Gnosis Investigation

    Bounty: "What's Going On With Gnosis?" There’s been some unusual activity with Gnosis as pointed out by our community. Time to figure out exactly what’s going on.

    Gnosis, what’s going on?

    In this investigation, we’ll try to identify the cause of the recent spike in Active Users and Transactions in the Gnosis ecosystem.

    Agenda

    1. Identifying the spike
    2. “Who” is responsible?
    3. What is going on?
    4. Retrospective

    The dashboard refreshes daily; if there’s an even bigger spike, it will adjust accordingly.

    Latest date is NOT included as it’s never complete.

    Core Metrics: Key Points

    • Spike in transactions starting October 3rd and ending October 9th
      • The spike in unique active users only shows up on October 4th
    • There is also a much smaller spike reflected in both cases, and there too the transaction spike precedes the active user spike.

    There definitely is something fishy here, let’s dive deeper…

    Fee Metrics: Key Points

    • In ==Number of Transactions w/ Transaction Fees $==, the transaction fee spike (left spike) roughly aligns with the transaction count spike, but not exactly, as the fee increase comes earlier than the transaction spike.

    • In the second spike (right spike), there is not much of a transaction count increase initially, but there is a massive transaction fee increase. Only when looking at ==Unique Active Users w/ Transaction Fees $== can we see that this first spike in fees aligns with active users, while the second spike in users does not align with a spike in fees… 🤔

    • The same can be seen in ==Average transactions Per User w/ Transaction Fees==: the first spike in average transactions per user roughly aligns with the fee increase, but the second and third spikes show a decrease in transaction fees, meaning that the fees paid for each of these transactions were probably much lower than the average fee paid per user or transaction… 🤔🤔

    • This can be confirmed by looking at ==Unique Active Users w/ Fees per User==: the average fee paid per user roughly aligns with the first peak in unique active users, but the second peak (the largest one) does not align at all with a fee increase. In fact, the fees paid per unique active user are minimal to 0 fees! 🤔🤔🤔

    Now if that’s not ==interesting== at the very least, I do not know what is! Let’s dive deeper… Who’s the culprit?

    What’s in the box?

    And we have a ==winner== ladies and gentlemen!!

    The address with the highest number of unique active addresses interacting with it is 0x37efe9b31830653039edc3b212a6e1b882cd46b4!!! Yes, you read that right, it’s a wallet, not a contract!! Well, what in the heck is going on here?? 🤔🤔

    Actually, before we dive any further, let’s first take a moment to appreciate the other nominees. It seems that 0x5f8030e1d9c3972cb9f9925ff5090694f13abd4e is also a wallet with suspicious behaviour, similar to that of our first culprit, but not on the same scale! Third, but not least, comes 0x0d69240be6c360c40d4a238299627de103201ff1, with behaviour very similar to that of the other two wallets.

    After some manual inspection, one might say that, heck, these are all programmed bots creating some noise on Gnosis, in which case you might be right. But why would someone do that? What’s the motive behind this? Is it something like what’s happening with XEN on Ethereum and other chains, a claim (mint) on some token to generate hype so users can get rug pulled by the developer? Well, in this case, it does not necessarily seem to be so sophisticated. Although this could be a test to see if XEN can be launched with the same SUCCESS as on other networks? 🤔 Time will tell, but what we can try to figure out for sure is the nature of these wallets, programmatic or otherwise.

    Let’s motivate what the ratio Average Unique Active Users per Number of Transactions by to_address really means. Take the number of unique wallets that interacted with a to_address and divide it by the number of transactions sent to that same to_address. This gives a measure of whether all the transactions to that address come from the unique active users that interacted with that address in that period (hour, day, week, month). A high score means that all of these unique active users interacted with just this address; a low score means that these users also interacted with other addresses in that period.

    From what we can see, the top 5 wallets identified earlier all have exactly the same ratio of 1, meaning that all of the unique active users that interacted with these wallets/contracts that day only interacted with them and nothing else. In this case, only one wallet is caught in here by “accident”, as seen on the right pie chart: 0x72d9e579f691d62aa7e0703840db6dd2fa9fae21. This wallet seems to do the transfers between different wallets, with about ~3.6M transactions at this point in time.
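
    The ratio can be reproduced outside the dashboard. The following is an added example, not the dashboard's own query: it computes unique senders divided by transaction count per to_address on constructed sample rows, and goes one step beyond the ratio by also measuring the share of senders that touched no other address in the period, since a ratio of 1 on its own only shows that each sender sent one transaction. The function names, the `min_senders` threshold and all addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample rows (period, from_address, to_address). The addresses
# are placeholders, not values taken from the dashboard.
SAMPLE_TXS = (
    [("d1", f"0xfresh{i}", "0xsink") for i in range(4)]   # 4 one-shot senders
    + [("d1", "0xu1", "0xdex")] * 3                        # one busy trader
    + [("d1", "0xu2", "0xdex"), ("d1", "0xu2", "0xnft"), ("d1", "0xu3", "0xnft")]
)

def to_address_metrics(txs):
    """Per (period, to_address): tx count, unique senders, their ratio, and
    the share of senders that touched no other to_address in the period."""
    tx_count = defaultdict(int)
    senders = defaultdict(set)        # (period, to)   -> {from}
    targets = defaultdict(set)        # (period, from) -> {to}
    for period, frm, to in txs:
        tx_count[(period, to)] += 1
        senders[(period, to)].add(frm)
        targets[(period, frm)].add(to)
    out = {}
    for (period, to), froms in senders.items():
        exclusive = sum(1 for f in froms if targets[(period, f)] == {to})
        out[(period, to)] = {
            "txs": tx_count[(period, to)],
            "unique_senders": len(froms),
            "ratio": len(froms) / tx_count[(period, to)],
            "exclusive_share": exclusive / len(froms),
        }
    return out

def flag_fanin(metrics, min_senders=3):
    """Hypothetical heuristic: many senders, one tx each, nothing else touched.
    min_senders is an assumed threshold, to be tuned against real data."""
    return sorted(
        key for key, m in metrics.items()
        if m["unique_senders"] >= min_senders
        and m["ratio"] == 1.0
        and m["exclusive_share"] == 1.0
    )

if __name__ == "__main__":
    metrics = to_address_metrics(SAMPLE_TXS)
    for key, m in sorted(metrics.items()):
        print(key, m)
    print("flagged:", flag_fanin(metrics))
```

    In the sample, `0xnft` also scores a ratio of 1 but only half of its senders are exclusive to it, so it is not flagged even with a lower `min_senders`.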

    So, we’ve identified a few things here: these 5 wallets that are interacted with in very similar ways, and an “outlier” that seems to be sending and receiving xDAI in packs of ~0.25 xDAI from various wallets back and forth.

    Net transfer amounts of xDAI

    Last but not least, let’s explore how these transfers look under the microscope (transfer_period = minute), looking at each wallet individually and starting with our winner 0x37efe9b31830653039edc3b212a6e1b882cd46b4, which produced a spike of ~57k unique active users in one day!

    The rest of the wallets (for ease of use) [Ranked by Unique User count spike]:

    1. 0x37efe9b31830653039edc3b212a6e1b882cd46b4 (Winner!)
    2. 0x5f8030e1d9c3972cb9f9925ff5090694f13abd4e (2nd place)
    3. 0x0d69240be6c360c40d4a238299627de103201ff1 (3rd place)
    4. 0x36032ea08fbde8143e53afa9c752acd87e8fad7c (4th place)
    5. 0xb9cd2daac4e0ebcf2da51705a0f02eee13072c3c (5th place)
    6. 0x72d9e579f691d62aa7e0703840db6dd2fa9fae21 (6th place) [the outlier]

    Transfers: Key points

    1. The first place is shown by default and has a massive number of transactions going through the wallet until a final exit after turning the xDAI into WETH; final transaction: 0x68aebf679e0f11c630c21911714485981ba3677adc26d5905f81eee7db967dce [Notably in early October]
    2. The second place seems to have very similar behaviour, but it seems to be the experiment before the real thing, as the same behaviour is found but for far fewer datapoints (timestamps/transactions). [Notably in late September]
    3. The third place seems to have exactly the same behaviour as our 2nd place winner, which looks like another experiment. Maybe the person hadn’t caught all the bugs just yet. [Notably in late September]
    4. The fourth place seems to be preparing by sending a TestToken 0x36032ea08fbde8143e53afa9c752acd87e8fad7c in and out (so it won’t show on the two top graphs, as we look for xDAI transfers only).
    5. I am not sure what is going on with the 5th one; maybe the bot started but there was a bug in the process 😅 or it’s simply a normal wallet caught in the crossfire.
    6. Wallet number 6 is amazing, please brace yourself (there are too many transfers plotted, and your browser may crash! Change the transfer_period parameter). When we look at the minute timeframe, we see a periodic pattern of amounts coming in and out of the wallet. It could be a DEX trader-type wallet or maybe something else, but it looks very much like what you’d expect a programmatic trading bot to look like, with the net amount of xDAI being the cumulative profit over time. Although in practice here it’s probably mostly used for gas. My guess is that this could be the master wallet sending out the xDAI amounts, or one of many.

    Retrospective

    I intuitively ==feel== like this is a common occurrence; this kind of behaviour may be common in low-fee networks. There’s always a bot-related trade-off when you set low fees for your network. Arbitrageurs, MEV or Sybil attackers will all want to choose the networks with the lowest fees, as it’s vastly beneficial to spend only a few $ to achieve your goal vs a few 100$ or 1000$.

    This still seems to me like a test for a much bigger thing (like XEN) or other spam-like attacks. I was not able to find any conclusive evidence that shows that there has been some sort of “exploit” or “hack” here. Just a bunch of wallet spawning (which can happen programmatically) and then xDAI sent to them to transact and send back. This is seen in multiple wallets (see section above) where the person was still figuring out the quirks to do it correctly and maybe got stuck once or twice. The TestToken makes me think that there will be another one of these coming very soon with a “real” token.

    All in all, I am disappointed that this spike is not actual dApp activity and that it does not come from a specific dApp or user action, but I am intrigued to keep paying attention to the spikes to see what comes next, as my intuition tells me there is more here.

    What can Gnosis do as a chain?

    Well, blacklisting wallets/contracts is not the best way to strengthen the decentralization narrative and is therefore not a solution here. The engineering team could come up with some throttle coefficient for the network that applies to addresses that spam transactions too often, to reduce congestion and maybe further attacks of this magnitude. Yes, this is not perfect, but this is one of many solutions off the top of my head as I’m writing this.

    Acknowledgements:

    I want to thank Brendan Murray (Brendan Murray#3930) for allowing me to express interest in this investigation and motivating me and others with a bounty to explore the spike in active users in this ecosystem.