Unusual Activity on Gnosis

    Users and Transactions

    Investigating Top transacted addresses

    • Over the past 3 months, the number of daily new users was about 200 on average before September 19th. After that, it spiked to about 3000 new users per day and reached 35.8K new users on October 4th.
    • The address 0xc38d4991c951fe8bce1a12beef2046ef36b0fa4a is a contract address related to the AMB Rinkeby Bridge. The main use case of the Arbitrary Message Bridge (AMB) between the Rinkeby Testnet and the xDai chain is to relay tokens emitted by Reddit (e.g. Moons and Bricks) to a chain with real value (xDai) through the AMB extensions. [Source]
    • 3 addresses made more than 72K successful transactions on October 4th on the AMB bridge.
    • More than 54K unique addresses transacted with the address 0x37efe9b31830653039edc3b212a6e1b882cd46b4. Each address had only 1 transaction with that address.
    • No token transfers were found in the activity of those 3 addresses that had transactions with the AMB contract.

    • Every transaction with the address 0x37efe9b31830653039edc3b212a6e1b882cd46b4 transferred exactly 0.0099685 xDAI to that address, except for one transaction of 0.0109685 xDAI.

    • All of the transfer transactions happened within 3 hours, at about 300 transactions per minute.

    Analyzing those 54K unique addresses

    • Those 54K addresses started receiving 0.01 xDAI on the 20th of September.
    • Each address received only 1 transaction, with an amount of exactly 0.01 xDAI.
    • On October 4th, 35.7K new addresses received 0.01 xDAI.
    • All of the 0.01 xDAI transfers were sent from one address: 0x562a9171c251777766285e877c80e7f4cc02d165
    • None of those 54K addresses was active on other chains.
    • The sending address has been active since May 2021.
    • The daily number of transactions and the transfer volume show that all of its transfer amounts have been 0.01 xDAI since 28 May 2021.
    • It seems that this address is a faucet address for xDAI on Gnosis.
    • From September 19th to October 5th, its transactions increased by more than 1000X.
    • On October 5th, the 538 xDAI that was received through more than 54K transactions was swapped to 0.4 WETH and then bridged out.

    Summary and Conclusion

    • First, we saw an unusual increase in daily new user numbers from September 19th to October 5th, and in transaction numbers from October 5th to 8th.
    • We identified two addresses with the highest interaction on the 4th and 5th of October:
      • 0xc38d4991c951fe8bce1a12beef2046ef36b0fa4a: AMB contract address
      • 0x37efe9b31830653039edc3b212a6e1b882cd46b4: unknown address
    • 3 addresses sent more than 73K transactions to the AMB contract address, while more than 54K new addresses interacted with the unknown address (1 transaction per address).
    • No token or xDAI transfer was found in the transactions with the AMB contract address.
    • 35% of the total transactions sent by those 3 addresses to the AMB contract address failed.
    • No relation between the AMB contract address activity and the unknown address was found. However, the fact that these two high-volume activities happened at the same time is still suspicious.
    • All transactions to the unknown address were similar:
      • The transactions were sent from new wallets that had received only one transaction on Gnosis (0.01 xDAI from 0x562a9171c251777766285e877c80e7f4cc02d165) and that have no transactions on other chains.
      • All transactions to the unknown wallet were transfer transactions of exactly 0.0099685 xDAI to the unknown address, and they happened in just 3 hours on October 5th.

    • We identified two separate activities: one was related to the increase in transaction count and transaction failure rate, and the other was related to the increase in the number of new users.
    • The transactions to the AMB Rinkeby Bridge contract caused the increase in TPM and in the transaction failure rate. The instability continued for 4 days after the large volume of transactions sent by those 3 wallets. It seems that this was some sort of spam attack conducted by bots. This attack disrupted Gnosis network performance for 4 days.
    • The other incident, which caused the increase in daily new users, was a sybil attack. A faucet on Gnosis was exploited: more than 54K addresses received 0.01 DAI from the faucet in 12 days and then transferred it to a single wallet in 3 hours. All of the received xDAI was worth about $540; it was swapped to WETH and then bridged out.
    • It is not known how the exploit occurred, but if addresses with no activity on other chains had been excluded from the faucet, this attack couldn’t have happened.
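
The faucet fan-out and single-collector sweep described in the summary can be detected directly from transfer records. The following is an added example, not code from the original dashboard: it groups single-use wallets by funder, collector and funded amount. The addresses are constructed placeholders, the tuple layout is an assumption, and only the two amounts (0.01 and 0.0099685) come from the write-up.

```python
from collections import defaultdict
from decimal import Decimal

def find_sweep_clusters(transfers, min_wallets=3):
    """Group single-use wallets by (funder, collector, funded amount).

    transfers: iterable of (minute, sender, receiver, amount_str) tuples.
    A wallet qualifies when its whole history is one inbound transfer
    followed by one outbound transfer of no more than it received.
    """
    inbound, outbound = defaultdict(list), defaultdict(list)
    for minute, src, dst, amount in transfers:
        inbound[dst].append((minute, src, Decimal(amount)))
        outbound[src].append((minute, dst, Decimal(amount)))

    clusters = defaultdict(list)
    for wallet, ins in inbound.items():
        outs = outbound.get(wallet, [])
        if len(ins) != 1 or len(outs) != 1:
            continue  # more than one transfer in or out: not single-use
        (t_in, funder, got), (t_out, collector, sent) = ins[0], outs[0]
        if t_in < t_out and sent <= got and collector != funder:
            clusters[(funder, collector, got)].append(sent)

    report = [
        {"funder": f, "collector": c, "funded_amount": amt,
         "wallets": len(amounts), "swept_total": sum(amounts)}
        for (f, c, amt), amounts in clusters.items()
        if len(amounts) >= min_wallets  # ignore one-off forwards
    ]
    return sorted(report, key=lambda r: r["wallets"], reverse=True)

# Constructed sample: placeholder addresses, amounts taken from the write-up.
SAMPLE = [(i, "0xFAUCET", f"0xW{i}", "0.01") for i in range(1, 6)]
SAMPLE += [(100 + i, f"0xW{i}", "0xCOLLECTOR", "0.0099685") for i in range(1, 6)]
SAMPLE += [
    (7, "0xFAUCET", "0xORGANIC", "0.01"),   # ordinary user, spends twice
    (50, "0xORGANIC", "0xSHOP", "0.004"),
    (60, "0xORGANIC", "0xFRIEND", "0.003"),
    (8, "0xFAUCET", "0xONEOFF", "0.01"),    # forwards once, but forms no cluster
    (70, "0xONEOFF", "0xSHOP", "0.005"),
]

if __name__ == "__main__":
    for row in find_sweep_clusters(SAMPLE):
        print(row)
```

A faucet operator can run the same grouping over recent payouts and pause or rate-limit when one collector starts receiving forwards from many freshly funded wallets.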

    There’s been some unusual activity with Gnosis. We are going to figure out exactly what’s going on using on-chain data.

    What is Gnosis Chain

    Previously known as xDAI, the Gnosis chain is a stable payments EVM (Ethereum Virtual Machine) blockchain designed for fast and inexpensive transactions. The network has been around for a long time, in fact, it is one of the first EVM sidechains, long before sidechains became a thing. [Source]

    • On the 4th and 5th of October, 2 addresses had unusual transaction volume.
    • We will investigate these two addresses.
    • 35% of the total transactions sent to the AMB contract by those 3 addresses on October 4th failed.

    Token Transfers

    • Daily TPM and failure rate reached high values from the 5th to the 8th of October.

    Source of xDAIs

    What happened to transferred xDAIs?

    Methodology

    • New users were identified by the first xDAI transfer transaction to the wallet. This data was extracted from the gnosis.core.ez_xdai_transfers table.
    • The number of transactions and users was extracted from the gnosis.core.fact_transactions table.
    • Transacted addresses were extracted from the gnosis.core.fact_transactions table.
    • The daily average failure rate was calculated by averaging the failure rates per minute.
    • Failure rates were extracted from the gnosis.core.fact_transactions table.
    • xDAI transfer data was extracted from the gnosis.core.ez_xdai_transfers table.
    • To calculate the number of transactions of wallets on other chains, the fact_transactions table of each blockchain was used:
      • ethereum.core.fact_transactions
      • arbitrum.core.fact_transactions
      • avalanche.core.fact_transactions
      • bsc.core.fact_transactions
      • optimism.core.fact_transactions
      • polygon.core.fact_transactions