Gladius Network Fraud (Pt. 7a)

BY INVESTIGATION.HASH.FAIL

From this point, ‘Address Statistics’ of 0x197f48540296b76cabe1b7c27f35767338084e03 were observed on Bloxy (see here).

Specifically, the following metrics were obtained:

  • Currencies sent, transactions by month

  • Currencies Received by Address

  • Currencies Sent By Address

  • Function Calls by Address

  • Smart Contract Calls (Count by Month)

  • Contract Calls by Address*

  • References to the 0x197f48540296b76cabe1b7c27f35767338084e03 address by months

  • Smart Contracts Referenced in Event/Function Calls

  • All regular transactions related to 0x197f48540296b76cabe1b7c27f35767338084e03

  • All smart contract (token/ERC20) related transactions involving 0x197f48540296b76cabe1b7c27f35767338084e03

Below is an embedded airtable that compiles all of these metrics for the sake of saving space.

Data for the table above was aggregated from both Etherscan and Bloxy with reference information gleaned from a number of cited sources of documentation on Solidity and smart contract execution/creation/function that should answer relevant questions.

Connections to the 0x197f48540296b76cabe1b7c27f35767338084e03 Address

A simple way to find out this information is to trace all of the transactions in which this address created a smart contract.

Below is a list of smart contract addresses created by 0x197 :

  1. 0xf96aeb3cbe23fa29ddde0759eed5061342064031

  2. 0x57bfffd48366f78e787e167419c8c05cdb849ede (labeled Gladius: Token Sale; created on October 14th, 2017)

  3. 0x6b48744123363fbe8ed94b6b1c8d608c2a147ffb (Created 11/5; Error Warning on Etherscan indicating gas ran out during contract creation attempt — resulted in a failed attempt)

  4. 0x71d01db8d6a2fbea7f8d434599c237980c234e4c (Primary Gladius Token Contract; Created on November 5th, 2017)

In addition, it appears that this address received transactions from:

Analyzing the addresses above yields a number of wide-ranging conclusions. However, rather than listing them all, this report will continue by first looking at the general crowdsale address (where funds were collected) for Gladius Network.

That address can be found here: 0xaaf4281fd8142dc3263b3303b0a6f62d00b2d07e (notably this was the last address created after the Gladius Token address was created on November 5th).

Analyzing the Gladius Network Crowdsale

Let’s take a look at the contract below:

https://bloxy.info/address/0xaaf4281fd8142dc3263b3303b0a6f62d00b2d07e

In the picture above, there is a ‘beneficiary address’ attached to the crowdsale — which provides yet another lead and addition to the 17 addresses identified above (excluding Gemini) that were created by Gladius Network.

Specifically, the “beneficiary address” = 0x38fe864dcb9cb039c7f3d0adc0a7efeb9c864cd9

Notably, this beneficiary address is a multisig smart contract address that was originally created by 0xc19fd2748a4d5d7906a3fb731ff6186fe526cc28 (yet another address that was not listed above).

It is worth noting that the beneficiary address was not officially added as a beneficiary until April 23rd, 2018, several months after the Gladius Network crowdsale address was implemented.

Going Back to the GLA Crowdsale Address

Given the fact that smart contract addresses already identified as being affiliated with Gladius Network were created before November 5th, 2017, it is worth sifting through publicly available information online to see when the crowdsale actually took place and, if there was more than one, how many took place.

Given the fact that there were a host of smart contract addresses created between October 13th-15th, 2017, before another batch was released on November 5th, 2017, it appears highly likely that there was a private sale/presale before the ‘official’ ICO was launched.

In searching for corroborating information, a few noteworthy excerpts were found that confirm this hypothesis.

Specifically, a number of social media posts from Gladius Network’s own Twitter profile corroborate that there was a ‘pre-sale’:

Gladius Network@gladiusIO

Public Pre-sale is still going. We need your support.

