DeFi Detectives: Chef Nomi Investigation Notes

Last week I had a lot of fun with the latest blockchain investigation competition put together by folks at Anchain. The competition spanned two weeks and included a number of questions challenging players to dig through Ethereum blockchain transaction and smart contract data. In addition to many freely available tools, participants were also offered a free license of Anchain’s CISO blockchain analytics platform which made the analysis a lot easier.

In this writeup I will discuss blockchain analytics tools, techniques, and lessons learned while solving challenges. I will only focus on solving the last (and hardest) challenge: investigating the infamous exit scam and the eventual return of funds by SushiSwap’s Chef Nomi back in September 2020. My goal is to share the investigation steps so that you, the reader, will also be inspired to participate in future contests or maybe even make this your future career. Check out my Blockchain Threat Intelligence newsletter for ideas on how to contribute to this field. If you would rather see the solution and investigation files, just scroll down to the report section of the article.

Here is the challenge question:

On September 5th Chef Nomi, the original creator of SushiSwap, cashed out around $14M from SushiSwap and gave it back on September 11th. Can you find what happened on CISO? List the accounts involved here:

The investigation begins with the transaction above where 38,000 ETH are transferred between 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd and 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76 addresses:

AnChain CISO: 38,000 ETH transaction on September 11, 2020.

The exact transaction hash was referenced by Chef Nomi in his apology tweet on September 11th, 2020, where he implies that all of the withdrawn ETH was returned to the treasury account:

Twitter: Chef Nomi’s apology tweet

Let’s figure out what these addresses are, starting with 0xf942db (short for 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd). Etherscan labels this address as SushiSwap: Deployer. Indeed, its early transaction history shows that it was used to deploy the SushiSwap: SUSHI Token contract on August 26th:

Etherscan: SushiSwap: SUSHI Token deployment

Chef Nomi was the only person who could have deployed that contract, so we can confidently associate 0xf942db address with him or her.

The 0xf73b31 (short for 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76) address is even more interesting since it is actually a Multi-Sig Wallet deployed by the very same 0xf942 address on September 3rd, 2020:

Etherscan: Multi-Sig contract deployment

Interesting! So Chef Nomi transferred 38,000 ETH from a known personal Ethereum account to a Multi-Sig wallet they had created in the first place. The beauty of Multi-Sig contracts is that it’s possible to query the wallet owners to better understand who actually controls the wallet. For this we can use Etherscan’s convenient contract read feature to enumerate owners:

Etherscan: Multi-Sig getOwners() output

Notice that Chef Nomi’s 0xf942db address is completely missing from the list above. In fact, Chef Nomi made a transaction to change ownership from 0xf942db to 0xd57581d9e42e9032e6f60422fa619b4a4574ba79. Once again, Etherscan gives us a detailed transaction event log:

Etherscan: Multi-Sig change ownership transaction

Who is this 0xd57581? Searching for this address on social media, a curious exchange showed up between Chef Nomi’s twitter account @Nomichef and FTX Exchange CEO’s twitter account @SBF_Alameda:

Twitter: @SBF_Alameda publishing his Ethereum address

Based on the above exchange, the FTX CEO agreed to take over the SushiSwap project and published his Ethereum wallet address from the official Twitter account as proof of ownership. Following the deposit, @SBF_Alameda (0xD57581) proceeds to deposit 5.57m SUSHI, which he had just purchased on Uniswap, into the Multi-Sig contract (0xf73b31):

Anchain CISO: @SBF_Alameda depositing 5.56M SUSHI into the Multi-Sig address

Shortly after, @SBF_Alameda proceeds to withdraw 38,000 ETH as compensation. The exchange is illustrated in the transaction trace below:

Anchain CISO: @SBF_Alameda withdrawing 38,000 ETH

While the exchange implies that the 0xf73b31 plays an important role in the SushiSwap ecosystem, it is not clear exactly why it was chosen for these transactions. In order to understand this piece of the puzzle, let’s take a look at how the reward system works on SushiSwap.

In the Medium post (now deleted) announcing the SushiSwap project, Chef Nomi mentions a Project Sustainability/Dev fund:

Medium: Project Sustainability Fund

Looking at the project’s source code, I found the following line which implements reward logic in MasterChef.sol:

Github: SUSHI rewards to Dev fund

The address for the Dev fund is stored in the variable devaddr and is defined in the smart contract constructor at initialization time:

Github: Dev fund address initialization

According to the Medium article, the MasterChef contract was deployed at 0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd. Let’s look at the very first transaction on Etherscan to see what devaddr was set to at contract deployment time:

Etherscan: MasterChef contract deployment transaction

The input data is unfortunately difficult to decipher; however, we can find constructor initialization data at the bottom of the input data blob:

Etherscan: Masterchef contract deployment payload

Each of the constructor variables is of size uint256 making it easy to split up into individual parameters:

Constructor Parameters

Conveniently these parameters match up with the source code giving us the parameter of the devaddr. It is explicitly set to Chef Nomi’s address:

Github: Masterchef.sol constructor variables
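The word-splitting step described above can be scripted. The following is an added example, not code from the original article or from SushiSwap: the constructor layout is assumed from the public MasterChef.sol source, and the sample input is constructed (stand-in bytecode, the two addresses named in this article, and made-up numeric values).

```python
# Added example (not the article's code): decode constructor arguments.
WORD = 32  # each static ABI value (address, uint256) fills one 32-byte word

# Constructor layout assumed from the public MasterChef.sol source.
MASTERCHEF_CTOR = [
    ("_sushi", "address"),
    ("_devaddr", "address"),
    ("_sushiPerBlock", "uint256"),
    ("_startBlock", "uint256"),
    ("_bonusEndBlock", "uint256"),
]


def decode_word(word, abi_type):
    if abi_type == "address":
        # An address is 20 bytes, left-padded with 12 zero bytes.
        if any(word[:12]):
            raise ValueError("non-zero padding: word is not an address")
        return "0x" + word[12:].hex()
    if abi_type.startswith("uint"):
        return int.from_bytes(word, "big")
    raise ValueError("unsupported static type: " + abi_type)


def decode_constructor_args(input_hex, layout):
    raw = input_hex[2:] if input_hex.startswith("0x") else input_hex
    data = bytes.fromhex(raw)
    tail_len = WORD * len(layout)
    if len(data) < tail_len:
        raise ValueError("input data is shorter than the constructor arguments")
    tail = data[-tail_len:]  # arguments follow the creation bytecode
    return {
        name: decode_word(tail[i * WORD:(i + 1) * WORD], abi_type)
        for i, (name, abi_type) in enumerate(layout)
    }


def build_sample_input():
    # Constructed input: stand-in bytecode plus five words. The two addresses
    # are the ones named in this article; the three numbers are made up.
    bytecode = "60806040" * 4
    words = [0x6b3595068778dd592e39a122f4f5a5cf09c90fe2,
             0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd,
             100 * 10**18, 1_000_000, 1_100_000]
    return "0x" + bytecode + "".join(f"{w:064x}" for w in words)


if __name__ == "__main__":
    decoded = decode_constructor_args(build_sample_input(), MASTERCHEF_CTOR)
    for name, value in decoded.items():
        print(f"{name:16} {value}")
```

Taking the last N words only works because every parameter here is a static type; constructors with strings, byte arrays or dynamic arrays encode offsets in the head and need a full ABI decoder.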

This allowed 0xf942db to collect 10% of all minted SUSHI which Chef Nomi eventually cashed out on September 5th, 2020. However, if we look at the current state of the variable, we will find a completely different address:

Etherscan: MasterChef contract devaddr variable

The address corresponds to the Multi-Sig wallet where Chef Nomi returned 38,000 ETH. The 0xf73b31 address is in fact the new treasury account collecting the 10% reward that @Nomichef mentioned in their tweet. There is only one function which can update the devaddr variable in the contract:

Github: MasterChef.sol function to update devaddr value

We can quickly locate the call to that function by scanning the function call activity provided by Bloxy:

Bloxy: Smart contract function calls

There was only one function call to the dev(address) function. Chef Nomi executed it on September 5, 2020, a few minutes after dumping SUSHI on Uniswap:

The call includes the new devaddr parameter 0xf73b31 which defines the new Treasury or Developer fund account.

At this point we can build a more complete report and timeline of all of the events from the initial creation of the SushiSwap project all the way to the event at and surrounding the September 11 transaction in the challenge:

SushiSwap Investigation Report

@Nomichef is an anonymous developer who created the SushiSwap DeFi contract on August 26, 2020. The contract included a developer account controlled by @Nomichef which collected 10% of all minted SUSHI tokens. On September 5, 2020, @Nomichef emptied ~$14M worth of SUSHI from the developer account and exchanged it for 38011 ETH on Uniswap. @Nomichef also set a new Multi-Sig contract as the new developer account to collect SUSHI rewards.

After the public outcry, @Nomichef transferred 38,000 ETH to a previously created Multi-Sig contract which is now controlled by FTX Exchange’s CEO, @SBF_Alameda. @SBF_Alameda in turn deposited 5.57M SUSHI and withdrew @Nomichef’s ETH as compensation. The multi-sig developer account is one of the largest DeFi whale accounts worth ~$9B at the time of the analysis.

Blockchain Analysis

The following blockchain analysis graphs were produced using Anchain CISO to document transactions on Ethereum blockchain related to the case:

ETH Transactions:

SUSHI Transactions:

Events Timeline

Addresses Guide

  • 0x6b3595068778dd592e39a122f4f5a5cf09c90fe2 — Sushi Token contract
  • 0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd — SushiSwap: MasterChef LP Staking Pool, also largest liquidity position on SushiSwap
  • 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd — @NomiChef account / SushiSwap: Deployer / Devshare account which gets 10% of every SUSHI distribution
  • 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76 — Contract: MultiSigWalletWithDailyLimit / New Devshare account
  • 0x80c5e6908368cb9db503ba968d7ec5a565bfb389 — Zapper.Fi Uniswap
  • 0xCE84867c3c02B05Dc570D0135103d3fb9cC19433 — Uniswap V2
  • 0xD57581D9e42E9032e6f60422fA619b4A4574Ba79 — @SBF_Alameda — FTX CEO

Stage 0: Setup

2020–08–26 12:28:07 PM UTC — @Nomichef (0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd) deploys SUSHI Token contract (0x6B3595068778DD592e39A122f4f5a5cF09C90fE2)

2020–08–26 01:00:51 PM UTC — @Nomichef (0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd) deploys MasterChef LP Staking Pool (0xc2EdaD668740f1aA35E4D8f227fB8E17dcA888Cd). The constructor explicitly sets devaddr to f942dba4159cb61f8ad88ca4a83f5204e8f4a6bd:

2020–09–03 01:16:40 PM UTC — @Nomichef deploys Multi-sig wallet 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76

Stage 1: The exit

2020–09–05 09:20:10 AM UTC — @Nomichef initiates a transaction to Zapper.Fi Uniswap (0x80c5e6908368cb9db503ba968d7ec5a565bfb389) contracts:

In this transaction 5.0249m SUSHI are used to open up SUSHI-WETH liquidity pairs on Uniswap V2 (0xCE84867c3c02B05Dc570D0135103d3fb9cC19433) and Zapper.Fi (0x80C5e6908368CB9db503BA968D7ec5A565BfB389) platforms for the amount of 38860.1622 WETH total.

2020–09–05 09:33:19 AM UTC — @Nomichef changes devshare account address from 0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd to the Multi-Sig wallet 0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76:

2020–09–05 11:57:05 AM UTC — The pair was liquidated for the amount of 38011 ETH which was transferred back to @Nomichef (0xf942dba4159cb61f8ad88ca4a83f5204e8f4a6bd)

Stage 2: The return

2020–09–06 06:29:00 AM UTC — Agreement is reached to return funds to the multi-sig wallet and transfer control to @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79):

2020–09–06 07:32:34 AM UTC — Multi-sig wallet owner is replaced from @Nomichef to @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79).

2020–09–11 03:25 PM UTC — @Nomichef transfers 38k ETH back to the SUSHI multi-sig wallet (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76)

2020–09–11 03:31:00 PM UTC — @Nomichef makes an apology tweet and describes transferring 38k ETH to a treasury multi-sig account.

Stage 3: Payback

2020–09–15 01:13:46 AM UTC — @SBF_Alameda begins accumulating 39699.94 ETH from Bittrex (0xfbb1b73c4f0bda4f67dca266ce6ef42f520fbb98) and another unknown exchange (0x964d9d1a532b5a5daeacbac71d46320de313ae9c) in a series of transactions:

2020–09–15 02:06 AM UTC — @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79) finishes exchanging ETH to SUSHI on Uniswap. This is the last transaction in the series:

2020–09–15 02:15:46 AM UTC — 5.57m SUSHI are transferred from @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79) to the multisig wallet (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76)

2020–09–15 04:42 AM UTC — 38,000 ETH are transferred to @SBF_Alameda (0xd57581d9e42e9032e6f60422fa619b4a4574ba79) from the multi-sig wallet (0xf73b31c07e3f8ea8f7c59ac58ed1f878708c8a76) completing the exchange.

2020–09–15 05:50 AM UTC — 39200k ETH are transferred from @SBF_Alameda to 0x9f9643c8b413b32c3a1270068487f341e5be8bfd in a series of transactions of the form (4000 ETH, 4010 ETH, 4020 ETH … 4080 ETH, 2870 ETH). Sample transaction in the series

2020–09–21 06:10:03 AM UTC — 1,000,000 SUSHI are transferred from the Multi-sig treasury account to @SBF_Alameda.


