Ribbon Finance Sybil Attack: Difference between revisions
No edit summary |
No edit summary |
||
| Line 4: | Line 4: | ||
[[File:Ribbonfinance.jpg|thumb|Ribbon Finance]]Ribbon Finance offered airdrop incentives, which were exploited through a Sybil attack to take a much larger reward than intended. The exploiter had a reputation to maintain and returned the funds without incident. | [[File:Ribbonfinance.jpg|thumb|Ribbon Finance]]Ribbon Finance offered airdrop incentives, which were exploited through a Sybil attack to take a much larger reward than intended. The exploiter had a reputation to maintain and returned the funds without incident. | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country.<ref name="coindesk-4138" /><ref name="ribbonfinancewebsite-4139" /><ref name="coingecko-4140" /><ref name="gabagooldotethtwitter-4141" /><ref name="divdotvctwitter-4142" /><ref name="ribbonfinancedocs-4143" /><ref name="ribbonfinancesecurity-4144" /><ref name="ribbonfinancepeckshieldaudit-4145" /><ref name="ribbonfinancechainsafeaudit-4146" /><ref name="ribbonfinancequantstampaudit-4147" /><ref name="ribbonfinancethetaaudit-4148" /><ref name="ribbonfinanceopenzeppelin-4149" /><ref name="ribbonfinancetwitter-4150" /><ref name="juliankohtwitter-4151" /><ref name="etherscan-4152" /><ref name="etherscan-4153" /><ref name="etherscan-4154" /><ref name="youtube-7323" /><ref name="cypherhunter-7324" /> | ||
<ref name="coindesk-4138" /><ref name="ribbonfinancewebsite-4139" /><ref name="coingecko-4140" /><ref name="gabagooldotethtwitter-4141" /><ref name="divdotvctwitter-4142" /><ref name="ribbonfinancedocs-4143" /><ref name="ribbonfinancesecurity-4144" /><ref name="ribbonfinancepeckshieldaudit-4145" /><ref name="ribbonfinancechainsafeaudit-4146" /><ref name="ribbonfinancequantstampaudit-4147" /><ref name="ribbonfinancethetaaudit-4148" /><ref name="ribbonfinanceopenzeppelin-4149" /><ref name="ribbonfinancetwitter-4150" /><ref name="juliankohtwitter-4151" /><ref name="etherscan-4152" /><ref name="etherscan-4153" /><ref name="etherscan-4154" /><ref name="youtube-7323" /><ref name="cypherhunter-7324" /> | |||
== About Ribbon Finance == | == About Ribbon Finance == | ||
| Line 79: | Line 78: | ||
!Description | !Description | ||
|- | |- | ||
|October 8th, 2021 | |October 8th, 2021 | ||
|Main Event | |Main Event | ||
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
| Line 87: | Line 86: | ||
| | | | ||
|} | |} | ||
== Technical Details == | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | |||
== Total Amount Lost == | == Total Amount Lost == | ||
| Line 106: | Line 108: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Placeholder}} | |||
{{Prevention:Individuals:End}} | |||
== Platform Prevention Policies == | |||
{{Prevention:Platforms:Placeholder}} | |||
{{Prevention:Platforms:End}} | |||
== Regulatory Prevention Policies == | |||
{{Prevention:Regulators:Placeholder}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
Latest revision as of 12:04, 4 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Ribbon Finance offered airdrop incentives, which were exploited through a Sybil attack to take a much larger reward than intended. The exploiter had a reputation to maintain and returned the funds without incident.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]
About Ribbon Finance
"SUSTAINABLE ALPHA FOR EVERYONE" "Earn yield on your cryptoassets with DeFi's first structured products protocol." "Ribbon Finance is a new protocol that helps users access crypto structured products for DeFi. It combines options, futures, and fixed income to improve a portfolio's risk-return profile."
"Theta Vault, which is a yield-focused strategy on ETH and WBTC. The vault earns yield on its deposits by running a weekly automated options selling strategy. The vault reinvests the yield earned back into the strategy, effectively compounding the yields for depositors over time."
"Ribbon's v1 and v2 Theta Vault contracts are audited. Despite the audits and security measures we have taken, we advice users to exercise caution and to not risk funds they are not willing to lose." Audits were found provided by Quantstamp, ChainSafe (2 audits), Peckshield, and OpenZeppelin. "We have an ongoing bug bounty on ImmuneFi, with up to $50,000 of bounty. The contracts that are included in the bounty are ETH and WBTC Theta Vaults."
