Full Report
BananaGun is a Telegram trading bot for Ethereum and Solana. From reading the documentation, the bot can be configured by the user to perform various actions automatically or directly from the app, which means that in some capacity the bot must have access to users' private keys. The analysis makes it pretty clear where the vulnerability was. Only users with a public presence were affected by this issue, so the bot itself had been manipulated somehow. According to the write-up, the oracle for the Telegram bot had been tricked. There are no details on what went wrong in the oracle, but it was probably something like missing contract address checks. At the end of the day, $3M was stolen from 11 users of the platform using this vulnerability. Afterwards, BananaGun added 2FA, transfer delays and security reviews, all things that should have been done before the hack. I find web3 off-chain infrastructure interesting, so this bug tickled my fancy on that end. I wish we had more details on the actual oracle vuln though.
Analysis Summary
# Incident Report: Banana Gun Telegram Bot Oracle Manipulation
## Executive Summary
On September 19, 2024, the Banana Gun Telegram trading bot experienced a targeted exploit resulting in the theft of approximately $3 million from 11 high-profile users. The attacker leveraged a novel vulnerability in the bot's Telegram message oracle to gain unauthorized access to user funds on both the Ethereum and Solana networks. Following the incident, the organization halted bot operations, implemented enhanced security features (2FA and transfer delays), and committed to fully reimbursing victims.
## Incident Details
- **Discovery Date:** September 19, 2024
- **Incident Date:** September 19, 2024
- **Affected Organization:** Banana Gun
- **Sector:** Decentralized Finance (DeFi) / Automated Trading
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** September 19, 2024
- **Vector:** Exploitation of a "message oracle" vulnerability.
- **Details:** The attacker manipulated the Telegram oracle used by the bot. While full technical details remain undisclosed, the exploit allowed the attacker to bypass standard authorization to trigger manual transfers.
### Lateral Movement
- **Details:** No traditional network lateral movement was involved; instead, the single off-chain weakness reached user wallets on both chains the bot serves, Ethereum and Solana, in the same operation.
### Data Exfiltration/Impact
- **Details:** The attacker targeted 11 specific "smart money" traders or users with significant social presence. Approximately $3 million in ETH and SOL were manually transferred from user-controlled wallets connected to the bot to attacker-controlled addresses.
### Detection & Response
- **Discovery:** First detected by community members and independent security researchers (e.g., Yannick Crypto) noticing unauthorized outflows.
- **Response Actions:** Banana Gun developers shut down the Ethereum and Solana bot services to prevent further drainage. An immediate investigation into the oracle vulnerability was launched.
## Attack Methodology
- **Initial Access:** Manipulation of the Telegram message oracle.
- **Persistence:** Not applicable; the attack was a surgical "smash and grab" using the bot's existing permissions.
- **Privilege Escalation:** Tricking the bot’s backend into treating attacker commands as authorized user instructions.
- **Defense Evasion:** Targeted individuals instead of a mass drain, likely to avoid triggering broad automated alarms immediately.
- **Credential Access:** The bot requires access to private keys to function; the oracle vulnerability meant the attacker never had to steal those keys, since commanding the bot was enough to move the funds the keys protected.
- **Impact:** Unauthorized manual transfers of ETH and SOL out of bot-connected wallets.
## Impact Assessment
- **Financial:** ~$3,000,000 USD stolen.
- **Data Breach:** The damage was to integrity rather than confidentiality: the oracle's message path and the bot's transaction-authorization logic were subverted.
- **Operational:** Temporary shutdown of both Ethereum and Solana trading bots.
- **Reputational:** Significant loss of trust among "smart money" traders and the broader DeFi community.
## Indicators of Compromise
- **Behavioral indicators:**
  - Unauthorized manual ETH/SOL transfers originating from valid bot-connected wallets.
  - Specifically targeted movement of funds from "known" or high-volume social media figures in the crypto space.
## Response Actions
- **Containment:** Emergency shutdown of the Telegram bot's backend for all chains.
- **Eradication:** Identification and patching of the message oracle vulnerability.
- **Recovery:** Implementation of mandatory Two-Factor Authentication (2FA) for transfers, enforced transfer delays, and a promise of full refunds from the project treasury.
## Lessons Learned
- **Key Takeaways:** Off-chain infrastructure (the Telegram message oracle) is a critical single point of failure for bots marketed as "non-custodial" that nevertheless hold or can use users' private keys: whoever controls the command path controls the funds.
- **Shortcomings:** The absence of basic security hurdles such as 2FA or time-locks on transfers meant that, once the oracle was tricked, funds could be drained instantly with no window for detection or cancellation.
## Recommendations
- **Oracle Integrity:** Validate every inbound message and bind each command to the authenticated sender before acting on it; enforce strict contract and destination address checks for all off-chain oracles.
- **Defense in Depth:** Mandatory 2FA and multi-signature requirements for large or unusual transfers.
- **User Privacy:** Encourage users to avoid linking their public social identities to high-value trading bot wallets to reduce "target profiling."
- **Security Audits:** Conduct regular third-party reviews of off-chain infrastructure, not just on-chain smart contracts.
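The actual oracle bug is undisclosed, so the following is an added illustration, not Banana Gun's code: it models the class of failure described under Attack Methodology (the backend treating an attacker's command as an authorized user's instruction) beside a hardened handler that applies the controls listed under Response Actions and Recommendations (sender binding, TOTP 2FA, a destination allowlist as one form of address check, and a transfer delay). The command formats, the `USERS` registry, the delay value and the Telegram update shape built by `make_update` are all assumptions for the example.

```python
import hashlib
import hmac
import struct

# Assumed policy values; the report names 2FA and transfer delays but gives no figures.
TRANSFER_DELAY_SECONDS = 24 * 3600
TOTP_STEP = 30

# Constructed user registry (not real data): Telegram user id -> bot-managed wallet.
USERS = {
    1001: {"wallet": "0xA11ce", "totp_secret": b"alice-totp-secret",
           "allowed_destinations": {"0xA11ceC01d"}},
    2002: {"wallet": "0xMa110ry", "totp_secret": b"mallory-totp-secret",
           "allowed_destinations": {"0xMa110ryExit"}},
}


def make_update(sender_id, text, chat_type="private"):
    """Build a minimal, constructed Telegram Bot API style Update object."""
    return {"update_id": 1, "message": {"message_id": 1,
            "from": {"id": sender_id, "is_bot": False},
            "chat": {"id": sender_id, "type": chat_type}, "text": text}}


def vulnerable_transfer(update):
    """Hypothetical bug of the class the report describes: the wallet to debit
    is taken from a field the sender wrote ("/transfer <owner_id> <dest> <amount>")
    and is never compared with the sender Telegram attached, so any user can
    issue a 'manual transfer' out of any other user's wallet."""
    _, owner_id, dest, amount = update["message"]["text"].split()
    owner = USERS[int(owner_id)]
    return {"status": "sent", "from": owner["wallet"], "to": dest, "amount": int(amount)}


def totp(secret, now, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step); `now` is a Unix timestamp."""
    counter = struct.pack(">Q", int(now) // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hardened_transfer(update, now, pending):
    """Authorize from message.from.id (set by Telegram, not by the message text),
    require a TOTP code, restrict destinations to a pre-registered allowlist and
    queue the transfer behind a delay instead of broadcasting it at once.
    Command format: "/transfer <dest> <amount> <totp>"."""
    msg = update["message"]
    sender = USERS.get(msg["from"]["id"])
    if sender is None:
        return {"status": "rejected", "reason": "unregistered sender"}
    if msg["chat"]["type"] != "private":
        return {"status": "rejected", "reason": "transfers only accepted in a private chat"}
    parts = msg["text"].split()
    if len(parts) != 4:
        return {"status": "rejected", "reason": "malformed command"}
    _, dest, amount, code = parts
    if dest not in sender["allowed_destinations"]:
        return {"status": "rejected", "reason": "destination not on allowlist"}
    if not hmac.compare_digest(code, totp(sender["totp_secret"], now)):
        return {"status": "rejected", "reason": "bad 2FA code"}
    entry = {"from": sender["wallet"], "to": dest, "amount": int(amount),
             "executes_at": now + TRANSFER_DELAY_SECONDS}
    pending.append(entry)
    return {"status": "queued", "executes_at": entry["executes_at"]}


def execute_due(pending, now):
    """Release (here: return) only queued transfers whose delay has elapsed;
    anything still inside the window stays pending and can be cancelled."""
    due = [t for t in pending if t["executes_at"] <= now]
    pending[:] = [t for t in pending if t["executes_at"] > now]
    return due


if __name__ == "__main__":
    now = 1_726_700_000  # constructed timestamp
    attack = make_update(2002, "/transfer 1001 0xMa110ryExit 5")
    print("vulnerable:", vulnerable_transfer(attack))
    queue = []
    mallory_code = totp(USERS[2002]["totp_secret"], now)
    print("hardened, attacker:", hardened_transfer(
        make_update(2002, f"/transfer 0xA11ceC01d 5 {mallory_code}"), now, queue))
    alice_code = totp(USERS[1001]["totp_secret"], now)
    print("hardened, owner:", hardened_transfer(
        make_update(1001, f"/transfer 0xA11ceC01d 5 {alice_code}"), now, queue))
    print("due now:", execute_due(queue, now))
    print("due after delay:", execute_due(queue, now + TRANSFER_DELAY_SECONDS))
```

In the hardened handler there is no field through which a sender can name another user's wallet at all: the debited wallet is a function of the authenticated sender, the destination must have been registered in advance, and the delay turns an instant drain into a pending entry that the owner (or monitoring) can still cancel.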