Learn about the Telegram bot and its token

Telegram bots are automated programs that run inside the Telegram chat application. They can execute trades, provide market data to users, gauge sentiment on social media, and interact with smart contracts through commands issued from the Telegram interface. Bots of this type have existed for years, but they have gained attention recently with the emergence of Telegram bot tokens.

A Telegram bot token is a native token integrated into a Telegram bot and mainly used for trading functions such as executing DEX trades, managing portfolios across wallets, yield farming, and other feasible DeFi operations. These tokens essentially let users access the whole of DeFi simply by interacting with the Telegram interface. If these programs can remain secure and functional over the long term, they could have a significant impact on the overall accessibility of DeFi.

After July 20 this year, the popularity of these tokens increased dramatically, with some tokens rising by more than 1,000%. This trend reflects the cyclical mania common in the Web 3.0 community, driven by the narrative resonance of the Web 3.0 currency community on the X platform (formerly Twitter).

Especially after Unibot rose to prominence, a large number of TBTs (Telegram bot tokens) emerged. As of August 3, 2023, CoinGecko's bot tokens section listed 61 such projects.

Crossing Narrative Crossroads

TBTs (Telegram bot tokens) occupy a unique position in the Web3.0 field. On the X platform (formerly Twitter), Web 3.0 currency enthusiasts often discuss them as utility tokens. Previously, the word "utility" has been associated with meta-narratives in the Web3.0 currency space, usually involving stories from professional industries such as artificial intelligence, financial technology, logistics, and cross-border payments. TBTs were originally developed with a utility narrative, aiming to decentralize and improve trading activity through innovative user interfaces. In practice, however, TBTs go beyond a single pragmatic meta-narrative and find resonance in a variety of meme and non-meme narratives.

Meanwhile, as the TBT narrative developed, periodic hype around mini-game meme tokens emerged, most notably a project called $HAMS. $HAMS was a short-lived meme token that let users bet on live-streamed hamster races. However, $HAMS died shortly after launch, after community members accused the operator of reusing hamster video footage. This gave rise to various other gaming meme tokens, also labelled as TBTs. One of them, "$TETRIS", lets users gamble on and take part in Tetris matches between players. The link between certain gaming meme tokens is formed through widespread mentions on the X platform.


Another example of TBT narrative crossover is PAAL AI. While not a dedicated meme token, the project is building a Telegram chatbot similar to ChatGPT, and its token and project structure resemble those of other TBTs. What is puzzling is that the project does not actually seem to be building a Telegram chatbot but rather a ChatGPT-like web interface. Even so, the bot can still be integrated into users' personal Telegram channels via an API.


CoinGecko’s TBT Classification

Shortly after the launch of Unibot, CoinGecko published a dedicated list of TBTs. The list first appeared around July 20 and contained around 30 coins; within a few weeks that number had ballooned to 61. We analyzed the list using a variety of methods, including composite indicators such as price momentum, liquidity dynamics, and trading activity, and categorized the projects according to whether they were likely dead or still actively traded. The distribution as of August is shown in the bar chart below:

Of these 61 projects, we classify 37 as active and 24 as dead or potentially dead. These projects are either down more than 85%, have little to no liquidity in their pools and no activity, or are most likely exit scams. That is, nearly 40% of projects in this category are dead or unlikely to recover.

It is worth noting that the wallet created when registering a Telegram bot account is generated automatically, and the private key is handed to the user afterwards. Unibot did not specify how or where these private keys are stored, whether locally or on the server side. This means that using these Telegram bots for both trading and storing funds is extremely dangerous.

Projects not integrated with Telegram

During our research we found that some projects listed as TBTs either had not integrated their tokens into Telegram or had no Telegram trading bot at all, only ordinary Telegram community channels. Some projects have external DApps with the same functionality as Unibot, and other projects' roadmaps indicate that Telegram integration will be implemented in the future.

Other projects don't have these features at all, but their presence on this list may reflect the crossover narratives mentioned earlier. Such projects may self-identify as TBT-type projects when applying to CoinGecko and state integration, or future integration, as a goal. We have seen how narrative hype can amplify certain categories of tokens, with some tokens even existing in a "meme-like" manner, even when the project has nothing to do with the category it is assigned to. According to our analysis, the impact of this type of narrative hype is large enough to partially explain the divergence described above.

Closing thoughts

Whenever a new narrative catches on in the digital currency community, a slew of similar projects keeps launching under the same narrative, many of them either exit scams or attempts to steal investors' assets, and TBTs are no exception.

The development of TBTs may be a genuine innovation for the DeFi community. While the utility of such tokens remains unclear, the emergence of these platforms offers investors new ways to fold data into trading strategies. However, users should be extremely cautious about these platforms.

In the TBT space, projects live on memes and their value can disappear overnight, which requires a cautious and informed approach to participation. Many projects fail to give users clear documentation on where their wallet keys are stored and how they are generated, so the unknown risks are huge.

Users should not treat these platforms as a place to store assets. They should also exercise caution when linking external wallets to these platforms or interacting with websites generated by these projects.

Original article, author: CertiK. For reprints, content collaboration or reporting, contact report@odaily.email; unauthorized reprinting will be pursued under law.
