Harvest Keeper (AI dApp) Shenanigans
Artificial Intelligence (AI) is a term known from a long ago, but lately, this technology has reached the general public. It has the potential to change things positively but is also a new door to scams, unfortunately. Today I'll talk about Harvest Keeper a recently launched AI trading app that became another rug pull scam.
Introduction
In 2023 there has been an influx of activity related to AI, Chat-GPT became one of the most known "Next-Word Prediction Engine" where users could interact with this AI to create essays, computer science codes, music, and a lot of things that you can ask to Chat-GPT. There are fake-voice-generated AI and also fake-video-generated AI trending lately and also AI has reached Web3. But what is AI and how it works? people don't need to answer this question to begin using these kinds of programs and this has become a new way to exploit "human trust".
On February 2023, a new product gained a lot of attention and it was called Harvest Keeper, this project declared that their smart contract was tested by Contract Wolf, and the Developer team behind this dApp was tested by KYC to prove their "Real Identity", according to Markus Peters founder of Harvest Keeper:
[Harvest Keeper’s] decentralized protocol interacts with a trading bot, using built-in artificial intelligence to analyze patterns like risk, news sources and many other factors that effect the price formation of various crypto assets. (CryptoSlate)
Trading Bots aren't something new in crypto, but this dApp appealed to the user offering a simple way to use a powered AI trading bot with simply connecting their "Metamask or Trust Wallet", deposit an amount and then start to harvest a daily profit by clicking the "Harvest" button. Investors didn't need to understand how the trading bot opperates, or the role of the AI in all of that, they only needed to interact with the Harvest Smart Contract and starting winning profits everyday.
Using my words the dApp worked like this:
- Interact with the Smart Contract of Harvest Keeper in the Binance Smart Chain (BSC) Network.
- Sent Binance-Peg BSC-USD token.
- Harvest (Claim All Reward) of Binance-Peg BSC-USD Everyday thanks to AI.
And when the people started to receive their rewards the activity of this dApp started to increase daily until the day this dApp "was hacked" with more than 1M of Losses, but before reaching the conclusion let's answer some questions related to the "AI Used".
How does the protocol/dApp use AI technology, and what specific AI techniques or algorithms does it employ?
The Workflow Of The Bot Based On Ai
Harvest Keeper bot using algorithms analyzes the patterns, risks and factors based on past experiences to generate maximum profits 24 hours a day. Hence, each action of the bot is based only on objective data, excluding assumptions and hypotheses. The immense abilities of AI eliminates the possible human errors guaranteeing a reliable passive investment aimed at increasing capital. And each Harvest Keeper user gets a fixed daily reward of 4.81% of the deposit daily! Rewards can be withdrawn at any time as well as reinvested for even bigger profits!
Bot Maximum Efficiency
Automated trading system of the Harvest Keeper bot gives a high level of efficiency, thanks to its maximum formalization. The bot algorithm is written in maximum details which in its turn reduces the likelihood of blind spots in its trade, because the absence of some conditions for entering or exiting the market can lead to incorrect decisions of the program. Harvest Keeper is maximally adapted to the current realities of the cryptocurrency market.
Development team, after writing of the algorithm, together with the leading traders have conducted all the necessary tests, simulating all kinds of market situations:
- Market growth along with a bull-run trend;
- Market fall along with a bear-market trend;
- Crisis in the segment of selected assets;
- Sharp swings;
- Lingering sideways movement;
- Sharp market crashes;
- Active influence of whales on the market and others.
This extract is from GlobeNewsWire because their whitepaper, twitter, medium dissapeared from the Web2 (Error 404). But after reading we can understand that their AI is "pretty competent".
What benefits does the integration of AI bring to the protocol/dApp, and how does it enhance its functionality or user experience?
The main benefits was the opportunity to use this "AI Trading Bot" through their dApp and earn these kinds of rewards (by GlobeNewsWire):
Thanks to HK's AI abilities market risk is reduced, which increases trading opportunities in difficult market situations and this in turn allows to allocate assets more wisely.
As the result of the trading bot work all the investors get daily rewards of 4.81%! And in 21 days the income becomes 101% of the investment!
Are there any potential risks or limitations of using AI in the context of the protocol/dApp, if yes, how can they be addressed?
Because the investors needed to interact with the smart contract using their "Trusted Wallets" it had room for exploits, and this was the case.In the audit made by ContractWolf they specified that "Owner can take tokens/USDT from Contract" and this happened when the function "getAmount" was called to sent all the volume that Harvest Keeper had to a single Wallet. Besides from that this smart contract used Ice Pishing to affect these wallets not only in the BSC network, but also the Ethereum, Polygon, Avalanche, Arbitrum and the BSC Test-Net.
- Ice phishing is a type of web3 attack that deceives users into manually granting permissions by signing and approving requests.
