Two random facts about the hack of @BalancerLabs pools:
- the hacker made five 0.1 ETH withdrawals from Tornado: the first used a relayer, and the rest used his own address. Consequently, the hacker had experience with Tornado, and he made at least 5 deposits there.
Currently, there are 1312 unique addresses that deposited 0.1 ETH into Tornado. Of these, 112 made at least 5 deposits. In addition, the number of addresses can be reduced by using heuristics from this paper: arxiv.org/pdf/2005.14051…
It would be cool if someone took a look at it.
- the contract that withdrew the money from the STA pool couldn't withdraw it from the STONK pool due to an "Out of gas" error. However, after 40 minutes, the hacker rewrote the code and drained funds from the second pool using a new contract.
It is still very surprising to me that attackers rarely use SELFDESTRUCT after their hacks. This would make it impossible to quickly analyze contracts using only explorers like Tenderly.
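The candidate-set reduction from the first point above, as an added example that is not part of the original thread. It goes one step beyond the "at least 5 deposits" count by also requiring that the i-th withdrawal be preceded by at least i deposits from the same address. It assumes, as the thread does, that all withdrawals were funded by deposits from a single address; the addresses and timestamps are constructed sample data.

```python
from bisect import bisect_left
from collections import defaultdict

# Constructed sample data: (depositor, unix_time) for one fixed-denomination pool.
SAMPLE_DEPOSITS = (
    [("addr_a", t) for t in (100, 110, 120, 130, 140)]    # 5 deposits, all early
    + [("addr_b", t) for t in (100, 205, 215, 225, 300)]  # 5 deposits, last one too late
    + [("addr_c", t) for t in (90, 95)]                   # only 2 deposits
    + [("addr_d", t) for t in (250, 260, 270, 280, 290, 295)]  # 6, all after withdrawals
)
# Constructed withdrawal times attributed to the one actor under investigation.
SAMPLE_WITHDRAWALS = [200, 210, 220, 230, 240]


def candidate_depositors(deposits, withdrawal_times):
    """Narrow the set of depositors that could have funded the withdrawals.

    Returns (all_depositors, count_filtered, time_filtered) as sorted lists.
    count_filtered: addresses with at least as many deposits as withdrawals.
    time_filtered:  addresses that also had >= i deposits strictly before
                    the i-th withdrawal (a note must exist before it is spent).
    """
    by_addr = defaultdict(list)
    for addr, ts in deposits:
        by_addr[addr.lower()].append(ts)

    w = sorted(withdrawal_times)
    k = len(w)
    count_ok, time_ok = [], []
    for addr, times in by_addr.items():
        times.sort()
        if len(times) < k:
            continue
        count_ok.append(addr)
        # bisect_left gives the number of deposits strictly earlier than w[i].
        if all(bisect_left(times, w[i]) >= i + 1 for i in range(k)):
            time_ok.append(addr)
    return sorted(by_addr), sorted(count_ok), sorted(time_ok)


if __name__ == "__main__":
    everyone, by_count, by_time = candidate_depositors(SAMPLE_DEPOSITS, SAMPLE_WITHDRAWALS)
    print(len(everyone), "depositors;", len(by_count), "with enough deposits;",
          len(by_time), "consistent with withdrawal timing:", by_time)
```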
Alright, I've been sitting on this news all day, but let's look at the @BaldBaseBald deployer.
This is definitely someone from Alameda, but I don't think we can safely say that this is @SBF_FTX (even though he is a psycho)
Let's go👇
2/12
I started the morning by making sure that he is not a Coinbase insider, despite the mention of the address (0xccFa05) as the largest holder on DeFi governance forums
Upon closer inspection, one could find that cbETH was not minted by Coinbase, but was bought on Uniswap v3
3/12
Despite the incredible amount of funds the address held, the leading exchanges used were Binance, FTX, Coinbase
Nothing out of the ordinary, right?
It could be anyone, so I went to see if any previous addresses were associated with exchange accounts
For more than a week, someone has been trying to carry out a governance attack on @SwerveFinance (a dead Curve clone) and steal $1M+ in various stablecoins
Let’s figure out why he didn’t succeed and also find out who the exploiter is👇