Hacker poised to pocket 2.8 million tokens in ‘compromised’ Arbitrum airdrop

Anticipation is building for the Arbitrum airdrop on Thursday, with 625,143 addresses set to receive over 1.16 billion Arbitrum tokens. But there’s a catch — a thief is preparing to cash in.

On-chain data shows that a group of 1,660 previously unconnected wallets started receiving small amounts of ETH from a single address in preparation to claim the airdrop for the Layer 2 blockchain network.

But Benny, a pseudonymous advisor at crypto risk assessment group LlamaRisk, told DL News that the wallet cluster contains many stolen wallets controlled by a single entity.

Compromised wallets

“The same wallet sent funds to 1,660 wallets,” Benny said. “We know that a number of those are compromised. Some are just accounts where the private key leaked on Github or somewhere else so it’s not clear whether the hacker actually hacked all the wallets themselves.”

The outcome: The hacker is poised to claim more than 2.8 million tokens from the compromised wallets.
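The funding pattern described above (one address sending small amounts of ETH to many airdrop-eligible wallets) can be checked mechanically. The sketch below is an added example, not code from LlamaRisk, DL News or Arbitrum; the addresses, amounts, allocations and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (sender, recipient, ETH amount, block number).
TRANSFERS = [
    ("0xF00D", "0xA1", 0.002, 100),
    ("0xF00D", "0xA2", 0.002, 101),
    ("0xF00D", "0xA3", 0.003, 101),
    ("0xF00D", "0xA4", 0.002, 103),
    ("0xCAFE", "0xB1", 1.500, 102),   # large transfer, not gas dust
    ("0xCAFE", "0xB2", 0.002, 400),   # a single small transfer is not a fan-out
    ("0xF00D", "0xZ9", 0.002, 104),   # recipient is not in the airdrop list
]
# Constructed airdrop allocations (address -> ARB tokens).
ALLOCATION = {"0xA1": 1250, "0xA2": 1750, "0xA3": 10250, "0xA4": 625,
              "0xB1": 3250, "0xB2": 1250}


def funding_clusters(transfers, allocation, max_eth=0.01, min_wallets=3,
                     window_blocks=50):
    """Group airdrop-eligible wallets that share one small-amount gas funder."""
    by_sender = defaultdict(list)
    for sender, recipient, amount, block in transfers:
        if recipient in allocation and amount <= max_eth:
            by_sender[sender].append((block, recipient))
    clusters = {}
    for sender, hits in by_sender.items():
        hits.sort()
        # Sliding window: largest set of wallets funded within window_blocks.
        best, start = set(), 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window_blocks:
                start += 1
            wallets = {r for _, r in hits[start:end + 1]}
            if len(wallets) > len(best):
                best = wallets
        if len(best) >= min_wallets:
            clusters[sender] = {
                "wallets": sorted(best),
                "tokens_at_risk": sum(allocation[w] for w in best),
            }
    return clusters


if __name__ == "__main__":
    for funder, info in funding_clusters(TRANSFERS, ALLOCATION).items():
        print(funder, info)
```

A shared funder is only a heuristic: exchange withdrawal wallets also fund many unrelated addresses, so a flagged cluster needs manual review before any wallet is treated as compromised.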

This development could tarnish one of the most important airdrops to hit the market in months. Some in the crypto community have questioned Arbitrum’s decision not to exclude stolen addresses from the airdrop.

“I honestly see no real reason why the Arbitrum Foundation should reward people who stole wallet credentials,” DuckDegen, a pseudonymous blockchain engineer, told DL News. “They should just check if there is a sweeper bot on that address on any network, and if so assume it’s compromised and block it from airdrop allocation.”

DL News reached out to Arbitrum for comment but did not receive a response by press time.

Handsome sum

Arbitrum, a 19-month-old network with almost $2 billion in total value locked, plans to airdrop tokens to early and frequent users tomorrow. The high-speed blockchain is designed to help the Ethereum network scale up by making transactions faster and cheaper to process.

With estimates that Arbitrum’s token could start trading at well over a dollar, the hacker looks set to take home a handsome sum at the expense of these wallets’ original owners.

Last week, Arbitrum said it planned to decentralise governance of the network through a token airdrop. Early Arbitrum users will receive up to 10,250 ARB governance tokens each depending on how much they used the network.

Suspicion the airdrop could be gamed by a hacker has spurred DeFi devs into action. After noticing a large number of wallets receiving funding from the same address, DuckDegen set out to create software to help people with compromised wallets claim their ARB token airdrops before the hacker can.

DuckDegen created a bot that can move some ETH to a compromised wallet, claim the ARB airdrop, then move the ARB tokens out to a safe wallet. All these steps must happen within the same block – a space of about 0.25 seconds – for the best chance of recovery.

However, recovering funds on Arbitrum looks harder than doing so on Ethereum mainnet. On Arbitrum, all transactions are processed centrally. This means there are no private MEV relays which let users bid ETH to have their transactions processed first. (MEV, which stands for maximal extractable value, is the deliberate reordering, inclusion, or exclusion of transactions to extract as much profit as possible.)

According to DuckDegen, the only way for the wallets’ original owners to beat the hacker is to “literally spam the sequencer” and hope for the best. On Arbitrum, there is no way to know which transactions will get processed first, so the best way to get a transaction submitted to the blockchain is to repeatedly send it until it gets through.

“The common theme here is that the sequencer will be spammed to death no matter what. I have no idea what [Arbitrum’s] transaction capacity is, but this won’t end well,” DuckDegen said.

DuckDegen said he’s likely not the only one preparing to use bots to claim Arbitrum airdrop tokens. “I’m sure other bot operators are doing similar things,” he said.

Tension mounts

Signs of an upcoming battle are already starting to emerge. “Since word got out, people are starting to fight over the compromised wallets,” Benny told DL News.

He explained that on-chain data shows several parties sending ETH to the wallets while others have deployed bots that work against them to drain ETH deposits. “It’s a real battlefield out there,” Benny said.

The situation for Arbitrum is not unprecedented. In September 2021, the Solana blockchain went down after bots attempting to buy a newly-launched token generated thousands of transactions which flooded the network.

The overload knocked Solana offline for over 17 hours and required a full restart. The event caused many in the crypto community to question Solana’s level of decentralisation and resilience to “denial of service attacks” caused by bots.

Sybil attacks

And it’s not just compromised wallets that have evaded detection.

In addition to the compromised wallet cluster, Benny’s data also reveals another 1,000 wallets controlled by a different entity are set to claim 428,750 ARB tokens.

Rather than using hacked wallets, this cluster exhibits signs of “Sybil attacking” – a process in which one person creates and uses multiple wallets to spoof organic activity. In crypto, Sybil attacks are often conducted in pursuit of farming token airdrops for profit.

Documents posted on the Arbitrum Foundation Github account detail the measures taken to exclude wallets involved in Sybil attacks from the airdrop.

But analysis from blockchain researchers indicates many still remain. According to an analysis by X-explore and WuBlockchain, 148,595 Sybil addresses are set to receive the Arbitrum airdrop. These addresses account for approximately 253 million Arbitrum, or 21.8% of total airdropped tokens.