1、
July 6, 2022, a Wednesday that could not have been more ordinary.
Programmer Xiao San finally finished the last contract test, spun around in his ergonomic chair and stretched contentedly.
"Okay, next on today's list: build and deploy an Ethereum staking node."
The Merge was about two months away, and Xiao San had 289 ETH in his wallet that he planned to stake and earn yield on.
"But the Ledger wallet seems to have a bug today? Forget it, I'll just transfer it to the account I deployed the contract from. Publishing and testing the contract will burn some gas anyway."
After typing out the transfer script, Xiao San went to make a cup of coffee. An ordinary latte, just like this ordinary Wednesday.
Coffee in hand, Xiao San started refreshing Etherscan to see whether the transaction he had just sent was confirmed. "Hmm? The receiving account doesn't look right?"
Xiao San's heart skipped a beat, the cup slipped from his hand to the floor, and his hands and feet went cold:
"It's over! I sent 289 ETH to the Hardhat test account!"
2、
Hardhat is the most widely used development framework for Ethereum. It provides a toolchain for writing, testing and deploying smart contracts.
One of its most important features for developers is the ability to spin up, or fork, an Ethereum environment locally so that contracts can be tested without touching a real network.
When you run `npx hardhat node`, Hardhat starts a local simulated network (Hardhat Network, chain id 31337 by default) and generates 20 fixed test accounts (EOAs), derived from a well-known mnemonic, printing each address together with its private key in the terminal.
Each of these 20 accounts is initialized with a balance of 10,000 ETH so that developers can deploy and exercise contracts locally.
(With 20 accounts worth hundreds of millions, I'm the king of localhost!)
Note that this local simulated network has nothing to do with Ethereum mainnet: the 10,000 ETH on each of these 20 accounts exists only on your own machine.
The catch is that the 20 accounts are the same on every developer's machine, and their private keys are published in the Hardhat documentation and in every `npx hardhat node` terminal. Anyone can import those keys and sweep whatever real assets land on those addresses on mainnet (or on any other live network), and automated bots do exactly that.
So if an engineer finishes testing, forgets to switch environments, treats the test configuration as the mainnet one, and sends ETH to one of these 20 test addresses, tragedy follows...
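The mistake described above has two ingredients: a script pointed at a different network than the developer thinks, and a recipient whose private key is public. The following pre-flight guard, written for this article as an illustration and not taken from the original post or from Hardhat, checks both before a transfer script signs anything. The function name `preflight` and the parameter names are assumptions; the chain ids are facts (Ethereum mainnet is 1, Hardhat Network defaults to 31337), and the only address in the deny list is the one this article names, Hardhat's default account #0.

```javascript
// Added example, not from the original post. Pre-flight checks for a transfer script.
// Assumed names: preflight(), KNOWN_TEST_ADDRESSES. Chain ids are real defaults.

const CHAIN_IDS = { mainnet: 1, hardhat: 31337 };

// Addresses whose private keys are public. Only the address named in the article
// (Hardhat default account #0) is listed; in a real project paste all 20 addresses
// printed by `npx hardhat node`, plus any other published developer keys.
const KNOWN_TEST_ADDRESSES = new Set(
  ['0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266'].map((a) => a.toLowerCase())
);

function isHexAddress(value) {
  return typeof value === 'string' && /^0x[0-9a-fA-F]{40}$/.test(value);
}

// intendedNetwork:  what the script *thinks* it is talking to ('mainnet' | 'hardhat').
// rpcChainId:       what the node actually reported, e.g. (await provider.getNetwork()).chainId
//                   in ethers (a number in v5, a BigInt in v6; Number() handles both).
// to / amountEth:   the transfer being prepared.
// testedRecipients: addresses that already received a confirmed dust transaction.
// Returns { ok, problems } rather than throwing so the caller can log every reason at once.
function preflight({ intendedNetwork, rpcChainId, to, amountEth, testedRecipients = [], maxUntestedEth = 0.05 }) {
  const problems = [];
  const expectedChainId = CHAIN_IDS[intendedNetwork];

  // 1. The configured network and the live RPC endpoint must agree.
  if (expectedChainId === undefined) {
    problems.push(`unknown network "${intendedNetwork}"`);
  } else if (Number(rpcChainId) !== expectedChainId) {
    problems.push(`script targets ${intendedNetwork} (chainId ${expectedChainId}) but the RPC reports chainId ${rpcChainId}`);
  }

  if (!isHexAddress(to)) {
    problems.push(`recipient ${to} is not a 20-byte hex address`);
  } else {
    const lower = to.toLowerCase();
    // 2. A public-key test account is only safe on the local simulated chain.
    //    This is the check that the chain-id comparison alone cannot provide:
    //    in the incident the network was right and the address was wrong.
    if (KNOWN_TEST_ADDRESSES.has(lower) && Number(rpcChainId) !== CHAIN_IDS.hardhat) {
      problems.push(`recipient ${to} is a publicly-known test account; funds sent on chainId ${rpcChainId} can be swept by anyone`);
    }
    // 3. Large first-time transfers require a prior dust transaction to the same address.
    const tested = testedRecipients.some((t) => t.toLowerCase() === lower);
    if (amountEth > maxUntestedEth && !tested) {
      problems.push(`sending ${amountEth} ETH to an address that has not received a dust test transaction yet`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed replay of the incident: right network, wrong recipient, no dust test.
const incident = preflight({
  intendedNetwork: 'mainnet',
  rpcChainId: 1,
  to: '0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266',
  amountEth: 289,
});
console.log(incident); // ok: false, two problems: known test account, no dust transaction
```

Run the guard on the exact `to` and `value` you are about to pass to `sendTransaction`, after asking the provider for its chain id rather than reading it from your own config file; a config file is precisely what was wrong in this story. The dust-transaction rule encodes the habit the victim describes in his own message ("send small test transactions") as something the script enforces instead of something a tired developer has to remember.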
3、
As described above, on July 6 of last year (2022), a friend known as threepvault.eth sent 289 ETH to the Hardhat test account
0xf39Fd6e51aad88F6F4ce6aB8827279cffFb92266
Why 0xf39F? Because it is the first account (index 0) that Hardhat generates, and therefore the one developers reach for most often.
So the likely sequence is that this unlucky programmer copied the first test account for local testing, forgot to switch the configuration, and sent 289 ETH to that very address on mainnet.
At the price at the time, 289 ETH was worth about 340,000 US dollars; at today's price it would be more than 500,000 US dollars, a loss of roughly 3 million RMB.
What happened next? Let’s look at the on-chain data:
The erroneous transfer landed in block 15086827, when Ethereum was still in the proof-of-work era.
It was a Flashbots block, and a MEV searcher was lucky enough to capture this backrun "opportunity".
The erroneous transfer was included in a MEV bundle with the searcher's sweep transaction right behind it. After paying about 4.8 ETH in fees, the remaining roughly 284 ETH in the Hardhat test account 0xf39F was moved to the account 0x043D. Note that the sweep sat in the same block as the mistake: there was never a window in which the victim could have pulled the funds back himself.
From there the funds were later broken up and deposited into Tornado Cash in 100 ETH, 10 ETH, 1 ETH and finally 0.1 ETH denominations (the pool sizes Tornado Cash offers):
At that point, assets worth 2 to 3 million RMB were gone for good.
4、
Forty minutes after the tragedy, the victim came online.
He sent an NFT to the searcher. The NFT, called Message In a Bottle, renders a piece of text into an image and mints it as an NFT.
In it, he described his state of mind:
hello I was trying to stake a validator node
tonight. Had to send eth to a hot wallet due to a ledger bug.
Thought I was sending it to my contract deployer wallet.. turns out it was a public hardhat test account.
I'm typically pretty careful (hw wallet, send small test transactions) but was careless tonight. Feels bad man.
On the off chance you see this, I'd love to try to negotiate a bounty or something similar. I made a really stupid mistake
5、
The searcher ignored him.
Five hours after the tragedy, the owner of the 0x043D account, the MEV searcher, came online and methodically began moving the assets, splitting the 284 ETH into larger and smaller chunks and depositing them into Tornado Cash.
6、
But the story does not end here.
Fifteen hours after the tragedy, the victim was online again.
After losing 289 ETH, I don't know how he got through those 15 hours.
By now he should have accepted the loss, but not entirely.
The victim registered an ENS name,
willpay100ethiffundsarereturnedtothreepvault.eth ("I will pay 100 ETH if the funds are returned to threepvault"), sent it to the searcher's address, and thereby made his offer.
Perhaps he hoped the message would make the searcher relent and send the funds (about 189 ETH net of the promised 100 ETH bounty) back to him.
By March 2023, more than half a year after the tragedy, the searcher's address had made no move: it issued no transactions, and no deposit from Tornado Cash arrived in the victim's account. I think the story ends here, with no follow-up to come. This is the dark forest. No one will pay for your mistakes; the only one you can rely on is yourself.