"On Friday, Oct. 8, DeFi users used Etherscan to discover that a researcher for VC firm Divergence Ventures was receiving hundreds of ETH from wallets selling recently airdropped RBN tokens. The researcher allegedly used dozens of wallets to fulfill bare-minimum parameters to claim $2.5M in RBN tokens, an exploit known as a sybil attack on the distribution. Divergence later acknowledged the sybil attack in which it said it “crossed a line” and said it would be “better contributors to the community going forward.” Divergence also returned Ξ705 ($2.5M) to the Ribbon treasury."
"The episode presents the largely unregulated, permissionless DeFi community with yet another chance to debate the nature of fair play in an increasingly powerful, $200 billion ecosystem where the only governance is on-chain rules and some modicum of common sense."
"[T]his @divdotvc analyst @_bridgeharris has made 652 $ETH and counting from @ribbonfinance airdrops, quite impressive. finding wallets like their's and copytrading them is probably the best way to make it tbh"
"Gabagool told CoinDesk that he spotted the exploit as a result of his day-to-day research. He’d bought Ribbon tokens pre-launch from a friend and was doing due diligence after adding to his position on Friday."
“Today I bought Ribbon in size, so I was looking at the Uniswap v3 pool, checking out some of the wallets buying and selling Ribbon,” he told CoinDesk. “I was curious, primarily to find out what people were doing with their airdrops.”
"He said that he noticed a 17 ETH sale by “happenstance,” a sale whose proceeds were subsequently sent to another wallet. The new wallet, he noted, was funded with ETH that “all came from wallets that had received a Ribbon airdrop and sold a Ribbon airdrop.”"
"The parent wallet also linked to a wallet containing bridget.eth – an Ethereum name service domain that identified the owner as a Divergence Ventures researcher."
“Crypto people are very good at [operations security], but ENS is a weak point,” he cautioned.
"Initially Gabagool reached out to Divergence Ventures’ Calvin Liu to compliment his firm on the windfall, but another friend tipped him off that Divergence was actually an investor in Ribbon – a sign that it may have been acting on insider information."
“That’s when I sent my tweet, because I said, ‘That’s interesting, a fund that’s invested in this protocol has a rogue analyst or is doing something people won’t like,’ based off what I know about crypto.’”
"Divergence has since published a tweet thread acknowledging the sybil attack in which it said it “crossed a line” and said it would be “better contributors to the community going forward.”"
"Divergence also sent the ETH back to the project’s treasury, and the Ribbon community is now debating what to do with the funds."
"The Divergence team is (physically) getting to the other wallets in the next few hours and will send the remaining RBN to the DAO, totaling 100% of the RBN farmed from the protocol."
"A Ribbon Finance representative declined to comment. Divergence Ventures did not respond to a request for comment by press time."
“There are rules we enforce socially, and this is an important example of that playing out,” Gabagool said. “Divergence responded in a few hours and returned 705 ETH because an anon with a ‘Sopranos’ joke as a name tweeted an analysis? That is the opposite of ‘code is law.’ That’s community law, and I don’t think that’s a bad thing. We’re making up the rules as we go along.”
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| October 8th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
The total amount lost has been estimated at $2,500,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ Airdrop Ethics: VC Firm Draws Ire Following $2.5M Ribbon Finance Exploit (Oct 11, 2021)
- ↑ Ribbon Finance: Crypto structured products on Ethereum (Oct 13, 2021)
- ↑ Ribbon Finance (RBN) price today, chart, market cap & news | CoinGecko (Oct 13, 2021)
- ↑ @gabagooldoteth Twitter (Oct 13, 2021)
- ↑ @divdotvc Twitter (Oct 13, 2021)
- ↑ Introduction to Ribbon - Ribbon Finance (Dec 5, 2021)
- ↑ Security - Ribbon Finance (Dec 5, 2021)
- ↑ audit/PeckShield-Audit-Report-Ribbon-v1.0.pdf at master · ribbon-finance/audit · GitHub (Dec 5, 2021)
- ↑ audits/Ribbon-Audit_April-2021.pdf at main · ChainSafe/audits · GitHub (Dec 5, 2021)
- ↑ audit/Quantstamp Theta Vault.pdf at master · ribbon-finance/audit · GitHub (Dec 5, 2021)
- ↑ audit/RibbonThetaVault V2 Smart Contract Review And Verification.pdf at master · ribbon-finance/audit · GitHub (Dec 5, 2021)
- ↑ Ribbon Finance Audit - OpenZeppelin blog (Dec 5, 2021)
- ↑ @ribbonfinance Twitter (Dec 5, 2021)
- ↑ @juliankoh Twitter (Dec 5, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 5, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 5, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 5, 2021)
- ↑ Ribbon Finance Crypto Explained (Automated Options Trading on the Blockchain) - YouTube (Mar 20, 2022)
- ↑ https://www.cypherhunter.com/en/p/ribbon-finance/ (Mar 20, 2022)