Join: https://gladius.io/join-ico Whitepaper: https://gladius.io/pdf/gladius-whitepaper.pdf …#ICO #Token #TokenSale #Blcockchain #Cryptocurrency #Bitcoin #Ethereum

4:00 PM - Dec 2, 2017

Source: https://twitter.com/gladiusio/status/937048737930657793

What’s also notable is that the post above states that the public pre-sale was still active. This distinction raises the question of whether there was a private pre-sale.

That question can be answered via further smart contract analysis as well as additional online investigation.

With regards to the latter technique of online investigation, a cursory search reveals the following tweet by Gladius Network indicating that there was a pre-sale before the public sale:

Gladius Network@gladiusIO

🔔 Private Presale Extended Till Nov. 23 🔔 NEW Public Presale Nov. 24th with awesome rates! 🔔 https://medium.com/@gladiusio/gladius-presale-has-been-extended-new-public-presale-coming-soon-and-more-50cc657d8d90 …

Gladius Presale Has Been Extended, New Public Presale Coming Soon, and more!

Hello everyone in the Gladius community! We have a few important updates to share about our token sale.

medium.com

6:20 PM - Oct 31, 2017

https://twitter.com/gladiusio/status/925487578052222976

Even more information about the private pre-sale can be found in the following post on the Gladius Network ANN thread (from bitcointalk.org):

https://bitcointalk.org/index.php?topic=2217711.175

The post above was submitted on October 31st, 2017 and it states:

“We have decided to prolong the current funding period, the private presale, by 23 days until November 23rd for a number of reasons”

Surprisingly, even the Medium article by Gladius Network regarding the private sale (which was also posted on October 31st, 2017) is still active at the time of writing and can be found here.

Below are some screenshots from the article:

With the above in mind, the next part in this segment will feature us returning to Bloxy to see what information we can glean from Gladius Network’s ‘private presale’.

As noted before, the contract that is currently being examined was created on November 5th, 2017.

Above, we can see that this contract address received 20,237 Ethereum via 1,556 contributions to this address. The other entries are irrelevant.

In addition, on the right side of the page, the ‘whitelist’ option is boxed in red to show that the number of addresses that were whitelisted matches those that contributed to the private pre-sale.

Thus, it can be said with near certainty that these 1,556 addresses are contributors to the Gladius Network ICO.

Upon clicking the link we arrive at this page:

At this point, the most useful tool for analysis would be the website, ‘Etherscan’, because it allows for a CSV download with corresponding prices at the time of transfer.

Etherscan will allow us to retrieve the following information:

  • Total Ethereum collected by Gladius Network at this crowdsale address

  • Value of Ethereum at the time of transfer

  • Value of the Gladius Network token at all stages of the sale [private presale/public presale/public sale(?)]

  • An aggregate list of all wallets that contributed to the contract address

And several additional metrics if so desired.

Before doing so, further analysis on the contract itself must be conducted.

The smart contract address reviewed above can be found here on Etherscan.

At the beginning of the transaction history, this can be seen:

Source: https://etherscan.io/txs?a=0xaaf4281fd8142dc3263b3303b0a6f62d00b2d07e&p=61

The Ether values are ‘0’ because various functions are being called. As Bloxy recorded, the smart contract that was reviewed prior was created on November 5th, 2017.

These transactions are as follows (oldest to most recent):

  1. Establishing smart contract crowdfund parameters [Function: setup(uint256 _start, address _token, uint256 _tokenDenominator, uint256 _percentageDenominator, uint256 _minAmountPresale, uint256 _maxAmountPresale, uint256 _minAcceptedAmountPresale, uint256 _minAmount, uint256 _maxAmount, uint256 _minAcceptedAmount)]

  2. Establishing various distribution and lock-up periods [Function: setupPhases(uint256 _baseRate, uint256[] _phaseRates, uint256[] _phasePeriods, uint256[] _phaseBonusLockupPeriods, bool[] _phaseUsesVolumeMultiplier)]

  3. Establishing payout periods for various stakeholders [Function: setupStakeholders(address[] _stakeholders, uint256[] _stakeholderEthPercentages, uint256[] _stakeholderTokenPercentages, bool[] _stakeholderTokenPayoutOverwriteReleaseDates, uint256[] _stakeholderTokenPayoutFixedReleaseDates, uint256[] _stakeholderTokenPayoutPercentages, uint256[] _stakeholderTokenPayoutVestingPeriods)]

  4. Establishing the whitelist for the crowdsale [Function: setupWhitelist(address _whitelist)]

The fifth transaction (after the smart contract TX) is perhaps the most interesting one because it ties in three wallet addresses that were previously unidentified up to this point.

