What happened with the recent $5.2m transaction fee transfers on the Ethereum blockchain?
Earlier this month two mysterious transactions were broadcast on the Ethereum blockchain. It wasn’t the amount of ETH being transferred that drew attention to them; it was the enormous transaction fees.
Whilst the average fee on the Ethereum blockchain is less than half a dollar, these two transactions carried a combined transaction fee of $5.2 million!
https://etherscan.io/tx/0xca8f8c315c8b6c48cee0675677b786d1babe726773829a588efa500b71cbdb65
Initial speculation over the cause of these excessively large transaction fees was mixed — some thought it may have been a fat-finger blunder (which would have left the culprit red-faced and probably looking for a new job), a bug in a company’s automated transaction processing software, a creative attempt at tax evasion, or even something more nefarious.
Ethereum co-creator Vitalik Buterin offered his own hypothesis, based on research from PeckShield (a blockchain security company).
Whilst the industry debated the who and the why, the pools that mined the blocks containing these fees froze the payout to their pool members and released statements inviting the address owner to come forward. For one of the mining pools, SparkPool, this wasn’t the first time they had received an extra-large transaction fee — in 2019 they received a 2,100 ETH fee, which they later split 50:50 after it was found to have been sent in error by a South Korean blockchain firm.
However, just a few days later the reason for these large fee payments was revealed by PeckShield and shown to be, as Vitalik had also suspected, a blackmail attempt.
The owner of the associated addresses was Good Cycle, a small South Korean peer-to-peer exchange, which sent SparkPool and Ethermine a transaction from the address carrying the message “I am the sender” to prove ownership of the funds.
PeckShield noted in their analysis that Good Cycle had poor security protection (including serving its site over plain HTTP rather than HTTPS), had allegedly suffered a number of hacks already (based on announcements on its own website), and was likely a Ponzi scheme.
So how exactly would a blackmail attempt like this work? Let’s dig in.
It seems that the accounts holding Good Cycle’s ether were multi-sig — moving the funds required not one private key but several. This is certainly a better way to protect your ether, since any attacker must compromise more than one key. However, what the attackers discovered was that with just one private key they could move the funds to a whitelisted account — also owned by Good Cycle. Whilst this didn’t move the funds into an account they controlled, it did let them send a powerful message to Good Cycle: give us access to move these funds into our possession, or we’ll burn your ether on fees. It’s reminiscent of two toddlers having a tantrum, where one decides that if she can’t have the toy, she’ll break it so that at least you can’t have it either.
So in this case, the attackers created two transactions from the compromised account to the whitelisted account and set the transaction fee on each to a staggering $2.6m worth of ether. As the account held a little over $11m worth of ether, this was a signal to Good Cycle to either pay up or lose out.
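The weakness described above is that the multi-sig policy constrained the destination but not the fee, so a single key could still destroy value. The following Python is an added example (not code from the article, PeckShield or Good Cycle) of a pre-signing check that treats the worst-case fee as spend in its own right; the whitelist addresses, caps and amounts are constructed placeholders.

```python
# Added example: a pre-signing fee policy for a custodial/exchange hot wallet.
# Addresses, caps and sample amounts are constructed, not taken from the incident.

WEI_PER_ETH = 10**18
GWEI = 10**9

# Constructed whitelist: destinations a single signer is allowed to send to.
WHITELIST = {"0x" + "a" * 40, "0x" + "b" * 40}

def max_fee_wei(gas_limit: int, gas_price_wei: int) -> int:
    """Worst case the miner can collect: every unit of gas at the quoted price."""
    return gas_limit * gas_price_wei

def fee_policy_violations(to, value_wei, gas_limit, gas_price_wei,
                          whitelist=WHITELIST,
                          fee_cap_wei=WEI_PER_ETH // 20,  # absolute cap: 0.05 ETH
                          max_fee_bps=100):               # fee <= 1% of value sent
    """Return the list of violated rules; an empty list means the tx may be signed."""
    violations = []
    if to.lower() not in {a.lower() for a in whitelist}:
        violations.append("destination not whitelisted")
    fee = max_fee_wei(gas_limit, gas_price_wei)
    if fee > fee_cap_wei:
        violations.append(f"fee {fee / WEI_PER_ETH:.4f} ETH exceeds absolute cap")
    # Integer arithmetic so absurd fees never lose precision; zero-value calls
    # (contract interactions) are still covered by the absolute cap above.
    if value_wei > 0 and fee * 10_000 > value_wei * max_fee_bps:
        violations.append("fee exceeds allowed fraction of value")
    return violations

def normal_transfer():
    # 1 ETH to a whitelisted address at 50 gwei with 21,000 gas: fee 0.00105 ETH.
    return fee_policy_violations("0x" + "a" * 40, WEI_PER_ETH, 21_000, 50 * GWEI)

def ransom_style_transfer():
    # Same whitelisted destination, tiny value, absurd gas price: fee of 10,500 ETH.
    # The destination rule alone would pass this; the fee rules catch it.
    return fee_policy_violations("0x" + "a" * 40, WEI_PER_ETH // 10, 21_000,
                                 500_000_000 * GWEI)

if __name__ == "__main__":
    print("normal:", normal_transfer() or "ok")
    print("ransom-style:", ransom_style_transfer())
```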
It’s unclear what happened next between Good Cycle and the hackers, however there continued to be activity in and out of the compromised account: https://etherscan.io/address/0xcdd6a2b9dd3e386c8cd4a7ada5cab2f1c561182d
But what about the fees?
Around 4 days after the hack, one of the mining pools, Ethermine, announced that they had distributed the fees across their pool members. The other lucky pool, SparkPool, had set a deadline for the affected party to come forward, and Good Cycle managed to send their ownership message just in time, so one would suspect they are now in conversation with SparkPool trying to persuade them to refund the fees.