- In March 17 is when this transaction happens where all the funds from Harvest Keeper were moved.
- Because this dApp worked only with a Stablecoin pegged to the dolar (BSC-USD) the volume of tokens is considered in a ratio of 1:1 to the $USD.
- One of the things the dApp offered was a referral system, where investors could increase their daily earnings by inviting friends, and finally on February 17, 2023 more than 30 users reached this app and this became the starting point of the uptrending.
- Every day after the 17th more people started to arrive and on February 25 new users reached their biggest spike with 105 new users.
- We can see that the retention of users was really good because most of the days the number of existing users increase reaching a peak of 669 Existing Users on March 16 just before the scam.
All the Activity had an uptrend until March 16 day when the dApp reached:
- 1,280 Transactions where 1,220 are transfers of BSC-USD using the dApp smart contract.
- 160M Units of Gas used on that day with an equivalent of 0.813 BNB in fees or $260 in $USD.
- 669 + 82 = 751 Active Users.
- A volume of $165,000 being moved through the dApp smart contract.
- On March 17, at 16:00 UTC+0 is when the biggest volume of BSC-USD is transferred with a total of $743835.9 in 26 transfers.
- But only $709,885.5 is sent to the "exploiter wallet" so on that hour a volume of $33950.4 is moved through the dApp prior to this last transfer.
- Before, the Maximum volume was $10441.1 during the peak of transfers (72) at 13:00 UTC+0.
- After the "Last transfer" the dApp continues it's activity making transfers with Zero value in BSC-USD, until March 21.
- Investors are all the users that interacted with the protocol sending funds to the dApp, the "Exploiter wallet" only received funds and because of that isn't present here.
- A total of 1,476 Investors presented direct Losses with the Usage of this dApp with 7 investors losing more than $10,000.
- A total of 192 Investors didn't lost their initial funding but only 12 received more than $1,000 in rewards.
- In the end this dApp affected more than 80% of the total investors.
But there are more than $709,885.5 in losses because ~$219,000 have been stolen through Ice Pishing.
- It was easy to track the funds during the first movements, because the amount was moved through a single wallet every time, but after the funds are moved to 0x0e17aab99e766e090ea5348c741565a7bd73552c this wallet proceeds to sent the funds to 594 differents wallets as we can see in the table above as the "Seventh Movement".
- I tried to track the "Eight Movement" but the amount of wallets rise up to the thousands so I decided to stop at the Seventh Movement.
- But there is something important here, because this wallet received a total of $1,048,207 and this is not only from the direct funds stolen from Harvest Keeper dApp but also from the Ice Pishing transactions this dApp made.
- Is the 0x5c67a52edc7a3cc78fed4845c28e6e444151cf6d wallet that received $709,885 in the Fourth Movement but ultimately sent $250,010 and $798,197 in the Fifht Movement to 2 different Wallets.
So now we can track the transfer activity of this wallet (0x5c67a52edc7a3cc78fed4845c28e6e444151cf6d) to see where is the origin for the funds stolen by the Ice Pishing.
Unfortunately, none of these wallets seems to have interacted with the Harvest Keeper dApp, and most of them had their creation date in the last weeks, however more addresses began to appear:
- 0x15a8abbbd1b3ff9217e2f32a7f5e4ac81ca80013 Transferred $140,115 + $60,774 in BSC-USD
- 0x7704204c08d96d5d7472c01c0d2b8d44048e372a Transferred $98,917 in BSC-USD
- 0xef1a69d33762ba1a53ddf37185c1d376828a098a Transferred $14,243 in BSC-USD
So now I'll look if Investors from Harvest Keeper sent transfers to these three accounts.
- Finally the wallets that sent BSC-USD to 0x5c67a52edc7a3cc78fed4845c28e6e444151cf6d are the ones receiving the Ice Pishing Transfers from Investors.
- Of the 3 wallets previously 0x15a8abbbd1b3ff9217e2f32a7f5e4ac81ca80013 is one of the wallets that had most variety of assets and it's swapping differents assets received to BSC-USD and that's the reason the amount of $BSC-USD sent to 0x5c6...f6d is higher than the amount directly stolen from Ice Pishing.
- Besides these wallets also had activity in other chains such as Ethereum where the Ice Pishing also happened.
- $BSC-ATOM. $BSC-AVAX, $BSC-ETH, $CAKE and many other assets were swapped for $BSC-USD.
-
Harvest Keeper targeted the Binance Smart Chain Network, where most of their activity is concentrated, and from that, all the users that interacted with this smart contract started to lose assets on different blockchains because of the Ice Pishing attacks.
-
As explained before not only this wallet received funds there was many other wallets that received funds via Ice Pishing and Ethereum was the 2nd Network most affected by that.
