Telegram Bot Project Exploited Again: Analysis of Unibot Attack Incidents

![Telegram Bot Project Exploited Again: Analysis of Unibot Attack Incidents](https://img-cdn.gateio.im/webp-social/moments-69a80767fe-38482a25a6-dd1a6f-cd5cc0.webp)

At 12:39:23 on October 31, 2023, Beijing time, Unibot was maliciously exploited and lost $640,000 in assets. The attacker exploited the “arbitrary call” vulnerability in the Unibot router contract to move tokens worth $640,000, which users had pre-authorized to the router contract, into their own account.

Let’s first take a look at the vulnerability analysis and attack process of this incident.

Vulnerability Analysis

![Telegram Bot Project Exploited Again: Analysis of Unibot Attack Incidents](https://img-cdn.gateio.im/webp-social/moments-69a80767fe-f3b6dc1c2f-dd1a6f-cd5cc0.webp)

The function 0xb2bd16ab() does not properly validate its input parameters, specifically g0 and g4. These parameters let a caller make an arbitrary call to an external token contract and execute its ‘transferFrom()’ method.
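The missing parameter check, written out as an added example (not code from the Unibot contract or from the original article): a Python model of the validation a router can apply before forwarding a caller-supplied target and calldata. The function names, the allowlist and all addresses are assumptions constructed for illustration.

```python
# Added example: validation a router can apply before forwarding a caller-supplied call.
# All addresses and the allowlist below are constructed for illustration.
TRANSFER_FROM = bytes.fromhex("23b872dd")  # selector of transferFrom(address,address,uint256)

def encode_transfer_from(owner: str, to: str, amount: int) -> bytes:
    """ABI-encode transferFrom(owner, to, amount); used only to build sample input."""
    pad = lambda a: bytes.fromhex(a[2:]).rjust(32, b"\x00")
    return TRANSFER_FROM + pad(owner) + pad(to) + amount.to_bytes(32, "big")

def check_forwarded_call(caller: str, target: str, calldata: bytes, allowed_targets) -> str:
    """Return 'allow' or 'reject: <reason>' for a call forwarded on behalf of `caller`."""
    # Layer 1: only forward to known swap venues, never to arbitrary contracts.
    if target.lower() not in {t.lower() for t in allowed_targets}:
        return "reject: target not on allowlist"
    # Layer 2: even for an allowed target, never spend another holder's allowance.
    if calldata[:4] == TRANSFER_FROM:
        if len(calldata) < 4 + 3 * 32:
            return "reject: truncated transferFrom calldata"
        owner = "0x" + calldata[16:36].hex()  # low 20 bytes of the first argument word
        if owner != caller.lower():
            return "reject: transferFrom spends allowance of " + owner
    return "allow"

# Constructed sample parties (not real addresses).
CALLER = "0x" + "aa" * 20   # account sending the transaction
HOLDER = "0x" + "bb" * 20   # account that approved the router earlier
TOKEN = "0x" + "cc" * 20    # ERC-20 token contract
DEX = "0x" + "dd" * 20      # swap venue the router is meant to call

def demo():
    drain = encode_transfer_from(HOLDER, CALLER, 1000)
    own = encode_transfer_from(CALLER, DEX, 1000)
    swap = bytes.fromhex("deadbeef") + bytes(64)  # placeholder for some swap call
    return [
        check_forwarded_call(CALLER, TOKEN, drain, {DEX}),         # token is not a venue
        check_forwarded_call(CALLER, TOKEN, drain, {DEX, TOKEN}),  # allowlist too broad
        check_forwarded_call(CALLER, TOKEN, own, {DEX, TOKEN}),    # caller's own funds
        check_forwarded_call(CALLER, DEX, swap, {DEX}),            # ordinary swap
        check_forwarded_call(CALLER, TOKEN, drain[:50], {TOKEN}),  # malformed input
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The same two rules can be applied off-chain as a monitoring check over calls made to a router.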

![Telegram Bot Project Exploited Again: Analysis of Unibot Attack Incidents](https://img-cdn.gateio.im/webp-social/moments-69a80767fe-5d817a19ef-dd1a6f-cd5cc0.webp)

Attack Process

The attack began at 12:39:23 Beijing time on the 31st and lasted until 14:09:47 the same day. During this time, the attacker executed 22 attack transactions, each calling the “0x5456a7bf()” method on the attack contract, which repeatedly called the “0xb2bd16ab()” method in the Unibot router contract to transfer various tokens from the victims’ addresses to the attacker’s own account.

![Telegram Bot Project Exploited Again: Analysis of Unibot Attack Incidents](https://img-cdn.gateio.im/webp-social/moments-69a80767fe-87f369b5c6-dd1a6f-cd5cc0.webp)

In total, 42 tokens were transferred from 364 victim addresses through the router to the attacker, who then sold them for a total of 355.5 ETH (about $640,000).

The Unibot team later responded by deploying a new router contract. On their official X account, they also announced a compensation plan for all victims. All 355.5 ETH has been transferred to Tornado.Cash.

Telegram Bot

This attack is very similar to the previous Maestrobot incident. On October 25, CertiK issued a warning on the X platform that the Maestro Bots router contract of the Telegram bot project was attacked, resulting in a loss of about $500,000.

Telegram bots are an emerging field in the Web 3.0 world. They allow users to perform various DeFi operations through the Telegram interface, with tokens integrated into the bot. However, the line between genuine innovation and confusing illusion is becoming increasingly hard to draw.

The CertiK security team conducted a study of 61 projects on CoinGecko’s list of Telegram bot tokens and found that nearly 40% of the projects were suspected to be dormant, potentially fraudulent, or at risk of not recovering from a large sell-off. The trading mechanisms of these platforms are undoubtedly innovative, but many lack key technical details, especially information about the management of private keys in in-app wallets. We recommend that users exercise extreme caution when operating on these platforms, minimize interaction with them, and avoid storing assets for long periods of time.

Learn about Telegram bots and their tokens

Telegram bots are automated programs that run inside the Telegram chat application. They can make transactions, provide market data to users, assess sentiment on social media, and interact with smart contracts through commands issued from the Telegram interface. This type of bot has been around for years, but in recent years they have gained traction with the advent of Telegram bot tokens.

The Telegram bot token is the native token integrated into the Telegram bot and is mainly used for diversified trading functions such as executing DEX transactions, managing portfolios across wallets, yield farming, and other possible operations related to DeFi. These tokens essentially allow users to connect to the whole of DeFi simply by interacting with the Telegram interface. If these programs can remain secure and operate properly over the long term, they could have a significant impact on the overall accessibility of DeFi.

After July 20 of this year, the popularity of these tokens has risen dramatically, with some even increasing by more than 1,000%. This trend reflects the cyclical frenzy common in the Web 3.0 community, driven by the narrative resonance of the Web 3.0 money community on Platform X (formerly Twitter).

Especially after Unibot came to prominence, a large number of TBTs emerged. As of August 3, 2023, CoinGecko’s bot token column has listed 61 such systems.

Crossing the Intersection of Narratives

TBT (Telegram Bot Token) occupies a unique position in the Web 3.0 space. On Platform X (formerly Twitter), Web 3.0 currency enthusiasts often discuss them as utility tokens. Previously, the term “utility” has been associated with meta-narratives in the Web 3.0 monetary space, often involving stories of specialized industries such as artificial intelligence, fintech, logistics, cross-border transactions, etc. TBT was originally developed along with a “utilitarian” narrative to decentralize and refine trading activities through an innovative user interface. However, TBT has actually gone beyond a single utility meta-narrative and found resonance in a variety of meme and non-meme narratives.

At the same time, as the TBT narrative evolved, there was a cyclical hype around mini-game meme tokens, especially a project called “$HAMS”. $HAMS is a short-lived meme token that allows users to place bets on live hamster matches. However, $HAMS died shortly after launch due to accusations by community members that the operator was reusing hamster video footage. This has given rise to various other game meme tokens, which are also labeled as TBT. One of these tokens is called “$TETRIS”, where users can gamble and participate in Tetris races between players. The connection between certain game meme tokens was formed by their being widely mentioned on the X platform.

![Telegram Bot Project Exploited Again: Analysis of Unibot Attack Incidents](https://img-cdn.gateio.im/webp-social/moments-69a80767fe-f019dd97a4-dd1a6f-cd5cc0.webp)

Another example of TBT narrative intersection involves PAAL AI. While this is not a dedicated meme, the project has developed a ChatGPT-like Telegram chatbot. The token and project structure is also similar to other TBT structures. Curiously, the project doesn’t seem to make a Telegram chatbot, but instead provides a ChatGPT-like web interface. However, the bot can be integrated into the user’s personal Telegram channel via API.

![Telegram Bot Project Exploited Again: Analysis of Unibot Attack Incidents](https://img-cdn.gateio.im/webp-social/moments-69a80767fe-432b45f09c-dd1a6f-cd5cc0.webp)

CoinGecko’s TBT Classification

Shortly after the release of Unibot, CoinGecko launched its detailed list of TBTs. The list was initially released around July 20 and contains about 30 tokens. In just a few weeks, that number swelled to 61. We have analysed this list using a variety of methods, including a combination of indicators such as price momentum, liquidity dynamics, and trading activity, and categorized them according to whether they are likely to die or whether they are still actively trading. As of August, the distribution is shown in the bar chart below:

![Telegram Bot Project Exploited Again: Analysis of Unibot Attack Incidents](https://img-cdn.gateio.im/webp-social/moments-69a80767fe-8548a397bf-dd1a6f-cd5cc0.webp)

Of these 61 projects, we classify 37 as active and 24 as deceased or possibly deceased. The latter are either down more than 85% with little to no liquidity in their pools and no activity, or are likely to be exit scams. That is, nearly 40% of the projects in this category have died or are unlikely to recover.

It is worth mentioning that the wallet provided when registering a Telegram bot account is automatically generated, while the private key is provided later. Unibot does not specify how or where these private keys are stored, whether locally or on the server backend. This means that it is very dangerous to use these Telegram bots for trading and storing funds.

Projects without Telegram integration

In the course of our research, we found that some of the projects listed as TBT either did not integrate their tokens into Telegram or did not have a Telegram trading bot, but only a regular Telegram community channel. Some projects have external DApps with the same functionality as Unibot, while others have roadmaps that indicate that Telegram integration will be implemented in the future.

Other projects don’t have these features, but their presence on this list is perhaps indicative of the cross-narrative we mentioned earlier. These projects may advertise themselves as TBT-type projects when submitting their applications to CoinGecko and state that integration is a goal or will be implemented in the future. We’ve seen how narrative hype can amplify specific categories of tokens, with some even being turned into memes, even if the project doesn’t actually have anything to do with the category it’s assigned to. According to our analysis, the impact of this kind of narrative hype is so large that it can partly explain this divergence.

Closing Thoughts

Whenever a new narrative becomes popular in the digital currency community, there will be a large number of similar projects that continue to be released under the same narrative, many of which are either exit scams or attempts to steal investors’ assets, and TBT is no exception in this regard.

The development of TBT could be a unique innovation for the DeFi community. While the utility of these tokens is unclear, the emergence of similar platforms offers investors new ways to aggregate data into their trading strategies. However, users should be extra cautious with these platforms.

In the TBT field, projects exist in the form of memes, and their value can disappear overnight, which requires us to participate cautiously and stay informed. Many projects don’t provide users with clear documentation of where and how their wallet keys are stored, so there’s a huge risk of unknowns.

Users should not consider using these platforms for storage. Users should also exercise caution when linking external wallets to these platforms, or interacting with websites generated by these projects.
