Unibot Attack Incident Analysis: After Maestrobot, the Telegram Bot project has been maliciously exploited again

Odaily Planet Daily (星球日报)

![Unibot Attack Incident Analysis: After Maestrobot, Telegram Bot Project Has Been Exploited Again](https://piccdn.0daily.com/202311/01022556/cnjyy42la5bhy1fv!webp)

At 12:39:23 Beijing time on October 31, 2023, **Unibot was maliciously exploited and lost $640,000 in assets.** An attacker exploited an “arbitrary call” vulnerability in the Unibot router contract to transfer $640,000 worth of various tokens, which users had pre-authorized to the router contract, to their own account.

Let’s first take a look at the vulnerability analysis and attack process of this incident.

Vulnerability Analysis

![Unibot Attack Incident Analysis: After Maestrobot, Telegram Bot Project Has Been Exploited Again](https://piccdn.0daily.com/202311/01022621/tgok7idxkfx8z9bm!webp)

The function 0xb2bd16ab() does not properly validate its input parameters, specifically g 0 and g 4, which are used to make an arbitrary call to an external token contract and execute its “transferFrom()” method.

![Unibot Attack Incident Analysis: After Maestrobot, Telegram Bot Project Has Been Exploited Again](https://piccdn.0daily.com/202311/01022644/jel7r8e6ov2w3gxi!webp)

Attack process

The attack began at 12:39:23 Beijing time on the 31st and lasted until 14:09:47 the same day. During this time, the attacker executed 22 attack transactions, each calling the “0x5456a7bf()” method on the attack contract, which in turn repeatedly called the “0xb2bd16ab()” method in the Unibot router contract to transfer various tokens from the victims’ addresses to the attacker’s own account.

![Unibot Attack Incident Analysis: After Maestrobot, Telegram Bot Project Has Been Exploited Again](https://piccdn.0daily.com/202311/01022752/a6t9jtf2v62t3cdh!webp)

In total, 42 tokens were transferred from 364 victim addresses through the router to the attackers, which the exploiters then sold for a total of 355.5 ETH (about $640,000).
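The pattern described above, a router spending the allowances of addresses that did not send the transaction, can be searched for in call traces. The Python below is an added example, not code from the article, CertiK or Unibot; the trace record fields, addresses and sample data are constructed assumptions, and the check is a heuristic.

```python
# Added example: addresses, hashes and trace records are constructed placeholders.
from collections import defaultdict

TRANSFER_FROM = "23b872dd"  # selector of ERC-20 transferFrom(address,address,uint256)

def build_calldata(owner, to, amount):
    """ABI-encode a transferFrom call (used only to build the sample data)."""
    pad = lambda addr: addr[2:].lower().rjust(64, "0")
    return "0x" + TRANSFER_FROM + pad(owner) + pad(to) + format(amount, "064x")

def decode_transfer_from(calldata):
    """Return (owner, recipient, amount) for transferFrom calldata, else None."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 3 * 64 or data[:8] != TRANSFER_FROM:
        return None
    words = [data[8 + 64 * i: 8 + 64 * (i + 1)] for i in range(3)]
    # An address is the low 20 bytes of its 32-byte ABI word.
    return "0x" + words[0][24:], "0x" + words[1][24:], int(words[2], 16)

def flag_allowance_drains(traces, router):
    """Map tx hash -> owners whose allowance to `router` was spent in a
    transaction they did not send (heuristic, not proof of theft)."""
    hits = defaultdict(set)
    for t in traces:
        decoded = decode_transfer_from(t["calldata"])
        if t["caller"].lower() != router.lower() or decoded is None:
            continue
        owner, _recipient, amount = decoded
        if amount > 0 and owner != t["tx_sender"].lower():
            hits[t["tx_hash"]].add(owner)
    return dict(hits)

ROUTER, ATTACKER, USER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
VICTIM_1, VICTIM_2 = "0x" + "d1" * 20, "0x" + "d2" * 20
SAMPLE_TRACES = [  # constructed internal-call records: who called a token, with what
    {"tx_hash": "0xtx1", "tx_sender": ATTACKER, "caller": ROUTER,
     "calldata": build_calldata(VICTIM_1, ATTACKER, 1000)},
    {"tx_hash": "0xtx1", "tx_sender": ATTACKER, "caller": ROUTER,
     "calldata": build_calldata(VICTIM_2, ATTACKER, 250)},
    {"tx_hash": "0xtx2", "tx_sender": USER, "caller": ROUTER,  # user's own trade
     "calldata": build_calldata(USER, ROUTER, 500)},
]

if __name__ == "__main__":
    for tx, owners in flag_allowance_drains(SAMPLE_TRACES, ROUTER).items():
        print(tx, sorted(owners))
```

Routers that relay trades from a separate operator account would need that account added as an allowed sender before alerting on the result.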

The Unibot team later responded by deploying a new router contract. On their official X account, they also announced a compensation plan for all victims. Currently, all 355.5 ETH has been transferred to Tornado.Cash.

Telegram bots

**This attack is very similar to the previous Maestrobot incident.** On October 25, CertiK issued a warning on X that the router contract of the Telegram bot project Maestro Bots had been attacked, resulting in a loss of about $500,000.

Telegram bots are an emerging field in the Web 3.0 world that lets users perform various DeFi operations through the Telegram interface, with the project's token integrated into the bot. However, telling genuine innovation apart from confusing illusions is becoming increasingly difficult.

The CertiK security team conducted a study of the 61 projects on CoinGecko’s list of Telegram bot tokens and found that nearly 40% of them were suspected to be dormant, potentially fraudulent, or at risk of not being able to recover from the sharp sell-off. The trading mechanisms of these platforms are undoubtedly innovative, but many lack key technical details, especially information about the management of private keys in in-app wallets. We recommend that users exercise extreme caution when operating on these platforms, minimize interaction with them, and avoid storing assets for long periods of time.

Learn about Telegram bots and their tokens

**Telegram bots are automated programs that run inside the Telegram chat application. They can make transactions, provide market data to users, assess sentiment on social media, and interact with smart contracts by executing commands issued through the Telegram interface. This type of bot has been around for years, but it has recently gained traction with the advent of the Telegram bot token.**

**The Telegram bot token is the native token integrated into the Telegram bot and is mainly used for diversified trading functions such as executing DEX transactions, managing portfolios across wallets, yield farming, and other possible operations related to DeFi. These tokens essentially allow users to connect to the entire DeFi ecosystem simply by interacting with the Telegram interface. If these programs can remain secure and functioning properly for a long time, they could have a significant impact on the overall accessibility of DeFi.**

Since July 20 of this year, the popularity of these tokens has risen dramatically, with some even rising by more than 1000%. This trend reflects the cyclical frenzy common in the Web3.0 community, driven by narratives that resonate with the Web3.0 currency community on X (formerly Twitter).

In particular, after Unibot came to prominence, a large number of TBTs emerged. As of August 3, 2023, CoinGecko’s bot token column has listed 61 such systems.

Navigating the crossroads of narratives

TBT (Telegram Bot Token) occupies a unique position in the Web3.0 space. On X (formerly Twitter), Web3.0 currency enthusiasts often discuss them as utility tokens. Previously, the term “utility” has been associated with meta-narratives in the Web 3.0 currency space, often involving stories from specialized industries such as artificial intelligence, fintech, logistics, cross-border transactions, and more. TBT was originally developed along with a “utility” narrative of decentralizing and refining trading activities through an innovative user interface. However, TBT has gone beyond a single utility meta-narrative and found resonance in a variety of meme and non-meme narratives.

At the same time, as the TBT narrative evolved, a periodic hype around mini-game meme tokens emerged, especially with a project called “$HAMS”. $HAMS is a short-lived meme token that allows users to place bets on hamster match live streams. However, $HAMS died shortly after launch due to accusations by community members that the operator was reusing hamster video footage. This has given rise to various other gaming meme tokens, also labeled as TBT. One of these tokens is called “$TETRIS”, where users can gamble and participate in Tetris races between players. The connection between certain gaming meme tokens was formed by their being widely mentioned together on X.

![Unibot Attack Incident Analysis: After Maestrobot, Telegram Bot Project Has Been Exploited Again](https://piccdn.0daily.com/202311/01023011/4hyfzrordb1wtexu!webp)

Another example of a TBT narrative intersection involves PAAL AI. While this is not a dedicated meme, the project has developed a ChatGPT-like Telegram chatbot. The token and project structure is also similar to other TBT structures. Curiously, the project doesn’t seem to make a Telegram chatbot, but instead provides a ChatGPT-like web interface. However, the bot can be integrated into the user’s personal Telegram channel via API.

![Unibot Attack Incident Analysis: After Maestrobot, Telegram Bot Project Has Been Exploited Again](https://piccdn.0daily.com/202311/01023038/tic6p7bpbfnu24gf!webp)

CoinGecko’s TBT classification

Shortly after the release of Unibot, CoinGecko launched its detailed list of TBTs. The list was initially released around July 20 and contains about 30 tokens. In just a few weeks, that number swelled to 61. We analyzed the list using a variety of methods, including a combination of indicators such as price momentum, liquidity dynamics, and trading activity, and categorized them according to whether they are likely to die or whether they are still actively trading. The distribution as of August is shown in the bar chart below:

![Unibot Attack Incident Analysis: After Maestrobot, Telegram Bot Project Has Been Exploited Again](https://piccdn.0daily.com/202311/01023058/ratgyss6if20n83m!webp)

Of these 61 projects, we classify 37 as active and 24 as deceased or possibly deceased. The latter are down more than 85%, have little to no liquidity in their pools and no activity, or are likely to be exit scams. That is, nearly 40% of the projects in this category have died or are unlikely to recover.

It is worth mentioning that the wallet provided when registering a Telegram bot account is automatically generated, while the private key is provided later. Unibot doesn’t say how or where these private keys are stored, whether locally or on a backend server. This means that it is very dangerous to use these Telegram bots for trading and storing funds.

Projects that do not integrate Telegram

In the course of our research, we found that some of the projects listed as TBT either did not integrate their tokens into Telegram or did not have a Telegram trading bot, but only a regular Telegram community channel. Some projects have external DApps with the same functionality as Unibot, while others have roadmaps that indicate that Telegram integration will be implemented in the future.

Other projects don’t have these features, but their presence on this list is perhaps indicative of the cross-narrative we mentioned earlier. These projects may advertise themselves as TBT-type projects when submitting their applications to CoinGecko and state that Telegram integration is a goal or will be implemented in the future. We’ve seen how narrative hype can amplify specific categories of tokens, with some even being turned into memes, even if the project doesn’t actually have anything to do with the category it’s assigned to. According to our analysis, the impact of this kind of narrative hype is so large that it can partly explain this divergence.

Final thoughts

Whenever a new narrative becomes popular in the digital currency community, there will be a plethora of similar projects that continue to be released under the same narrative, many of which are either exit scams or attempting to steal investors’ assets, and TBT is no exception in this regard.

The development of TBT could be a unique innovation for the DeFi community. While the utility of these tokens is unclear, the emergence of similar platforms offers investors new ways to aggregate data into their trading strategies. However, users should be extra cautious with these platforms.

In the TBT space, projects exist in the form of memes, and their value can disappear overnight, which requires us to be cautious and informed. Many projects don’t provide users with clear documentation of where and how their wallet keys are stored, so there’s a huge risk of unknowns.

Users should not consider using these platforms for storage. Users should also exercise caution when linking external wallets to these platforms, or interacting with websites generated by these projects.
