Key Points
- Banana Gun, a popular Telegram-based crypto trading bot, experienced a $3 million hack affecting 11 users due to a vulnerability in its Telegram message oracle.
- The company has committed to fully refunding all affected users from its treasury without selling any tokens, demonstrating its commitment to user trust and security.
Hack Details and Targeted Victims
On September 19, 2024, Banana Gun, a widely-used cryptocurrency trading bot operating via Telegram, fell victim to a sophisticated hack. The attack resulted in unauthorized transfers from users’ crypto wallets, forcing the company to temporarily disable its Ethereum Virtual Machine (EVM) and Solana bots to prevent further losses.
Unlike typical crypto scams that often target inexperienced investors, this attack specifically focused on seasoned traders and crypto veterans. The victims, known for their social presence or trading expertise, witnessed the attacker manually transferring Ethereum (ETH) from their wallets while they were actively using the bot and receiving notifications.
Attack Analysis and Vulnerability
Initial reports suggested that 36 users had lost nearly $2 million worth of ETH. However, Banana Gun’s post-mortem investigation revealed that the actual impact was more concentrated but costlier, with 11 users losing a total of $3 million.
The company’s development team, along with external experts, identified a potential vulnerability in the Telegram message oracle used by the bot. This weakness is believed to have enabled the exploit, as evidenced by:
- The manual nature of the transfers rather than a scripted drain
- Victims receiving in-bot notifications of the unauthorized transfers
Banana Gun’s Response and Security Measures
In response to the incident, Banana Gun has taken several steps to address the situation and prevent future occurrences:
- Full Refunds: The company has committed to fully refunding all affected users from its treasury, without selling any tokens to cover the losses.
- Enhanced Security:
  - Implemented a 2-hour transfer delay
  - Planning to add two-factor authentication (2FA) for transfers
  - Conducted a thorough review of both back-end and front-end systems
  - Redeployed the back-end and switched to new servers
- External Collaboration: Banana Gun has partnered with Security Alliance, a leading web3 security team, for investigation and future pentesting.
- Transparency: The company has provided a detailed recap of the incident, demonstrating its commitment to open communication with its user base.
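To illustrate the first two of those measures, here is an added example (not Banana Gun's code; the bot's actual implementation is not shown on this page) of a transfer gate in Python: a transfer requested through the message channel is only queued, must be confirmed with a separate second factor, and cannot execute before the delay elapses, so the in-bot notification gives the wallet owner time to cancel. The class and method names, the addresses and the 2FA codes are assumptions.

```python
import hmac
import time
from dataclasses import dataclass

TRANSFER_DELAY_SECONDS = 2 * 60 * 60  # the 2-hour delay described above

@dataclass
class PendingTransfer:
    user_id: str
    to_address: str      # hypothetical destination address
    amount_eth: float
    requested_at: float  # unix time when the bot received the request
    confirmed_2fa: bool = False
    cancelled: bool = False

class TransferGate:
    """Queues bot-initiated transfers; `clock` is injectable for testing."""
    def __init__(self, delay: int = TRANSFER_DELAY_SECONDS, clock=time.time):
        self.delay, self.clock = delay, clock
        self.queue = {}
        self._next_id = 1
    def request(self, user_id: str, to_address: str, amount_eth: float) -> int:
        # A message-channel request never moves funds directly; it only creates a
        # pending entry that the owner is notified about and can cancel.
        tid, self._next_id = self._next_id, self._next_id + 1
        self.queue[tid] = PendingTransfer(user_id, to_address, amount_eth, self.clock())
        return tid
    def confirm_2fa(self, tid: int, submitted: str, expected: str) -> bool:
        # Second factor (assumed TOTP-style code) compared in constant time.
        ok = tid in self.queue and hmac.compare_digest(submitted, expected)
        if ok:
            self.queue[tid].confirmed_2fa = True
        return ok
    def cancel(self, tid: int, user_id: str) -> bool:
        # The wallet owner can cancel at any point during the delay window.
        p = self.queue.get(tid)
        if p is None or p.user_id != user_id:
            return False
        p.cancelled = True
        return True
    def try_execute(self, tid: int) -> str:
        # Run by the executor loop; only "executed" means funds actually move.
        p = self.queue[tid]
        if p.cancelled:
            return "cancelled"
        if not p.confirmed_2fa:
            return "awaiting_2fa"
        if self.clock() - p.requested_at < self.delay:
            return "delayed"
        del self.queue[tid]  # real code would sign and broadcast the tx here
        return "executed"
```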
Moving Forward
Despite the setback, Banana Gun reports that bot activity has remained high, which they interpret as a sign of continued user trust. The company’s EVM and Solana bots are now back online with the new security measures in place.
As the crypto industry continues to grapple with security challenges, this incident serves as a reminder of the importance of robust security measures, even for platforms catering to experienced traders. It also highlights the growing sophistication of attackers who are now targeting “smart money” in the crypto space.