Airdrop Post Mortem

Failures

  1. Incorrect number of tokens displayed
  2. Press Release publishing failure
  3. Poor reactions to token weights
  4. Sybil attack undetected on testnet

1. Incorrect number of tokens displayed

Users were all shown 24 tokens on January 10th. We did not notice until January 15th that every user on the list was getting 24 tokens, and the total amount was 2 million.

How

When converting each user's points weight into tokens, a script iterated over the list of weights and applied the formula num_of_tokens = weight / total_weight * 300,000. Instead of looping through the rows and applying the formula to each row, the Python script applied the formula to the first row and then assigned that single result to every other row, effectively giving everyone the 24 tokens that the first user had been awarded.

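multiplier = 300000 / total_weight

#broken code
# df.iloc[1, 1] is a single cell, so one scalar is broadcast to every row
df["token_amount"] = df.iloc[1, 1] * multiplier

# write columns 0 and 2 to the published airdrop list
df.iloc[:, [0, 2]].to_csv('final_odg_airdrop.csv', index=False, header=False)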

Why

The Tally team and Joseph did not notice until it was too late on Monday. The primary failure was not double-checking the work enough, not asking for help, and not writing tests.

What should have happened

  1. Manual checks. Double-checking the list manually would have revealed that every account had the same amount of tokens
  2. More QA testing. Testing multiple addresses on the live website would have revealed the same issue
  3. Delaying instead of making last-minute fixes. Due to PR pressure, the team chose to make several last-minute changes instead of delaying to resolve the issue, but the damage was already done.

Press Release failure

Press Release on news wire failed to publish as we were flagged for spam.

Sybil Attack Detection Failure

Key Takeaways

  • A minimum nonce requirement of 7 would have prevented the entire attack
  • All accounts except 1 had no chat activity
  • Security and sybil attack assessment is recommended for next airdrop
  • Stole 5.4% of airdrop
  • Drained 21% ETH initial liquidity
  • Crashed ODG price by 47%

Overview

Discord username: nurel_
Account created May 16, 2023
All accounts created Dec 15
Bulk of transactions occurred Dec 29; waited until 2 days before snapshot

First interaction Dec 8th
16 out of 22 wallets had a nonce of only 3. The highest nonce was 6.
24 wallets total, each earned 324.8722 ODG
Made ~$19,000: 16,243 ODG swapped for 8.3128 ETH

Other Details

Gas funded from faucet https://arbiscan.io/address/0x1b5b4e441f5a22bfd91b7772c780463f66a74b35
All accounts except 1 had no chat activity
Most did only 3 transactions - build proxy, approve collateral, deposit
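
A sketch of the pre-snapshot screening these findings point to, added here as an example and not the project's own code. It applies the minimum nonce of 7 and flags wallets that share one gas funder and have no chat activity; the Claim fields, CLUSTER_SIZE, the placeholder addresses and the two non-sybil rows are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MIN_NONCE = 7      # threshold named in the Key Takeaways
CLUSTER_SIZE = 3   # assumption: 3+ wallets sharing one gas funder form a cluster

@dataclass(frozen=True)
class Claim:
    address: str       # claimant wallet
    nonce: int         # transaction count at snapshot time
    funder: str        # assumption: first address that sent gas to the wallet
    chat_active: bool  # any Discord chat activity
    tokens: float      # allocation before screening

def screen(claims, min_nonce=MIN_NONCE, cluster_size=CLUSTER_SIZE):
    """Return (eligible, rejected); rejected maps address -> list of reasons."""
    by_funder = defaultdict(list)
    for c in claims:
        by_funder[c.funder].append(c.address)
    eligible, rejected = [], {}
    for c in claims:
        reasons = []
        if c.nonce < min_nonce:
            reasons.append(f"nonce {c.nonce} < {min_nonce}")
        peers = len(by_funder[c.funder]) - 1
        if peers + 1 >= cluster_size and not c.chat_active:
            reasons.append(f"gas funder shared with {peers} wallets, no chat")
        if reasons:
            rejected[c.address] = reasons
        else:
            eligible.append(c)
    return eligible, rejected

def withheld(claims, rejected):
    """Total tokens that screening keeps out of the claim list."""
    return sum(c.tokens for c in claims if c.address in rejected)

def sample_claims():
    """Constructed data: placeholder addresses, nonce spread as reported above."""
    nonces = [3] * 16 + [4] + [6] * 5
    sybils = [Claim(f"0xSYBIL{i:02d}", n, "0xFAUCET", i == 21, 324.8722)
              for i, n in enumerate(nonces)]
    organic = [Claim("0xUSER_A", 41, "0xEXCHANGE_1", True, 500.0),
               Claim("0xUSER_B", 9, "0xEXCHANGE_2", False, 120.0)]
    return sybils + organic

if __name__ == "__main__":
    claims = sample_claims()
    eligible, rejected = screen(claims)
    print(len(eligible), "eligible;", len(rejected), "rejected;",
          round(withheld(claims, rejected), 4), "ODG withheld")
```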

Main wallet
0x052d62a6479E3C027AFFf55385F2ba53ffe8ba58
Inactive since September 2023
Originally funded July 2023
Claimed 324.872 ODG
Bought back 413 ODG, then sold again 1 hour later
Sold on Binance
Swapped 3.80038 ETH to 3.8 WETH using MetaMask and bought $9,523 of Tether
Sold 4000 Tether on Binance
Claimed and sold the 413 ODG for 970 Tether
$21,832 (5 ETH + 4000 Tether) sold on Binance
$970 Tether remains in the wallet

Aggregator wallet
0xf491FF8b6CA44AF3978EC80E14E352c35d03D5C9
Pooled ODG from 22 sybil wallets
Performed large swap
16,243 ODG for 8.3128 ETH (~$19,000)
Drained initial ETH liquidity by 21%
Crashed ODG price by 47%

22 sybil wallets

(Maybe missing 1 wallet? 23 total)

Wallet address                              Username        Nonce  Notes
0xe6689cEBDaE2c21Dd3c75cCd7AC5643753985A1d  dokivab         3
0xC8513819e4bd5B22789d10CdF9c8BcD9817E3fDB  deborah0774a    3
0x18E69094c577781bcf56012B9F42BfE1Ad091310  girenam883      3
0x5AaF40398FC3753C5C423394534BDFc6A9B2C33C  michelle6319u   3
0xE048a3d6821a4156A1544A0d96B6121d63Fa06C2  cejiv           4
0xd4aa0D98fe517f98527803f30F24D06EE6653C37  helen8739v      3
0xa1A5066C9DDb7DfD19E1f319AD364cb21131aAaF  elizabeth1360o  3
0x35A78D8055A63FCeF256a26C21855c597966791d  michelle9973p   3
0xe982150121e8385A68a08b7498775444bc257AC9  carol7908y      3
0xcD009f2791814eb191EdeA90271985f98656E911  karen6458s      3
0xf8cD5373187Ede96B1c81BA6C07A77907fa4E2D2  elizabeth6721i  3
0xda9592EAcda11463091DAa8C65C48D722A3Ac855  mary5421i       6
0x221c09362Ddc12e3F29ec4ac30B19C9F95fC0B87  lisa0815g       3
0x358BB65fF07C373903aB6F42011c48B3605eB1a2  carol6337w      3
0x66E1823FfAb48C147b019Ea9a5A0b3A1DF680ECA  ruth6081h       3
0xd8E9C4397757938f705FD5c36BA171A879905798  donna9459r      6
0xb5011b2FD7BB19e205DC09C39E617DFA9ECd6d12  carol9952d      3
0x77FFeEB8B3bFa91c53075998F8F50DfCdc266be5  donna5180a      3
0x866D9431033507d8e546C8Cf38AC8028Bf278522  sandra9297c     3
0x204C551D0eaBF5988B77c246A67c119E0363BB0b  zdbggyvawywp    6      Dec 8
0xcCf69Ad860507F0E3c67C3ADC3A7d5238aA657Ea  zyrdomcuongym   6      Dec 8
0x7c7A1C32D1CF038d8ECF4D72B0EC9a3A920978D5  mimoza__        6      Dec 8; has chat activity