People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
BananaGun is a Telegram trading bot for Ethereum and Solana. From reading the documentation, the bot can be configured by the user to perform various actions automatically or directly from the app. This means that, in some capacity, the bot must have access to users' private keys.
The analysis makes it pretty clear where the vulnerability was. Only users with a public presence were affected by this issue. Hence, the bot itself had been manipulated somehow. According to the write-up, the oracle for the Telegram bot had been tricked. There are no details on what went wrong in the oracle, but it was probably something like missing contract address checks.
At the end of the day, $3M was stolen from 11 users of the platform using this vulnerability. Afterwards, BananaGun added 2FA, transfer delays and security reviews, all things that should have been done before the hack. I find web3 off-chain infrastructure interesting, so this bug tickled my fancy on that end. I wish we had more details on the actual oracle vuln though.