26 million TRX stolen behind the Rashomon – Episode 2

Guide: With the investigation of the new day, more evidence has been discovered by all parties. The truth of this incident is gradually surfaced, and the degree of drama is comparable to an annual drama. At the end of the article, I also attached the wealth code of wojak. Readers who have not read the previous article, please read the first episode of this event, " Romans Gate Behind the 26 Million TRX Stolen "

Note: The information collected in the following surveys is all from the Scord channel Scam Watch, the Telegram group “TronBank Guardian Rights”, and the chat history of DappReview and related parties.

Wook reversal refund

Since the wojak appeared at 9 pm on May 3 and posted a refund comparison list, it disappeared from Discor again. During this period, many people began to label the wojak with Scammer and thought that he would not refund. It may have been on Lamborghini for a holiday, and such remarks are endless.

12 noon on May 5

Wojak appeared again, claiming that "I invested 8 hours to write tools to give everyone a refund. When I finished writing the code, I found that everyone was thinking of me as a liar, but I didn't realize that Tronbank was putting the back door pit. Your people. You would have lost all your investment. But after seeing you treat me as a liar instead of a developer, I don’t think I have any reason to return TRX to you."

This remark was refuted by everyone. Wojak insisted that what he did was not illegal, he was not a thief, he just initiated a transaction to call a smart contract and obeyed the rules of smart contracts. Since then, wojak has never said the possibility of a refund , but let everyone go to Tronbank to make a claim.

Evidence begins to point to TSC developer Khanh

12 noon on May 5

While the truth is still in the midst of a mysterious fog, a developer in the telegram (requesting anonymity) found a key piece of evidence that reversed the direction of the investigation and brought more information out of the water.

TTX5N2wxLeyWBSNE6UeaBjCFZbpa2FH6jr This address deployed a "test contract" (contract address TYZ4oPdPmwZS9xTUXhnFtQkPFFTi2iAydz) with the same back door as the TRX Pro contract on April 28, and tested the back door on April 30th.

As shown in the figure above, the TTX5N** address sends the 0.011911 TRX call with the same function in the same way, triggering the backdoor and picking up about 100 TRX that it has previously stored.

In other words, about 4 days before the stolen time (4 am on May 3), this back door and its calling method are already known. When we decompile the test contract and compare it with the TRX Pro stolen contract, it is not difficult to find:

Decompile tool:


The back door parts of these two pieces of code are exactly the same!

What's even more amazing is that the "test contract" deployment time is 5 hours and 23 minutes earlier than the formal contract deployed by the project side .

There is no doubt that the TTX5N** address must be irrelevant to this backdoor event.

And who is the owner of the address?

Open TSC's website https://tronsmartcontract.space and click on About Us

This is the address owned by TSC developer Khanh.

At this point, developers of Discord and tg groups began to sort out the contract deployment and call information of Khanh address and Tronbank developer address, and sort out the following timeline.

Amazing timeline

The above is the timeline combed in the Discord channel (both UTC time). Below we will sort out the details according to Beijing time.

4/28/2019 4:07 PM

The TronBank developer deployed the TRX Pro test contract, which did not find the backdoor by decompilation. The contract address is:


4/28/2019 5:35 PM

In just one and a half hours, the TTX5N** , owned by TSC developer Khanh, deployed the "test contract" mentioned above. There is a backdoor code in the contract. The contract address is:


4/28/2019 10:48 AM

The Tronbank developer has deployed the official version of the TRX Pro contract, which is a stolen contract with a backdoor code . The contract address is:


4/28/2019 11:00 PM

After 12 minutes, TSC developer Khanh called the official version of TRX Pro and sent 0.011011 to test the back door. The transaction record is:


4/30/2019 10:12 AM

TSC developer Khanh called his own "test contract" for the backdoor deployed at 4/28/2019 5:35 PM, triggered the back door , and took away the 100 TRX that he had charged. The transaction was recorded as:


5/3/2019 4:11 AM

Wojak called TRX Pro's official version of the contract withdraw function, the first one was transferred to 0.000123, and there is no effect, the transaction record is:


5/3/2019 4:12 AM

After 1 minute, wojak called TRX Pro's official version of the contract withdraw function, transferred to 0.011911, successfully triggered the back door, and took away the contract balance of 26.73 million TRX . The transaction record is:


Based on the above information, two facts can be summarized:

1. The test version of the contract before Tronbank went online, there is no back door, but the final online official version has a back door;

2. TSC developer Khanh deployed a contract with the same backdoor on the day of the Tronbank beta release and knew how the backdoor was invoked and tested it on April 30th. In other words, the back door is not related to the TSC.

In the communication with the Tronbank team, the developers mentioned that they were compiled using TSC. (DappReview cannot verify for the veracity of the statement)

Note: The following content is based on the possibility of existing facts, does not represent the final conclusion and the truth, please do not take it out of context when you spread again.

