How to lose $2.5M, twice

Updated (June 16th, 2020): refuting blackmail theories

As part of our ongoing research on blockchains, we were able to spot two highly abnormal Ethereum transactions (Tx) early on. Each of these recent transactions paid millions of dollars in network fees unnecessarily, instead of the standard fee, which is usually less than $1. The sender lost this money, since transaction fees are paid to the miner of the block.

Our initial findings, posted on Twitter, were quickly noticed by the press.

In this article, we will briefly summarize the issue at hand. We’ll continue to update with more findings as additional data is gathered. 

How did we discover these transactions?

We observed both transactions in real time using our newly launched Ethereum fees observatory tool. This tool visualizes the fees of pending transactions in an Ethereum node’s Txpool (the pool of transactions that have been broadcast but not yet mined). Users and analysts can use it to monitor current Ethereum fees and the network congestion level.

With their extremely unusual fees, the transactions in question dwarfed all other transactions, making them highly visible and impossible to miss.

Abnormal fees highly visible in ZenGo Ethereum fees observatory tool

At first, we assumed something was wrong with our data, but when we dived a little deeper, we quickly verified that the transactions were real. Thanks to the Ethereum fees observatory tool, we were among the first to identify them.

Transaction details

There were two transactions with huge fees. The first happened on June 10, 2020, and the second on the following day, June 11 (the day this article was first written).

There are unmistakable similarities between the transactions: they share the same sender and the exact same fee (10,668.73185 Ether). Other parameters differ, however: the two blocks were mined by different miners (SparkPool and Ethermine), and the transactions were sent to different receiving addresses.

It is not money laundering

Some have suggested this might be a sophisticated money-laundering scheme to covertly move money from the sender to the miner. We find this theory highly unlikely for the following reasons:

  • The Tx was broadcast to the public network and visible to the world (that is how we saw it in our tool). If the intention were money laundering, the sender would have handed the transaction directly to a colluding miner, so that no other miner could collect it.
  • Sending value via fees was spotted and became a very public event, defeating the purpose of laundering.
  • The second Tx with $2.5M in fees was mined by a different miner, so the same colluding party did not collect both.

It is not blackmail

Another theory we believe to be improbable was made popular by Vitalik Buterin on Twitter.

According to this theory, attackers were able to take limited control over the service operating the victim’s account. With that limited access, the attackers could not send funds to themselves. This can happen when the signing process is restricted by a whitelist that only allows sending funds to pre-approved addresses (e.g., customers).

The limited access did, however, allow the attackers to control the fee attached to each transaction. To monetize it, the attackers blackmailed the service into paying a ransom, threatening to otherwise burn the controlled funds through enormous gas fees. To prove they were serious, they spent these huge fees twice.

As we said before, we believe this theory to be improbable. 

If this were indeed a blackmail case, we would expect the service to defensively halt all operations as soon as it received the ransom demand, or at the very least after the first incident, and to resume only after making sure the root cause had been resolved.

The address kept operating normally. (source: etherscan)

But the address continued operating in its usual manner, sending transactions even after the enormous fees were paid, as seen in the screenshot above.

For the ransom theory to be viable, we must assume the victim wanted to stop the process behind this address but was unable to, having lost all control over it. That in turn means the process could not have been running in the victim’s own environment: if it were, the victim could simply have shut it down, even at the cost of halting all operations.

The address is not a smart contract either; it is an externally owned account, which can only send transactions signed with its private key. It therefore could not keep operating on the blockchain unless someone holding the private key kept issuing transactions.

The only option left is that the attackers operated this address from outside the victim’s environment. But in that case, it is hard to see why they would have only the limited control that forced them into this convoluted blackmail route, instead of simply sending the money to addresses they control.

Additionally, although both miners that received the huge fees publicly asked the sender to contact them, no one responded. On June 15th, the mining pool that mined the second transaction announced that it had not been contacted by any entity able to prove ownership of the funds, and that it would therefore distribute the mining reward among the pool’s participants. If this were indeed a blackmail attack, we would expect the victim to contact the miners immediately in order to recover the lost funds.

What it might be

Our hypothesis is that the transactions result from some sort of bug in an automated script that operates this account. Supporting evidence: 

  • Same sender, with the same exact, non-rounded fee. 
  • The account used to send a transaction approximately every minute, which does not look like a human operator.
  • The account continued to send transactions after the first $2.5M fee, including the recent second transaction with a $2.5M fee, so the error was not identified. A human operator would likely have noticed the issue immediately and stopped sending.

We don’t yet know the bug’s exact details, but both transactions stood out in several parameters compared to the “normal fee” transactions from this address. They were the only transactions from this account with a relatively round value (0.55 and 350 ETH).  

These additional characteristics suggest that the transactions with enormous fees belong to a different process than the transactions with normal fees, and that the bug affects only that process.
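Both the whitelist scenario above (recipient restricted, fee uncontrolled) and the automated-script hypothesis share a practical lesson: a signing policy that checks only the recipient does nothing against a fee drain, so the fee must be checked before a transaction is signed and broadcast. The following is an added example written for this article; it is not ZenGo’s code and does not claim to be the sender’s script or the actual bug. It assumes the transfers used the standard 21,000 gas of a plain ETH transfer (the page does not give the gas limit); under that assumption the 10,668.73185 ETH fee quoted above implies a gas price of 508,034,850 Gwei. The recipient address, the policy thresholds and the two sample transactions are constructed for illustration.

```python
from decimal import Decimal

WEI_PER_GWEI = 10**9
WEI_PER_ETH = 10**18

# ASSUMPTION: gas limit of a plain ETH transfer between externally owned
# accounts. The page does not state the gas limit of the two transactions.
SIMPLE_TRANSFER_GAS = 21_000


def fee_wei(gas_limit: int, gas_price_wei: int) -> int:
    """Maximum fee a (pre-EIP-1559) transaction can pay: gas limit * gas price."""
    return gas_limit * gas_price_wei


def wei_to_eth(wei: int) -> Decimal:
    """Exact conversion; integer wei avoids float rounding on large fees."""
    return Decimal(wei) / Decimal(WEI_PER_ETH)


def check_policy(tx: dict, allowed_recipients: set, max_fee_wei: int,
                 max_fee_to_value: Decimal) -> list:
    """Return the list of policy violations; an empty list means the tx may be signed.

    The recipient whitelist alone would have passed both runaway transactions,
    so the fee is checked against an absolute cap and against the amount sent.
    """
    violations = []
    if tx["to"].lower() not in {a.lower() for a in allowed_recipients}:
        violations.append("recipient not whitelisted")
    fee = fee_wei(tx["gas"], tx["gas_price_wei"])
    if fee > max_fee_wei:
        violations.append(
            f"fee {wei_to_eth(fee)} ETH exceeds cap {wei_to_eth(max_fee_wei)} ETH")
    if tx["value_wei"] > 0 and Decimal(fee) / Decimal(tx["value_wei"]) > max_fee_to_value:
        violations.append("fee is disproportionate to the value sent")
    return violations


# Constructed placeholder for a whitelisted customer address (not a real address).
CUSTOMER = "0x" + "ab" * 20
ALLOWED_RECIPIENTS = {CUSTOMER}

# Illustrative policy: never pay more than 0.05 ETH in fees, and never more
# than 10% of the value being transferred.
MAX_FEE_WEI = 5 * 10**16
MAX_FEE_TO_VALUE = Decimal("0.1")

# Constructed sample: a routine transfer at 30 Gwei.
NORMAL_TX = {"to": CUSTOMER, "gas": SIMPLE_TRANSFER_GAS,
             "gas_price_wei": 30 * WEI_PER_GWEI, "value_wei": 55 * 10**16}

# Constructed sample reproducing the fee discussed above: 0.55 ETH sent with a
# gas price of 508,034,850 Gwei, which at 21,000 gas costs 10,668.73185 ETH.
RUNAWAY_TX = {"to": CUSTOMER, "gas": SIMPLE_TRANSFER_GAS,
              "gas_price_wei": 508_034_850 * WEI_PER_GWEI, "value_wei": 55 * 10**16}


def evaluate(tx: dict) -> list:
    """Apply the illustrative policy to a transaction."""
    return check_policy(tx, ALLOWED_RECIPIENTS, MAX_FEE_WEI, MAX_FEE_TO_VALUE)


if __name__ == "__main__":
    for name, tx in (("normal", NORMAL_TX), ("runaway", RUNAWAY_TX)):
        fee_eth = wei_to_eth(fee_wei(tx["gas"], tx["gas_price_wei"]))
        print(f"{name}: fee {fee_eth} ETH, violations: {evaluate(tx) or 'none'}")
```

The fee-to-value ratio check is what catches a gas price that was set in the wrong unit (wei instead of Gwei, or a swapped value and gas price), because such a fee is wildly out of proportion to the payment; the absolute cap protects the account even when the value field itself is large.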

The sender’s address balance over time, with two noticeable drops due to the huge fees (Tx)

Concluding thoughts

The most important conclusion we can draw is that, given the automated characteristics of these transactions, the sender’s large remaining balance, and the sender’s continued operation, we may well see a third transaction with $2.5M in fees.

At ZenGo, we’re keeping a close watch on this situation. We’ll keep you updated here and on our official and personal Twitter accounts. Stay tuned!