
Decoding How The Banana Gun Went Bananas: $3M Exploit

Published on: October 18, 2024 | 7 Mins Read

Author: QuillAudits Team

When an attack hits a project designed for savvy degen traders, you know things are about to get complicated.

The Banana Gun exploit wasn’t your run-of-the-mill hack; it targeted some of the veterans in the crypto space.

Let's peel back the layers of what exactly happened, how it happened, and what steps are being taken to make sure it doesn’t happen again.



What Was the TL;DR of the Attack?

On September 19, 2024, an exploit in the Banana Gun trading bot resulted in $3 million being siphoned from 11 users, most of whom were experienced traders.

The attackers exploited a vulnerability in the Telegram message oracle, allowing them to manually transfer ETH from victims' wallets while they were using the bot.

The vulnerability was patched later on, and all affected users have been fully reimbursed from the Banana Gun treasury, with no tokens sold to fund these repayments.

 

What Is Banana Gun?

For those unfamiliar, Banana Gun is a popular Telegram-based crypto trading bot that automates trades on EVM and Solana blockchains.

These bots are designed for efficiency, helping traders execute profitable trades seamlessly. With a growing reputation among crypto veterans, Banana Gun’s bots were trusted for their speed and reliability—until this exploit threw a wrench in the gears.

How Did the Exploit Happen?

The exploit wasn’t a typical, automated smart contract drain.

Here’s how it unfolded:

  1. Targeting High-Value Users:

    The attacker was laser-focused on seasoned traders, folks who know their way around crypto. These were people with notable social presence or trading expertise.

  2. Manual Transfers:

    The attackers exploited a flaw in the Telegram message oracle, manually transferring ETH from wallets while the victims were using the bot. Essentially, the victims witnessed their funds being drained in real time.

  3. No Scripted Draining:

    This wasn’t a typical automated bot attack; it required manual involvement, hinting at a more targeted and precise exploit.

  4. Impact on Both EVM and Solana Bots:

    The attack affected both the EVM and Solana bots. Since the two run on different codebases, this pointed to the vulnerability being in a component they share: the Telegram oracle.


What Was the Root Cause of the Exploit?

Our investigation uncovered a vulnerability in the Telegram message oracle used by the Banana Gun bot. This flaw allowed the attacker to intercept messages and gain unauthorized access to user wallets. Once the attacker had access, they could initiate manual transfers while the bot was still in use by victims.

In simpler terms: the bot’s security hole allowed the attacker to manipulate user wallets during live trading sessions, manually sending ETH to their own addresses while the victims were interacting with the bot.

 

How Did the Flow of Funds Look Post-Hack?

After the attack, funds were distributed across multiple wallet addresses controlled by the attacker.

Here's the list of attacker wallets (11):

  • 0xBe31Fd089De178be74E12e49360a5Fa6E3867BDB
  • 0x25B7580CECCDcCB04e86FD616fcA732EE0aeBc25
  • 0x4293652e71023D48fbE2C6122b55780FAA940980
  • 0x0939F5ba7A3d210dd2694d7ee72Cf78959154820
  • 0xa999171a1432c18ce403365acC2AdFA5c2Ec6091
  • 0x4FdDC26aC7230d5104b5F87f4751F76d3aBea1Ec
  • 0xfCb81E26C447426f7903bCC211c6D082D0a26024
  • 0x85E6214067115C9283Ad90d174BB6C3CA4fc3D76
  • 0xa60740ee7C08E2162c0FE0e1039E7c9a5Ec28eA3
  • 0x5f9D7770A66F1D97e8844F834599F4604643e1A2
  • 0x3a8CdaE3F66bE07ae69175224E4282f9622D5d40

Here are some of the victim wallets (45):

  • 0x630780B5486d6ed01751828FB50ede89D48fEe36
  • 0x65e9031AA186F6AeC29115cA1382a11341840C64
  • 0x25BC52478dDA8cE43CD010B6A193Db826c67dcec
  • 0x62cb0D083A71954A63810F035702b08E5E459F5e
  • 0x9F5507Df471173e0dE6721cCdf77aD4A03757073
  • 0xD16aE010B09969DB4b36A6c7683C5b9Bf7196ae4
  • 0x07a53864Fb615CDB5786aBD58F12024fb4614197
  • 0xBC9c380b5A95877ec36Ef885AF08515136078ABB
  • 0x55Af37310aD7a06B2FE547a97BdE4dfbc600E276
  • 0x0b83122d7835F7a5590Ecf5200bFb3A0E7Ca8963
  • 0x5F3785A33640e6F4934B15d1173eF7F5d9320aea
  • 0xa3De30F91fFD37E674C90Dae46D50dA496f31b0c
  • 0x5f14900d5Ea22CE6dC9eA9dDe1f1bDf3b787DcA4
  • 0x578DF23B1af159D6d4b447062141d56285Ec93b2
  • 0x8C4F948009f597c790c9fFBDC98bd09a9980ACbc
  • 0xeE570ad1555943b4a9Aa138c9dAC3AeFB57114c0
  • 0xA8554C187E27705bC18D11141804c8228d191faC
  • 0xa12344808143aC7AFC9685d7945aB101933946d3
  • 0x0f8C890C0C553efDBdFcFccf0a6C4C143b6466f6
  • 0x3a8CdaE3F66bE07ae69175224E4282f9622D5d40
  • 0x14ee3A0a982981259215c02d203fe1533F638E74
  • 0xa60740ee7C08E2162c0FE0e1039E7c9a5Ec28eA3
  • 0x40B5bD243f467EaC60710Afe58a00907101731F3
  • 0xFa0Ff6264E9f12f6aaEfA483B42260beAdDd4f74
  • 0x4B2A2F8B0dD9a1b563f825EcA688d64A2012Ac84
  • 0xCA5B54c1A91B5ECb6bE8A2fDb27C05C74Ab15667
  • 0x067c677Cbbfb46Ab9013cF3B619bA223A33B99dD
  • 0x92804FE586B119A86507DA1340A496Dae2A5B38C
  • 0xA8260aA3cEBf3BBAB4B3aAC0043c845B777ed1bB
  • 0xEFA9268490BB76D6b17793905473feFc03b5C824
  • 0x14381caa24E88f0E1e31f28c6B1F1Fc586F8677b
  • 0xc038790dAe59bEB6BCca0f8Eb1464b4fc97E039E
  • 0x13FD658A4Ec49466bAc900078f8F696d27e1BFF0
  • 0xe8d75040b71cc038079A9D62028FD58480bB9A1C
  • 0xbFe1c29AdB36F5C8b53D4B0898ff2c043E33E275
  • 0xE8d9AB824880E277c837d4b1E2EF8bd51d9427CF
  • 0x3A1ecFd15f88F32Fd9d04EdF9A068E3F8f868620
  • 0x60F4946B5A1d7249DEa82bE62937AB36E1fd68B6
  • 0xA09B5a000bE35BBB21053d0f6b07eba4780146c0
  • 0x7f1bafBe17e6F325BCbCC2cCde550bE37d3bc9a8
  • 0x45411e22bbC2755C26ceDCe737140facAC8D164E
  • 0x5e9f9e3D3c65541a630Ba91E4BB30cc043799c57
  • 0x7A9652f346431992F5796CA4ab440D5bd41f0860
  • 0x0DdE64a79B8267600E0E68179D2381Fd80e0f274
  • 0x8fA8f9d8b228eeE6e7Df2056faA97aB23822deAE

[Figure: flow of funds]

 

What Steps Were Taken After the Hack?

Banana Gun’s team took swift action after the attack to ensure no further damage:

  1. Immediate Bot Shutdown:

    As soon as the unauthorized transfers were detected, both the EVM and Solana bots were immediately shut down to prevent further exploitation.

  2. Full Refunds:

    Affected users were promised full refunds from the Banana Gun treasury, with no tokens sold to fund the reimbursements.

  3. Security Patch and Bot Re-Activation:

    The vulnerability in the Telegram message oracle was patched, and both bots were redeployed with enhanced security measures.

  4. New Security Measures:

    To avoid a repeat scenario, Banana Gun introduced several new layers of protection:

    • A 2-hour transfer delay to give users time to detect and stop unauthorized withdrawals.
    • Plans to implement 2FA for future transfers.
    • A full review of the back-end and front-end systems.

  5. Collaboration with Security Experts:

    Banana Gun teamed up with Security Alliance to conduct further audits and penetration tests on the bot infrastructure.

How Can This Be Prevented in the Future?

This attack is a reminder of the importance of airtight security measures, especially when dealing with user funds.

Here are a few ways these projects can mitigate risks moving forward:

  1. Use Multi-Factor Authentication (2FA):

    Multi-factor authentication is a must-have in this day and age. Requiring multiple verification steps can stop attackers dead in their tracks.

  2. Regular Audits and Penetration Testing:

    It’s essential for projects to regularly audit their smart contracts and infrastructure. Partnering with security firms like QuillAudits to conduct penetration tests can help identify vulnerabilities before attackers do.

  3. Time Delays on High-Value Transactions:

    Introducing a time delay on transfers, especially for large sums, gives users a window to catch any suspicious activity and cancel transactions before they’re executed.

  4. Vulnerability Bounties:

    Consider running a bug bounty program where security researchers are incentivized to find and report vulnerabilities before they can be exploited in the wild.
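The two controls above that can be expressed in code are the transfer delay (item 3, and the 2-hour delay Banana Gun introduced) and the second factor on transfers (item 1). The following is an added example, not Banana Gun's or QuillAudits' code: a back-end pending-transfer queue in which every outbound transfer waits out a delay before it can execute, the owner can cancel it during that window, and execution requires a one-time code derived from a shared secret. The class and function names, the HMAC-based code scheme, the wallet labels and the timestamps are all constructed for illustration.

```python
"""Delayed-withdrawal queue with a cancellation window and a second factor.

Added example (not Banana Gun's code). Models the "2-hour transfer delay"
and "2FA for transfers" mitigations as a pending-transfer queue on the bot
back end. All names, the one-time-code scheme and the sample data below are
constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass

TRANSFER_DELAY_SECONDS = 2 * 60 * 60  # the 2-hour window mentioned in the post
CODE_WINDOW_SECONDS = 30              # hypothetical one-time-code time step


@dataclass
class PendingTransfer:
    transfer_id: int
    owner: str            # bot-managed wallet the funds would leave
    destination: str
    amount_wei: int
    requested_at: float
    cancelled: bool = False
    executed: bool = False

    def executable_at(self) -> float:
        return self.requested_at + TRANSFER_DELAY_SECONDS


class TransferQueue:
    """Nothing leaves a wallet until the delay elapses; the owner can cancel
    during that window; execution also needs the owner's one-time code."""

    def __init__(self, second_factor_secrets: dict):
        self._secrets = second_factor_secrets          # owner -> shared secret
        self._pending: dict = {}                        # transfer_id -> PendingTransfer
        self._next_id = 1
        self.ledger: list = []                          # (owner, destination, amount) actually sent

    def request(self, owner: str, destination: str, amount_wei: int, now: float) -> int:
        tid = self._next_id
        self._next_id += 1
        self._pending[tid] = PendingTransfer(tid, owner, destination, amount_wei, now)
        return tid

    def cancel(self, transfer_id: int, caller: str) -> bool:
        """Only the owning wallet may cancel, and only while still pending."""
        t = self._pending.get(transfer_id)
        if t is None or t.owner != caller or t.executed:
            return False
        t.cancelled = True
        return True

    def code_for(self, owner: str, now: float) -> str:
        """Hypothetical HMAC-based 6-digit code over a 30-second time window."""
        window = int(now // CODE_WINDOW_SECONDS)
        digest = hmac.new(self._secrets[owner], str(window).encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def execute(self, transfer_id: int, second_factor: str, now: float) -> str:
        t = self._pending.get(transfer_id)
        if t is None:
            return "unknown"
        if t.cancelled:
            return "cancelled"
        if t.executed:
            return "already-executed"
        if now < t.executable_at():
            return "too-early"          # delay not yet elapsed: the cancel window is still open
        if not hmac.compare_digest(second_factor, self.code_for(t.owner, now)):
            return "bad-second-factor"
        t.executed = True
        self.ledger.append((t.owner, t.destination, t.amount_wei))
        return "sent"


def demo() -> list:
    """Walk through an unauthorized request that gets cancelled in the window,
    then a legitimate one that waits out the delay. Returns the status codes."""
    q = TransferQueue({"0xUSER_WALLET": b"constructed-shared-secret"})
    t0 = 1_700_000_000.0                                 # constructed timestamp
    results = []
    # A transfer the user did not initiate: it cannot execute immediately...
    tid = q.request("0xUSER_WALLET", "0xUNKNOWN_DEST", 10**18, t0)
    results.append(q.execute(tid, q.code_for("0xUSER_WALLET", t0), t0))
    # ...so the owner has two hours to notice and cancel it.
    q.cancel(tid, "0xUSER_WALLET")
    results.append(q.execute(tid, q.code_for("0xUSER_WALLET", t0 + 7201), t0 + 7201))
    # A legitimate transfer: delay elapsed, but a wrong code still fails...
    tid2 = q.request("0xUSER_WALLET", "0xCOLD_WALLET", 5 * 10**17, t0)
    results.append(q.execute(tid2, "wrong", t0 + 7201))
    # ...and the correct code lets it through.
    results.append(q.execute(tid2, q.code_for("0xUSER_WALLET", t0 + 7201), t0 + 7201))
    return results


if __name__ == "__main__":
    print(demo())  # ['too-early', 'cancelled', 'bad-second-factor', 'sent']
```

The point of the design is that the delay and the second factor are enforced at the same choke point every transfer must pass through, so an attacker who controls a session still cannot move funds instantly, and the owner keeps a window in which a pending transfer shows up and can be cancelled.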


Why QuillAudits?

Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies.

Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.


The QuillAudits team comprises expert security researchers and auditors in Web3 security. It has completed 1,000+ audits across Ethereum, Polygon, Solana, Arbitrum, BSC, and more, securing $30B+ with 0 exploits and advancing the blockchain ecosystem.
