
At 12:39:23 on October 31, 2023 Beijing time, Unibot was exploited due to a vulnerability, resulting in a loss of $640,000 in assets. The attacker exploited the "arbitrary call" vulnerability in the Unibot router contract to transfer various tokens worth $640,000, which were pre-authorized to the router contract, to their own account.
Let's first look at the vulnerability and the attack process of this incident.
Vulnerability Analysis

The router function with selector 0xb2bd16ab did not properly validate its input parameters, in particular varg0 and varg4 (decompiler-assigned parameter names), which together were used to make an arbitrary call to an external token contract and execute its 'transferFrom()' method. Because the call is made by the router itself, the allowance check inside the token passes for every user who had approved the router, regardless of who triggered the call.
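To make the "arbitrary call" pattern concrete, here is a constructed illustration (not Unibot's actual contract; the contract and function names are assumptions) showing a router that forwards caller-chosen target and calldata next to a hardened version that fixes the call target and always uses msg.sender as the `from` side of transferFrom():

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern (constructed illustration, not Unibot's code). The router
// forwards a caller-chosen target and calldata. Inside the token contract,
// msg.sender is the router, so the allowance check in transferFrom() passes
// for every user who approved the router, no matter who called execute().
// Every approval granted to this router is therefore spendable by anyone.
contract VulnerableRouter {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Hardened pattern. The router never makes arbitrary calls: the token must be
// on an owner-managed allowlist, the function invoked is fixed, and the `from`
// side of transferFrom() is always msg.sender, so a caller can only spend
// their own approval, never another user's.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedToken;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setAllowedToken(address token, bool allowed) external onlyOwner {
        allowedToken[token] = allowed;
    }

    // Pulls `amount` of an allowlisted token from the caller into the router.
    function pullFromSender(address token, uint256 amount) external {
        require(allowedToken[token], "token not allowed");
        bool ok = IERC20(token).transferFrom(msg.sender, address(this), amount);
        require(ok, "transferFrom failed");
    }
}
```

For users, the practical lesson is the same as the incident shows: an approval granted to a router is only as safe as that router's input validation, so unused approvals to third-party routers should be revoked.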

Attack Process
The attack started at 12:39:23 on October 31 and lasted until 14:09:47 on the same day. During this period, the attacker executed 22 attack transactions, calling the "0x5456a7bf()" method on the attack contract, which repeatedly called the "0xb2bd16ab()" method in the Unibot router contract to transfer various tokens from the victims' addresses to their own account.

A total of 42 types of tokens were transferred from 364 victim addresses to the attacker's possession through the router, and the exploiters subsequently sold these tokens, obtaining a total of 355.5 ETH (approximately $640,000).
The Unibot team later responded by deploying a new router contract. They also announced a compensation plan for all victims on their official X account. At the time of writing, all 355.5 ETH had been transferred to Tornado.Cash.
Telegram Bots
This attack is very similar to the previous Maestrobot incident. On October 25, CertiK Alert issued a warning on X platform, stating that the Telegram Bot project Maestro Bots router contract was attacked, resulting in a loss of approximately $500,000.
Telegram Bots are an emerging area in the Web3.0 world, allowing users to perform various DeFi operations through the Telegram interface, usually with a native token integrated into the bot. However, distinguishing genuine innovation from hype has become increasingly difficult.
The CertiK security team conducted research on 61 projects in the CoinGecko Telegram Bot token list and found that nearly 40% of the projects are suspected to be dormant, potentially fraudulent, or at risk of being unable to recover from significant sell-offs. While the trading mechanisms of these platforms are undoubtedly innovative, many lack crucial technical details, especially related to in-app wallet private key management. We advise users to exercise extra caution when operating on these platforms, minimize interaction with them, and avoid long-term asset storage.
Understanding Telegram Bots and Their Tokens
Telegram Bots are automated programs that run through the Telegram messaging app. They can execute trades, provide market data to users, assess sentiment on social media, and interact with smart contracts through commands issued via the Telegram interface. Bots of this kind have existed for many years, but they have recently gained attention with the emergence of Telegram Bot tokens.
Telegram Bot tokens are native tokens integrated into Telegram Bots, mainly used for trading-related functions such as executing DEX trades, managing investment portfolios across wallets, yield farming, and other DeFi operations. These tokens essentially allow users to access the entire DeFi ecosystem solely through interaction with the Telegram interface. If these programs can maintain long-term security and normal operation, they could have a significant impact on the overall accessibility of DeFi.
After July 20 of this year, the popularity of these tokens rose sharply, with some tokens gaining over 1000%. This trend reflects the cyclical enthusiasm common in the Web3.0 community, driven by narratives circulating among Web3.0 crypto communities on X (formerly Twitter).
Especially after the emergence of Unibot, a large number of TBTs (Telegram Bot Tokens) have appeared. As of August 3, 2023, CoinGecko's Bot Token section listed 61 such projects.
Crossroads of Narrative Intersection
TBT (Telegram Bot Token) holds a unique position in the Web3.0 field. Web3.0 crypto enthusiasts on X (formerly Twitter) often discuss them as utility tokens. Previously, the term "utility" has been associated with meta-narratives in the Web3.0 crypto field, often involving stories about industries such as artificial intelligence, financial technology, logistics, and cross-border trade. TBT initially developed alongside the "utility" narrative, aiming to decentralize and improve trading activity through innovative user interfaces. However, TBT has in practice transcended a single utility meta-narrative, finding resonance in various meme and non-meme narratives.
Meanwhile, as the TBT narrative developed, there was a periodic frenzy around meme tokens tied to mini-games, especially a project called "$HAMS." $HAMS was a short-lived meme token that allowed users to place bets on hamster race live streams. However, following allegations that the operator was reusing hamster video clips, $HAMS quickly fizzled out after its launch. This gave rise to various other game-themed tokens, also referred to as TBT. One such token, "$TETRIS," allows users to gamble on and participate in Tetris competitions between players. The connection between these game-themed tokens and TBT was formed through widespread mentions on X.

Another example of the TBT narrative intersecting with others is PAAL AI. While not a dedicated meme token, the project developed a ChatGPT-like chatbot, and its token and project structure resemble those of other TBTs. Interestingly, the project does not appear to have built a Telegram-native chatbot; instead it provides a ChatGPT-like web interface, which can still be integrated into users' own Telegram channels via API.

CoinGecko's TBT Classification
Shortly after Unibot's release, CoinGecko launched its detailed TBT list. The list was initially released around July 20 and included approximately 30 tokens. In just a few weeks, this number surged to 61. We analyzed this list using various methods, including price momentum, liquidity dynamics, and trading activity, and classified the projects based on whether they may be dead or still actively traded. The specific distribution as of August is shown in the bar chart below:
Among these 61 projects, we categorized 37 as active and 24 as dead or potentially dead. Nearly 40% of the projects in this category are either dead (a decline of over 85% in value, minimal or no liquidity in their pools, and no activity) or likely exit scams. In other words, nearly 40% of the projects in this category are dead or unlikely to recover.
It is worth noting that the wallet created when registering with a Telegram bot is auto-generated by the bot, and the private key is handed to the user afterwards. Unibot did not specify how or where these private keys are stored. This means that using these Telegram bots for trading and storing funds is extremely dangerous.
Projects Not Integrated with Telegram
During our research, we found some projects listed as TBT that either had not integrated their tokens into Telegram or had no Telegram trading bot at all, only a regular Telegram community channel. Some projects have external DApps with functionality similar to Unibot's, while the roadmaps of others indicate future integration with Telegram.
Other projects have none of these functionalities, and their presence on the list may reflect the narrative crossover we discussed earlier. These projects may have self-identified as TBT-type projects when submitting their listing applications to CoinGecko and stated integration, or future integration, as a goal. We have seen how narrative hype can expand the presence of a given token category, with some tokens even existing in a "meme" manner, even if the project has no relevance to the category it has been assigned to. According to our analysis, the impact of this kind of narrative hype is significant and partly explains the divergence mentioned above.
In Conclusion
Whenever a new narrative becomes popular in the cryptocurrency community, numerous similar projects continue to be released under the same narrative, many of which are either exit scams or attempts to steal investors' assets, and TBT is no exception.
The development of TBT may be a unique innovation in the DeFi community. While the utility of such tokens is not yet clear, the emergence of these platforms gives investors new ways to aggregate data into trading strategies. However, users should exercise extreme caution with these platforms.
In the TBT space, projects exist in a meme-like manner and their value could disappear overnight, so a cautious and informed approach is required. Many projects cannot provide clear documentation to users and cannot explain where their wallet keys are stored or how they are generated, posing significant unknown risks.
Users should refrain from using these platforms for storage. When linking external wallets to these platforms or interacting with websites generated by these projects, users should also proceed with caution.
Disclaimer: This article represents only the author's personal views and not the position or views of this platform. It is provided for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If any article or image published on this page infringes rights, please send proof of rights and proof of identity to support@aicoin.com, and the platform's staff will review it.
