Thousands of unused Staker App smart contract wallets #365

Closed
PulsarNetwork opened this issue Sep 11, 2022 · 8 comments
Labels
Valid report Report accepted

Comments

PulsarNetwork commented Sep 11, 2022

Related Safe Addresses

6913 addresses: https://github.com/PulsarNetwork/safe-analysis/blob/main/aggregate-66a0-df21-filtered.txt

10 samples:

0xbb7e9c0503191f7337a9b32dd6613ddcc70afe89
0x305311938fc814ec29cf89c7c945f64af6262bbc
0x7c8017cf8b8a5b14de6105500a758e39f57de068
0x05f4b2e7e1395858895c0657a572b54e43c7e129
0x21f5d99f674112b0f8132e6ed35f7d0008e074a8
0x7131e83c43d5597c46a3482b94a46514843d5f62
0xdba2abb2890d85f747497f4b4e1695e623de1b67
0xd0c7daf802dd90b55e6db99912f21c89c1cfe70b
0xab6098d02095ec4f8328f6c12c96b83fc6088ee3
0x1a92fbdd49e6258bdd771ff37d6718ad9ff96d00

Reasoning

TLDR

Staker App uses Gnosis Safe as the backbone of its smart contract wallet. It first creates Safes in batches. When a user signs up, it transfers the Safe ownership to the user. Some Safes are never used by the user. Therefore, there is only one tx on chain, which is the tx for the ownership transfer.

Long Story

Background

StakerApp is a smart contract wallet built for HEX users. It allows users to set up a Gnosis Safe smart contract wallet and trade and stake HEX tokens. All transactions, including the wallet creation, can be done without purchasing ETH to pay for gas. It is heavily integrated with Rockside, a transaction relay service, to achieve a gasless user experience.

The Rockside website dashboard is no longer accessible, but the backend services seem to be running so far. From the Rockside docs we can still get an idea of how it works. Mainly there are two ways:

  1. Rockside API calls the user's Safe smart contract wallet to interact with dapps. (doc link)

  2. Rockside API calls a forwarder contract to interact with dapps. (doc link)

Wallet creation patterns


Because Staker App had multiple major software updates in the past, there are multiple flows for smart contract wallet (i.e. Safe) creation. We identified 4 patterns in which Staker App creates a Safe for a user. In all cases the user does not need to pay ETH for gas, but rather pays Staker App in fiat to compensate for gas.

  • Flow S: Creation of Staker Team's Safe

S1: Staker Team uses Relayer to create a Safe for many different purposes https://etherscan.io/tx/0xcd75c29ee19a66e0bd1b7691ee9252411314bf76984a984e476ba2d0933ba4f6

  • Flow A: Rockside relayer creates Safes and transfers ownership to user

A1: Relayer calls Forwarder to create multiple Safes https://etherscan.io/tx/0x146ec9289cb2d57c69100ef0dc150caf6a07826cbf2959f362060b28fda802bc

A2. Relayer calls Forwarder to transfer ownership from Manager 66a0 to user https://etherscan.io/tx/0xa0f04be575c53de59f75856f38273d6440dcc0526f5cdc88a2edc29f59727093

  • Flow B: Rockside Relayer creates Safes. Manager transfers ownership to user

B1: Relayer creates multiple Safes
https://etherscan.io/tx/0x05a790f8677825db127804ff5a3546f856a9607dee5b174c248d506f92b023fd

B2(a) Manager 66a0 transfers ownership to user https://etherscan.io/tx/0x0108d222ace5900ce392a1c4842ae8db84f2f8b1b26885994cf0d83b9e06c73b

B2(b) Manager df21 transfers ownership to user https://etherscan.io/tx/0xa86a7890a54c3fddcd56fd6b2bc0a0e45de6be34e7d55586651390fd95f8a337

  • Flow C: Manager creates multiple Safes. Another manager transfers ownership

C1. Manager 66a0 uses Team's Safe to call Safe Multisend contract to create multiple Safes https://etherscan.io/tx/0xdd2d6e3c9ce3a02707ad8bcd9661ade26b88ceccdcfa6612cb521a20981e9441

C2. Manager df21 transfers ownership to user https://etherscan.io/tx/0x5a4425ab39f2dd170eb53733bfa44947c337041d16c34e9536448f36c56dc715

  • Flow D: Batch creator creates multiple Safes. Manager transfers ownership

D1. Batch creator 5769 uses Team's Safe to create multiple Safes https://etherscan.io/tx/0xfc0b485a5c48d87ad2afc77ca3a29fec8059c8da5ed890f966136b9e04c8ef21

D2. Manager df21 transfers ownership to user https://etherscan.io/tx/0x8fcd0114b4e726811221dd00273df0c60b5e17535ece9bba7a7d452588cdf466

User activities

Since Staker App is designed for HEX users, many on-chain transactions are trading or transferring HEX tokens, and some are mistaken for sybils as in #331 and #166. I tend to be tolerant towards these wallets even though there are some repetitive behaviors, unless we have more concrete evidence that they perform repetitive actions on a large scale.

An example tx history of a HEX user on Staker App looks like this: https://etherscan.io/address/0x2dbb38ddd7ae50b215bd0359a2793974ad545f81#tokentxns. What's interesting about this address history is that it only has one tx shown in Etherscan's "Transactions" section (which is the ownership transfer), yet it has a token transfer history of trading HEX on Uniswap. This is because those token transactions (example) are initiated by the Rockside relayer by calling a forwarder, and would not appear in the Safe's tx history.

Meanwhile, there are many smart contract wallets created for users but never used. In that case, the only tx history (not token transfer history) is the one for transferring ownership, initiated by one of the manager addresses 66a0 or df21.

Therefore, we must filter out those Safes with a non-zero token transfer history to separate them from unused Safes.

Staker App user journey

Staker App is still available at: iOS, Android. We can actually install the wallet and try it out!

I downloaded the latest iOS version. The homepage looks like this (sorry, I took this screenshot after the wallet was created, but you get the idea). The highlighted HEX statistics are a parallel world to our known crypto space, but they are also real!

[screenshot]

Next, I chose to create a wallet. The first two steps are the usual ones: it gave me a list of 24 secret words and then asked me to confirm them. Then came the next step: I must purchase a smart contract wallet through the App Store.

[screenshot]

I paid $9.99 with Apple Pay. Then it asked me to wait for the wallet creation. After a few minutes it's completed. I can see my wallet address:

[screenshot]

0x11D71088349a062963523E2402CE4361D3B711C2 is the wallet I created on Sep-11-2022. By "creating" the wallet I mean paying with Apple Pay and then receiving the address in the App. This is from the user's perspective. From the on-chain history perspective, however, the Safe wallet was created by the Batch Creator 5769 in a tx 49 days ago. On Sep-11-2022, Manager df21 sent a tx to the Safe to update the owners. You can see it from the tx logs: it removes Manager 66a0 from the owner list and assigns a new owner. The new owner is just the EOA address for the secret phrase that I got from StakerApp.

This is the Flow D mentioned above. It's the latest flow. How about the other Flows? We can confirm them by the shared utilization of Manager df21, 66a0 and the StakerApp Team Safe 58a0. All of them have been in use since the App's early days.

Even better, we can cross-validate on-chain tx history with StakerApp development history available on social channels. Here goes our final on-chain archeology section. We'll get to know the entire life of StakerApp through a series of hints.

Timeline analysis

  1. Twitter shows that the StakerApp account was registered in June 2020. The Team Safe 58a0 contract was created on October 27 2020 (tx), indicating that the team had been silently building when no one knew them. (Interestingly, the Safe wasn't funded until Jan-24-2021, by 0x0d0051608c23c64533d10fef230f96bd31341a54, and that wallet is a HEX whale who purchased and staked millions of HEX tokens during the market crash of March 2020.)
  2. The Staker App v1.0 launch announcement was published on 01/25/2021 (Twitter announcement link). Starting from 01/22/2021, there was increasing usage of the Rockside Relayer 4 address calling the "Forward" function. The majority of these txs are transferring Safe ownership, which is exactly Flow A. It's likely these are team activities or early-bird users.

  3. A few days later, starting from 01/27/2021, the Team Safe began to send txs to create Safes and do other operations, but many of them failed. Were they experimenting with a new wallet creation workflow after the launch?

[image: Last page of Team Safe tx history]

  4. There was a sudden gap in Manager 66a0's tx history between January and June 2021. The first tx breaking the gap was on June 14, 2021. This was 2 weeks ahead of StakerApp's next major update announcement on Medium, made on June 26 2021 (I'm seeing this in Pacific Time, so it's likely the 27th in UTC).

  5. Manager 66a0 was the one who configured ownership by calling Team Safe 58a0 (this is Flow C) from June 14 till June 25 2021. If we look at the tx history of Team Safe 58a0, the caller became 5769 on June 27 (this is Flow D), and the date exactly matches the Medium announcement date!

Conclusion

We are finally able to reconstruct the full picture with on-chain analysis, app user testing and social media validation. There is a lot of confusion over the Safes created by relayers and triggered by some centralized EOAs. I hope this analysis answers people's questions, and most importantly, we are very confident in saying that these Safes with only 1 incoming tx from 66a0 or df21 to configure the owner and without any token tx are unused StakerApp wallets.

Methodology

I already found those Safes with only 1 tx from 66a0 and df21 in #301 and #237. Combining them together, there are 7421 addresses: https://github.com/PulsarNetwork/safe-analysis/blob/main/aggregate-66a0-df21-raw.txt

Then, I ran this script to filter out those addresses with a token transfer history. In the end 6913 addresses remained in the list. These are the final results.

Safe Address: 0x984129b1C8D6048DF516D81f730475AF7D0E4223

Hope you like this report. Thank you for your time reading this!

@CaptainTee

You're too good, sir! I love this. Keep it up

I will definitely give this a push to the forum. No room for sybillers.

I just followed you on Twitter, and getting to know that you're one of the team building Phi, a project I love so much, really excites me more.

A DAO identifying airdrop farmers which is a vision of yours is interesting to me but it's painful to me that I have little to zero knowledge in coding but I really hope I can be useful in other areas. I'm in

Chatting you on twitter soon

@PulsarNetwork (Author)

Updated graph


@CaptainTee

Fuck me!!! 🥲

Despite reading this report and commenting a few days ago, I forgot to check and compare the addresses found here with my newly posted issue in #504.
I had in mind to check the addresses identified here before digging into the tons of addresses I suspected, but it seems the hastiness to meet the submission deadline has rendered some of my efforts futile, as 792 of the 1222 addresses reported in #504 have already been nailed here.

No problem, I will add more addresses from the ones I couldn't report due to timing constraints to the 430 that weren't captured here.

Also, I would be glad if you @PulsarNetwork could take a look at my findings in #504 and give me some recommendations before the team checks them.

@TjdnskEhdksk

Great job

@tschubotz (Member)

Thanks for the elaborate report. It is by far the best report we received as part of this initiative, thanks a lot for spending this effort. We were aware of Stakerapp, but didn't take the time to dig deeper. Also, as you've written before, it's most likely not the typical airdrop farming but rather unused pre-provisioned Safes. Since the SAFE allocation would be a waste, I think it's a valid report and should be considered.

It's nitpicking a bit, but your list contains 4 Safes which don't just contain the swapOwner call:

3 made more than 1 tx:

0x2e5eb2e5c7caa1df6a825f893dee87b70d510568
0x1492e1c7a350b8e8d0b0a5a880b40f777bd38b12
0x5ada55b346e3c39f35ed83e6b056dd7bda4039c4

1 Safe has some ETH stored:

0x2cc8d98e3d14432f1286bc4d7862a7d48f4604fc

  • Your report contains 6913 addresses.
  • 1398 have been found by others before.
  • 4 addresses I would exclude as shown above.
  • Leaving 5511 Safes.

I won't paste them all here, the complete list will be visible in the commit connected to this issue.

This means a quite high reward, more in the range of the guardians program / Safe ecosystem allocation rather than the user allocation. Please use these Safe tokens wisely, and we would appreciate it if you'd become an active and vocal part of our community.
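The report's Methodology section describes a script (not reproduced on the page) that keeps only Safes with a single manager-sent swapOwner tx and no token transfers, and the comment above adds two exclusions (Safes with more than one tx, Safes holding ETH). The script below is an added example that implements all of those criteria together as one classifier; it is not the report's own script nor any Safe or Staker App code. Everything it runs on is constructed: the manager addresses are stand-ins for the EOAs the report names only by their suffixes 66a0 and df21, the tx and token-transfer records are made up, and the classifier assumes the tx records already carry the decoded function name (as explorer APIs commonly return it) rather than raw calldata.

```python
"""Classify Safe addresses against the "unused pre-provisioned Safe" pattern:
exactly one on-chain tx, sent by a manager EOA to the Safe, calling swapOwner;
no token transfers; no ETH held.

Added example. All records below are constructed; the manager addresses are
stand-ins for the EOAs the report calls 66a0 and df21.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def _addr(suffix: str, fill: str = "0") -> str:
    """Build a constructed 20-byte hex address ending in `suffix`."""
    return "0x" + fill * (40 - len(suffix)) + suffix


MANAGER_66A0 = _addr("66a0")  # constructed stand-in, not the real EOA
MANAGER_DF21 = _addr("df21")  # constructed stand-in, not the real EOA
MANAGERS = {MANAGER_66A0, MANAGER_DF21}

# Assumed: the tx list carries the decoded function name, as explorer APIs usually do.
SWAP_OWNER = "swapOwner(address prevOwner,address oldOwner,address newOwner)"


@dataclass(frozen=True)
class NormalTx:
    """One row of a Safe's external transaction list (constructed shape)."""
    tx_hash: str
    from_addr: str
    to_addr: str
    function_name: str
    is_error: bool = False


@dataclass(frozen=True)
class TokenTx:
    """One row of a Safe's ERC-20 transfer list (constructed shape)."""
    tx_hash: str
    token_symbol: str
    from_addr: str
    to_addr: str


@dataclass(frozen=True)
class SafeRecord:
    address: str
    normal_txs: Tuple[NormalTx, ...]
    token_txs: Tuple[TokenTx, ...]
    eth_balance_wei: int = 0


def classify(safe: SafeRecord) -> str:
    """Return "unused" when every criterion holds, otherwise the first one that fails."""
    if not safe.normal_txs:
        return "no transactions"
    if len(safe.normal_txs) > 1:
        return "more than one tx"  # first exclusion raised in review
    only = safe.normal_txs[0]
    if only.to_addr.lower() != safe.address.lower() or only.from_addr.lower() not in MANAGERS:
        return "sole tx not sent by a manager to the Safe"
    if not only.function_name.startswith("swapOwner("):
        return "sole tx is not swapOwner"
    if only.is_error:
        return "swapOwner tx failed"
    if safe.token_txs:
        return "has token transfers"  # the report's own filter (active HEX users)
    if safe.eth_balance_wei > 0:
        return "holds ETH"  # second exclusion raised in review
    return "unused"


def filter_unused(safes: Iterable[SafeRecord]) -> List[str]:
    """Addresses that match the unused pattern, in input order."""
    return [s.address for s in safes if classify(s) == "unused"]


def summarize(safes: Iterable[SafeRecord]) -> Counter:
    """How many Safes fell into each verdict."""
    return Counter(classify(s) for s in safes)


# Constructed sample: four Safes, one per outcome.
SAFE_A, SAFE_B, SAFE_C, SAFE_D = (_addr("", c) for c in "abcd")
NEW_OWNER = _addr("", "e")  # constructed EOA handed ownership
COUNTERPARTY = _addr("", "f")  # constructed address on the other side of a HEX trade


def _swap(safe: str, manager: str, tx_hash: str) -> NormalTx:
    return NormalTx(tx_hash, manager, safe, SWAP_OWNER)


SAMPLE_SAFES = (
    # A: one swapOwner from df21 and nothing else -> the unused pattern
    SafeRecord(SAFE_A, (_swap(SAFE_A, MANAGER_DF21, "0x01"),), ()),
    # B: same ownership tx, but the owner traded HEX through the relayer -> real user
    SafeRecord(SAFE_B, (_swap(SAFE_B, MANAGER_66A0, "0x02"),),
               (TokenTx("0x03", "HEX", SAFE_B, COUNTERPARTY),)),
    # C: the new owner later called the Safe directly -> more than one tx
    SafeRecord(SAFE_C, (_swap(SAFE_C, MANAGER_DF21, "0x04"),
                        NormalTx("0x05", NEW_OWNER, SAFE_C, "execTransaction(...)")), ()),
    # D: ownership tx only, but 0.01 ETH sits in the Safe
    SafeRecord(SAFE_D, (_swap(SAFE_D, MANAGER_DF21, "0x06"),), (), eth_balance_wei=10**16),
)

if __name__ == "__main__":
    for safe in SAMPLE_SAFES:
        print(safe.address, "->", classify(safe))
    print(dict(summarize(SAMPLE_SAFES)))
```

Running it prints one verdict per sample Safe and a count per verdict; on real data the records would be fetched per address from an explorer API and fed to `classify` unchanged, with the `summarize` counts serving as the sanity check that the exclusions actually bite.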

@tschubotz tschubotz added Valid report Report accepted and removed staker Report related to staker, to be evaluated later labels Sep 21, 2022
@CaptainTee

Congratulations to you @PulsarNetwork
Truly, your report is the best 👍

@MisakaCenter

Congrats! @PulsarNetwork

tschubotz added a commit that referenced this issue Sep 21, 2022
@PulsarNetwork (Author)

Thanks so much @tschubotz and the Safe community! Thank you for correcting the few misplaced addresses. Happy to see the tokens go to the right hands in the Safe community without being wasted. It's my pleasure to be part of the Safe community. I'll think carefully about how I will use the tokens to strengthen the community.