In the first article, " Romans Gate Behind the Twenty-six Million TRX Theft, " we mentioned three possibilities.

Possibility One: Tronbank developers placed backdoors in the actual deployment of the contract, and successfully deceived TSC to complete another code verification without backdoor.

Possibility 2: The Tronbank team colluded with the TSC team to deploy a backdoor contract, and TSC assisted in completing the verification with another contract without a back door.

Possibility 3: The Tronbank team did not place a back door in the contract, but the back door was generated in some way during the contract deployment process.

According to the updated information grasped above, the first possibility is rejected because the TSC developer is the earliest caller of the back door in the whole incident, and there is no uninformed deception, and the probability of the third possibility is extremely high. The earth has increased.

TSC integrates a one-stop service for compiling, deploying, and verifying. In theory, if developers use TSC to compile and deploy, it is possible to increase the backdoor code during the period.

On the day of the incident, on May 3, Discord asked why the TRX Pro's actual running code was inconsistent with the verification code. Khank's response was as follows:

Response at 7:22 am: I just got up and heard the news, let me scan all (code)

Respond at 9:18 pm: Sorry, I don't know why they passed my code (verification)

On May 5, when Khank’s address was deployed on the back door and the evidence was called, Khanh’s response was as follows:

Mr Fahrenheit: How do you explain that your address has been called for another contract that can trigger a backdoor transaction?

Khanh: My private key is leaked, and the password for github is also leaked.

This response is obviously too pale. On the one hand, people questioned why the official website still hangs this address if the private key is leaked. On the other hand, there are 28,052 TRX (worth about 4400RMB) in the address that has not been transferred.

At this point, based on the existing information, objective analysis, the possibility of existence (note that only the possibility is discussed here, even if the possibility is extremely low, the truth does not currently have any real hammer evidence) are still the following:

Possibility 1: The Tronbank team colluded with the TSC team to deploy a backdoor contract, and TSC assisted in completing the verification with another contract without a back door.

Possibility 2: The Tronbank team did not place a back door in the contract, but the back door was generated in some way during the contract deployment process.

Of the above two possibilities, the current evidence is biased towards the second possibility. The Tronbank team is currently communicating with Khanh several times and posting some of the dialogue screenshots. The Tronbank team insisted that no backdoors were placed. It is the culprit that points to the TSC to really place the back door. Although there is no definitive evidence that the back door was placed by Khanh, TSC and Khanh themselves and the back door have been unable to get rid of it.

Possibility 3: Khanh's github account was stolen, the address private key was leaked, and there was another person behind the scenes.

In this regard, according to the existing evidence, the possibility is low, Khanh's response is vague, and there is no evidence of account theft (such as github-related mailboxes suggesting unsafe login, password modification, etc.)

At this point, the final puzzle has not been solved yet.

This annual drama has not yet come to an end

More evidence remains to be discovered

Wojak's wealth password

Throughout the incident, the magical trade of wojak is still the topic that has been talked about in the masses of this event. What kind of tricks can the auto-executable code find the back door and trigger the back door?

In the dialogue between DappReview and wojak, the answer is given:

Wojak was inspired by a paper in August 2018, "TEETHER: Gnawing at Ethereum to Automatically Exploit Smart Contracts"

What does the paper mainly talk about?

  • Based on the underlying EVM instructions, a general definition of a smart contract with vulnerabilities is proposed;
  • The TEETHER tool is proposed, which can automatically identify the vulnerability of the smart contract bytecode and generate the corresponding exploit code.
  • A large-scale vulnerability analysis was conducted on 38,757 smart contracts deployed in the Ethereum blockchain. The TEETHER tool discovered vulnerabilities in 815 contracts and the entire process was fully automated.

In an inappropriate but popular metaphor: the TEETHER tool is an ATM machine that automatically finds vulnerabilities and withdraws money from smart contracts.

What did wojak do based on this article?

1. Adapt the TEETHER tool to the wave field virtual machine

2. Collect all smart contracts on the wave field

3. Perform TEETHER tools on all contracts for analysis

4. Find possible arbitrage opportunities, such as buying a Token from Contract A at the price of X and then selling it at Contract Y at Y (Y is greater than X). The entire process is automated and legal.

5. The tool will generate a list of transactions that may generate revenue

6. The script automatically executes and starts these transactions

In essence, that magical transaction is triggered automatically, even he does not know what happened. As for whether the behavior of wojak itself can be defined as "hacking" or "illegal", we will not delve into it here.

Interested in studying this "wealth password" please see:


As of press time, Tronbank has announced the completion of the collection of investment data on the chain, after the completion of the statistics will be issued according to the original plan to pay TRX. In addition, TSC developer Khanh has closed personal Twitter and Facebook.

Source: DappReview