Ribbon Finance Sybil Attack
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' section to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Ribbon Finance offered airdrop incentives, which were exploited through a Sybil attack to take a much larger reward than intended. The exploiter had a reputation to maintain and returned the funds without incident.
This is a global/international case not involving a specific country. [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19]
About Ribbon Finance
"SUSTAINABLE ALPHA FOR EVERYONE" "Earn yield on your cryptoassets with DeFi's first structured products protocol." "Ribbon Finance is a new protocol that helps users access crypto structured products for DeFi. It combines options, futures, and fixed income to improve a portfolio's risk-return profile."
"Theta Vault, which is a yield-focused strategy on ETH and WBTC. The vault earns yield on its deposits by running a weekly automated options selling strategy. The vault reinvests the yield earned back into the strategy, effectively compounding the yields for depositors over time."
"Ribbon's v1 and v2 Theta Vault contracts are audited. Despite the audits and security measures we have taken, we advice users to exercise caution and to not risk funds they are not willing to lose." Audits were found provided by Quantstamp, ChainSafe (2 audits), Peckshield, and OpenZeppelin. "We have an ongoing bug bounty on ImmuneFi, with up to $50,000 of bounty. The contracts that are included in the bounty are ETH and WBTC Theta Vaults."
"On Friday, Oct. 8, DeFi users used Etherscan to discover that a researcher for VC firm Divergence Ventures was receiving hundreds of ETH from wallets selling recently airdropped RBN tokens. The researcher allegedly used dozens of wallets to fulfill bare-minimum parameters to claim $2.5M in RBN tokens, an exploit known as a sybil attack on the distribution. Divergence later acknowledged the sybil attack in which it said it “crossed a line” and said it would be “better contributors to the community going forward.” Divergence also returned Ξ705 ($2.5M) to the Ribbon treasury."
"The episode presents the largely unregulated, permissionless DeFi community with yet another chance to debate the nature of fair play in an increasingly powerful, $200 billion ecosystem where the only governance is on-chain rules and some modicum of common sense."
"[T]his @divdotvc analyst @_bridgeharris has made 652 $ETH and counting from @ribbonfinance airdrops, quite impressive. finding wallets like their's and copytrading them is probably the best way to make it tbh"
"Gabagool told CoinDesk that he spotted the exploit as a result of his day-to-day research. He’d bought Ribbon tokens pre-launch from a friend and was doing due diligence after adding to his position on Friday."
“Today I bought Ribbon in size, so I was looking at the Uniswap v3 pool, checking out some of the wallets buying and selling Ribbon,” he told CoinDesk. “I was curious, primarily to find out what people were doing with their airdrops.”
"He said that he noticed a 17 ETH sale by “happenstance,” a sale whose proceeds were subsequently sent to another wallet. The new wallet, he noted, was funded with ETH that “all came from wallets that had received a Ribbon airdrop and sold a Ribbon airdrop.”"
"The parent wallet also linked to a wallet containing bridget.eth – an Ethereum name service domain that identified the owner as a Divergence Ventures researcher."
“Crypto people are very good at [operations security], but ENS is a weak point,” he cautioned.
"Initially Gabagool reached out to Divergence Ventures’ Calvin Liu to compliment his firm on the windfall, but another friend tipped him off that Divergence was actually an investor in Ribbon – a sign that it may have been acting on insider information."
“That’s when I sent my tweet, because I said, ‘That’s interesting, a fund that’s invested in this protocol has a rogue analyst or is doing something people won’t like,’ based off what I know about crypto.’”
"Divergence has since published a tweet thread acknowledging the sybil attack in which it said it “crossed a line” and said it would be “better contributors to the community going forward.”"
"Divergence also sent the ETH back to the project’s treasury, and the Ribbon community is now debating what to do with the funds."
"The Divergence team is (physically) getting to the other wallets in the next few hours and will send the remaining RBN to the DAO, totaling 100% of the RBN farmed from the protocol."
"A Ribbon Finance representative declined to comment. Divergence Ventures did not respond to a request for comment by press time."
“There are rules we enforce socially, and this is an important example of that playing out,” Gabagool said. “Divergence responded in a few hours and returned 705 ETH because an anon with a ‘Sopranos’ joke as a name tweeted an analysis? That is the opposite of ‘code is law.’ That’s community law, and I don’t think that’s a bad thing. We’re making up the rules as we go along.”
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| October 8th, 2021 12:00:00 AM | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Total Amount Lost
The total amount lost has been estimated at $2,500,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Prevention Policies
Which policies could have prevented this event from happening?
References
- ↑ Airdrop Ethics: VC Firm Draws Ire Following $2.5M Ribbon Finance Exploit (Oct 11, 2021)
- ↑ Ribbon Finance: Crypto structured products on Ethereum (Oct 13, 2021)
- ↑ Ribbon Finance (RBN) price today, chart, market cap & news | CoinGecko (Oct 13, 2021)
- ↑ @gabagooldoteth Twitter (Oct 13, 2021)
- ↑ @divdotvc Twitter (Oct 13, 2021)
- ↑ Introduction to Ribbon - Ribbon Finance (Dec 5, 2021)
- ↑ Security - Ribbon Finance (Dec 5, 2021)
- ↑ audit/PeckShield-Audit-Report-Ribbon-v1.0.pdf at master · ribbon-finance/audit · GitHub (Dec 5, 2021)
- ↑ audits/Ribbon-Audit_April-2021.pdf at main · ChainSafe/audits · GitHub (Dec 5, 2021)
- ↑ audit/Quantstamp Theta Vault.pdf at master · ribbon-finance/audit · GitHub (Dec 5, 2021)
- ↑ audit/RibbonThetaVault V2 Smart Contract Review And Verification.pdf at master · ribbon-finance/audit · GitHub (Dec 5, 2021)
- ↑ Ribbon Finance Audit - OpenZeppelin blog (Dec 5, 2021)
- ↑ @ribbonfinance Twitter (Dec 5, 2021)
- ↑ @juliankoh Twitter (Dec 5, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 5, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 5, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 5, 2021)
- ↑ Ribbon Finance Crypto Explained (Automated Options Trading on the Blockchain) - YouTube (Mar 20, 2022)
- ↑ https://www.cypherhunter.com/en/p/ribbon-finance/ (Mar 20, 2022)