Banana Gun, a Telegram-based cryptocurrency trading bot, has confirmed a $3 million loss from a recent hack that exploited a vulnerability in its Telegram message oracle. Despite the size of the loss, Banana Gun announced that all affected users would be fully refunded.
Details of the Hack
On September 19, Banana Gun users began reporting unauthorized transfers from their crypto wallets. As a precaution, Banana Gun temporarily disabled its Ethereum Virtual Machine (EVM) and Solana trading bots to prevent further losses. Initially, reports suggested that 36 users had lost a combined $2 million worth of Ether. However, a detailed post-mortem revealed that 11 users were affected, with the total loss amounting to $3 million.
Banana Gun assured its users that the refunds would come from the company’s treasury, and no tokens would be sold to cover the reimbursements.
Vulnerability and Response
The attack was notable in that it targeted experienced crypto traders rather than novice investors. According to the post-mortem, the attacker exploited a vulnerability in the bot's Telegram message oracle that allowed them to manually transfer Ether out of users' wallets while the trading bot was active. The unauthorized transfers triggered the bot's own in-bot notifications, which is how affected users learned of them and how the breach was confirmed.
After identifying and patching the vulnerability, Banana Gun restarted its bots and implemented several new security measures to prevent future incidents. These measures include:
- A two-hour transfer delay
- Two-factor authentication (2FA) for all transfers
- A comprehensive review of their system’s architecture
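The two controls above, a transfer delay and a second factor on release, only work if both are enforced on the server side on every outbound path, including whatever path the message oracle used to push manual transfers. The following is an added illustration of that pattern, not Banana Gun's code; the page does not say which 2FA method or which delay-enforcement mechanism they chose, so this example assumes RFC 6238 TOTP as the second factor, a hypothetical `TransferGuard` class, and a two-hour server-side queue with an unauthenticated-by-OTP cancel path for the wallet owner:

```python
import hashlib
import hmac
import struct
import time
import uuid
from dataclasses import dataclass
from typing import Dict, Tuple

# Assumed policy value: the two-hour delay the page lists as a new control.
TRANSFER_DELAY_SECONDS = 2 * 60 * 60


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; assumed here as the 2FA method."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class PendingTransfer:
    transfer_id: str
    user_id: str
    to_address: str
    amount_wei: int
    queued_at: int
    cancelled: bool = False
    executed: bool = False


class TransferGuard:
    """Hypothetical server-side gate: every outbound transfer is queued, must
    wait out the delay, and must present a valid OTP before it reaches the signer."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for deterministic tests
        self._totp_secrets: Dict[str, bytes] = {}  # user_id -> raw TOTP secret
        self._pending: Dict[str, PendingTransfer] = {}

    def enroll_2fa(self, user_id: str, secret: bytes) -> None:
        self._totp_secrets[user_id] = secret

    def queue_transfer(self, user_id: str, to_address: str, amount_wei: int) -> PendingTransfer:
        if amount_wei <= 0:
            raise ValueError("amount must be positive")
        t = PendingTransfer(uuid.uuid4().hex, user_id, to_address, amount_wei, int(self._clock()))
        self._pending[t.transfer_id] = t
        return t

    def cancel(self, transfer_id: str, user_id: str) -> bool:
        """The owner's escape hatch during the delay window. Deliberately requires
        no OTP: cancelling should be easier than releasing, never harder."""
        t = self._pending.get(transfer_id)
        if t is None or t.user_id != user_id or t.executed:
            return False
        t.cancelled = True
        return True

    def release(self, transfer_id: str, user_id: str, otp: str) -> Tuple[bool, str]:
        """All checks must pass; the reason string is for audit logging."""
        t = self._pending.get(transfer_id)
        if t is None or t.user_id != user_id:
            return False, "unknown_transfer"
        if t.cancelled:
            return False, "cancelled"
        if t.executed:
            return False, "already_executed"
        now = int(self._clock())
        if now - t.queued_at < TRANSFER_DELAY_SECONDS:
            return False, "delay_not_elapsed"
        secret = self._totp_secrets.get(user_id)
        if secret is None:
            return False, "2fa_not_enrolled"
        # Accept the current 30 s window and one on either side for clock skew;
        # constant-time compare so the check does not leak digit matches.
        if not any(hmac.compare_digest(totp(secret, now + d), otp) for d in (-30, 0, 30)):
            return False, "bad_otp"
        t.executed = True
        return True, "released"


if __name__ == "__main__":
    # Constructed demo: an attacker-initiated transfer is blocked by the delay,
    # and the owner cancels it before the window closes.
    guard = TransferGuard()
    guard.enroll_2fa("alice", b"12345678901234567890")  # constructed secret
    pending = guard.queue_transfer("alice", "0xattacker", 10**18)
    print(guard.release(pending.transfer_id, "alice", "000000"))   # delay blocks it
    print(guard.cancel(pending.transfer_id, "alice"))               # owner cancels
```

The ordering of checks matters: the delay is evaluated before the OTP, so an attacker who has phished a code still cannot move funds within the window, and the legitimate user has the whole window to cancel without needing their second factor. The TOTP routine is standard RFC 6238 and is included only so the block runs offline; a production deployment would use a vetted library and store the secrets in an HSM or secrets manager rather than in memory.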
Negotiating with Hackers
Banana Gun’s case highlights an ongoing challenge in the DeFi space, where sophisticated attackers target high-value accounts. In another recent incident, the Shezmu protocol suffered a roughly $5 million hack and chose to negotiate with its attacker. On September 21, the attacker accepted a white hat bounty and returned most of the stolen Ether and Dai to the protocol.