# Help the Helpers My name is Cordt Hanson. I am a longstanding member of Osmosis Support Lab, volunteer community manager to many groups and am sort of known as "that guy anyone can ask for help with any issue, anytime". I've been an extremely active member of almost every IBC community from the day they were launched, since around the beginning of Osmosis chain, so if I don't know the answer it's pretty likely that I know someone who does. None of that really matters though. this is not about me, this is about something much bigger. This is about not losing sight of what makes Cosmos different from something like EVM, or Tron, or any other ecosystem. This is about the community. During this time I have come to meet, and work with many amazing groups and unique individuals who truly have no goal in mind but to be able to support themselves and their families, and do so by providing services that undeniably better this ecosystem by educating and making efforts to protect all users and all different communities against the unavoidable and ever-persistent scams. Not only are scammers active 24/7 [many are automated bots] but their sheer numbers and persistence [they will get their accounts/groups deleted and be back within 10 minutes multiple times in the same day] mean this is coming at ever user, from every angle, at every minute of the day, interacting with any socials, looking for any information or help, and through any channel. They reply immediately to every tweet. they set up completely fake telegram and discord groups for every coin and project, wallet app, you name it. They *clone entire Telegram groups*, including the admins and regular or well-known users, and repeat their messages. Some are clever enough to bait their victims in with *legitimate advice* before pulling the scam. <br> To avoid or stop them is an unwinnable war. Every accessible platform has hundreds, maybe thousands of undetectable and unstoppable bot accounts that jump at anyone the second they display anything to indicate they have an issue. [**Type a bunch of random "help-related" words in just about any Telegram group right now. I urge you.. go to Celestia, Cosmoshub, Osmosis Telegram groups and type "*hi admin help wallet support withdraw funds stuck airdrop claim staking how when why anyone new*"**] It works. It has worked for a long, long time and it will continue to work. It works based on psychology. Panic causes critical thinking to instantly go out the window. Scammers know this very well, which is why the scams from the outside appear incredible obvious, and their victims "just stupid". I would be lying if I said I had never thought the exact same thing, and maybe it is true in some cases. This doesn't mean that anyone deserves this, and we *certainly* should not be making it easier for them to irreversibly steal all of their victims assets. <br><br> It has taken these guys over 2 years to learn virtually anything at all about how to scam better, Pretty much anyone with any knowledge of the network and basic scripting skills could easily wih most of the time. Several small groups of regular people with support or chain infrastructure backgrounds have done very well over the years recovering wallets for anyone who has been scammed and who has their funds unstaking etc. I know (and personally advised) some users who were able to get their assets just by using the wallet app at the right time. Recently however, they have become noticeably better (or clever enough to pay someone much smarter to build them some tools), but after 2 years they are finally doing it.. I would never suggest any usre try this themselves at this time, as success is exceedingly unlikely, and although the recovery services have an overwhelmingly positive success record, they are not perfect and some very, large wallets come across their desks regularly which are usually a sign of a difficult recovery ahead. Regardless of the 'size' or the value of recovery, they always do it responsibly, and with equal effort. ###### *They do "KYC" through the only method is reasonably practicable considering the circumstances. One of them is taking steps to go fully official with a vetted, third party KYC service. I will not disclose further details, but that I assure you they all do the most they can possibly do in this regard.* <br><br> Due to some newly implemented features, confusing default parameters, or a complete lack of reasonable limitations on others, these efforts have been made increasingly difficult due to several factors: - the increasingly common knowledge of the existence of the 'authz' module - the creation and implementation of the 'LSM' module - the publicity and popularity of the IBC ecosystem overall - 'cancel undelegation' providing a way to simply waste the time of anyone attempting recoveries - the inability to pay any transaction fee from any account other than the one making the transaction Aside from the final point which I don't know how to implement without potentially creating new issues, there are a few small changes either positive [reduce 'tx spam wars' / congestion] or at worst neutral to the networks. None of it to my knowledge hinders genuine users or practical on-chain activity, but will all ease the ever-increasing cost and difficulty for those regularly saving up to 5 wallets *per day* containing anything from dozens, hundreds, thousands, up to *hundreds of thousands* of dollars in value for users of almost every IBC chain. - add a reasonable limit to 'authz' grants, both as granter and grantee - set the initial state of the liquid staking module for new wallets to 'disabled' - implement a cooldown timer for cancel undelegations equal to 1.5 or 2 times the undeelgation length <br><br> The details below showcase a few recent scams or attempted scams. This clearly shows rapid advances in their processes, which will only continue to become more and more prevalent with an increasing userbase, and increased value overall. <br><br> <details> Some wallet apps like keplr extension, keplr mobile, and leap extension implemented some additional safeguards to combat this, but there are still many ways to slip it past, and some users simply ignore it and blow through it anyway. Focus on the last 9 tx, starrting at height 19574950 where he did the authz tx. This is how good they have gotten at these scam scripts. Guy signs one tx and without even really missing a block their entire account is undelegated, liquid staked, de-pooled, whatever, and completely drained in 8 tx. `https://www.mintscan.io/cosmos/address/cosmos190p5jzq5r9upyx2py8zpejf6kdr27063shmu82` ![image](https://hackmd.io/_uploads/H1-7ORmRp.png) </details> <br><br> <details> Using clever authz grants is a fairly new but very rapidly evolving tactic that is noticeably more prominent when airdrop activity grows. They aren't always that clever though, and they don't really need to be -- once the grant is made and funds are removed,it becomes extremely difficult and time consuming to reverse. `https://www.mintscan.io/cosmos/tx/D9D3A81F5BEA8DFCEAD9693E96595FA759F4D655701FF4FBABCA56F345F35F87?height=19554189` ![image](https://hackmd.io/_uploads/B1ku_AQAT.png) </details> <br><br> <details> Similar to the above, once the scammers realized what is possible (revoking over 2000 grants from a single wallet at once) they simply started adding more and more grants so it becomes next to impossible to remove all of them. The congestion on chain here will be incredible for some of these 'spam wars' `https://www.mintscan.io/cosmos/tx/0D8F9EFCF3475FE159268E612717A909B38001D547AB6A53A3BC51AB039DE871?height=19115577` ![image](https://hackmd.io/_uploads/rkI9OCmA6.png) </details> <br> <br> <br> <br>