Harvest Keeper an AI Nightmare
Harvest Keeper appealed to investors from the Binance Network offering a simple way to earn rewards thanks to their "AI-based" dApp, when people started to earn rewards it's activity skyrocketed until the day when the smart contract that every investor accepted with their trusted wallet turns against them sending all the funds to a proxy wallet, but it didn't end here because days after the dApp started to Ice Pishing every wallet that interacted before, affecting every investor that used their main wallet losing all their assets in all their Networks.
Although the losses are below $1M (According to News) in reality is more than that because of the Activity behind this Scam.
It's seems that "AI" was behind all the complexity in how they used an absurd amount of proxy wallets to made the Ice Pishing, and diverge the funds in more than thousands of wallets and although I tried my best to dig deeper into the matter, it was impossible considering all the effort put by the team behind this project to make one of the first "AI scams" in the web3.
Harvest Keeper vs Automated Trading using Trading Bots (Stoic - TradeSanta)
Harvest Keeper looked to solve a dilemma for every new trader in the crypto environment "how to correctly use trading bots?", to compare this project against others I looked into Stoic and TradeSanta two different platforms that offers Automated trading via trading bots, and the difference became obvious:
- Both projects ask for an account on a Crypto Exchange such as Binance instead of asking you to accept a smart contract with your Metamask or Trusted Wallet, and after that these applications helps you to "Tune" your own trading bot.
- You can "Tune" your bot manually or use a popular config made by other traders, but in the end there isn't something magic as an "AI trading Bot" that can choose the "Best automated strategy" this is something every trader need to adjust using the data provided by these projects and their "Strategies" that can be developed with AI over time.
The Future of AI in Crypto
The case I looked at was a negative perspective of AI in Crypto although it can help developers to test their smart contracts or improve their dApps, AI is still considered something magical that can solve everything, and because of that people will continue to trust new projects that will implement AI to solve their everyday problems such as "Crypto Trading", and although trusted projects are going to appear, newer frauds and scams abusing the "AI" concept will continue to born offering solutions to only 2 clicks, "Approval" and "Claim".
Is a personal task to always manage your wallets correctly without trusting every protocol in the web3, if you can't create more wallets to experiment with new dApps then these scam "dApps" that had thousands of proxy wallets will continue to abuse poor wallet management from the users.
Methodology
Dashboard Objective
Show how AI could have a negative impact on crypto as a new way to scam investors, because of the "human trust" put on these unkown AI dApps.
Dashboard Method
Using Flipside Tables of Binance Smart Chain, Ethereum, Polygon, Avalanche and Arbitrum I'll track the activity of Harvest Keeper in the different chains,
--Tables Used to get the Transaction and Transfer Activity from Harvest Keeper:
lower('0x28120471E1e42e15a71Af5E39cA9f93099F34d2d') as "Harvest Keeper Contract" -- For all Chains
lower('0x55d398326f99059ff775485246999027b3197955') as "BSC-USD Token" -- Only for BSC
--For Binance Smart Chain Activity
bsc.core.fact_token_transfers
bsc.core.fact_transactions
--For Other Chains Activity
avalanche.core.fact_transactions
arbitrum.core.fact_transactions
polygon.core.fact_transactions
ethereum.core.fact_transactions
ethereum.core.ez_token_transfers
ethereum.core.ez_eth_transfers
--For Tokens ($MATIC, $BNB, $WETH, $AVAX) $USD price
ethereum.core.fact_hourly_token_prices
crosschain.core.fact_hourly_prices
Dashboard Data Sources
Harvest Kepper Image from CertiK
"AI-based" dApp Harvest Keeper drains millions in users' funds from AmbCrypto
New Crypto Platform Based On Artificial Intelligence - Harvest Keeper by GlobeNewsWire
AI dApp Harvester Keeper Gets Hacked For Almost 1M by CryptoSlate
Harvest Keeper ContractWolf Audit
TradeSanta Guide to Automated Trading
MetricsDAO Bounty Question
"AI" has been the buzzword lately, from the launch of stable diffusion to ChatGPT, its impact has been felt across various industries. As the crypto industry continues to evolve, it is becoming increasingly important to understand the impact of AI on crypto. To this end, we are launching a bounty that seeks to explore the intersection of crypto and AI.
To participate in this bounty, choose any protocol or decentralized application (dApp) that leverages AI, and answer the following questions:
- How does the protocol/dApp use AI technology, and what specific AI techniques or algorithms does it employ?
- What benefits does the integration of AI bring to the protocol/dApp, and how does it enhance its functionality or user experience?
- Are there any potential risks or limitations of using AI in the context of the protocol/dApp, if yes, how can they be addressed?
Bonus question: Compare the protocol/dApp that uses AI to another protocol/dApp that doesn't use AI but has similar functionality. How does the integration of AI enhance or detract from the user experience or the overall performance of the protocol/dApp compared to its non-AI counterpart? Are there any notable differences in terms of security, scalability, or efficiency between the two protocols/dApps?