Source: https://etherscan.io/tx/0x762fa58344c0b32f5c6f97c78e6975a960b7766037cc3e8958ca2cd99a6762ae

In order to ‘decode’ what functions were called in the above-listed transaction, the ‘state changes’ must be viewed on EtherScan:

https://etherscan.io/tx/0x762fa58344c0b32f5c6f97c78e6975a960b7766037cc3e8958ca2cd99a6762ae#statechange

From there, it can be observed that there are three separate ‘storage’ addresses that were designated for the primary Gladius Network contract.

In layman’s terms, this means that three additional smart contracts were created in this contract.

The addresses of each are shown below:

https://etherscan.io/tx/0x762fa58344c0b32f5c6f97c78e6975a960b7766037cc3e8958ca2cd99a6762ae#statechange

The addresses are:

These addresses have already been identified in the list of smart contracts created by Gladius Network in the prior section. However, their purpose as it relates to the ‘bigger picture’ of the Gladius Network system and token sale has not been analyzed thus far.

Analyzing the Addresses Above

A search of the first address on Etherscan leads to this page:

https://etherscan.io/address/0x1a0987a5c068ec6ce645bb897d8de4c82281deae

Some relevant details about this wallet address:

  • Etherscan shows 6,891 TX (all kinds) for this address.

  • The last TX was on January 23rd, 2018 (first transaction was on October 14th, 2017, which established this address as a smart contract).

  • The address that created this contract is the same address that created the Gladius crowdsale contract.

Brief Analysis of the Contract Itself

Below is a screenshot of the page on Etherscan that contains the actual code for the contract:

https://etherscan.io/address/0x1a0987a5c068ec6ce645bb897d8de4c82281deae#code

As can be seen in the photo above, the address currently being examined was established to whitelist participants.

The source code for this address can be found here (Zerononcense uploaded this): https://pastebin.com/6LzpQFCf ; however, the features on Etherscan’s website ease the burden of analysis significantly.

There is nothing remarkable about the contract, but for those that are curious, a code audit can be found here: https://tool.smartdec.net/scan/f09ee57a95ff408ebcbcea7f422557c2

Given what was dissected above, which outlined the primary purpose of contract 0x1a0987a5c068ec6ce645bb897d8de4c82281deae as a means of whitelisting contributors for the Gladius crowdsale contract, the expectation is that all of the transactions related to 0x1a0987a5c068ec6ce645bb897d8de4c82281deae are function calls that add addresses to the whitelist.

By reviewing the contract’s details on Bloxy, the following can be seen:

There is a notable discrepancy between the number of addresses that were whitelisted for the crowdsale through the 0x1a0987a5c068ec6ce645bb897d8de4c82281deae contract address set up by Gladius and the accounts that were ultimately added to the Gladius crowdsale.

Further inspection shows that, out of the 6,883 total addresses that were added to the whitelist contract, 1,585 were authenticated.

Another point of interest is the ownership being transferred three times, as seen below:

https://bloxy.info/txs/calls_sc/0x1a0987a5c068ec6ce645bb897d8de4c82281deae?signature_id=139

The three ownership addresses are (in order):

  1. 0x197f48540296b76cabe1b7c27f35767338084e03 (Master Address for Gladius)

  2. 0xc19fd2748a4d5d7906a3fb731ff6186fe526cc28 (Ownership Address 2)

  3. 0x96ae477ad5b02921846c201403e3a300f5084423 (Ownership Address 3)

As noted before, the first address listed above is the original creator of the Gladius crowdsale contract as well as the whitelisting contract. This address has been dubbed as ‘Master Address for Gladius’ for simplicity’s sake.

The latter two addresses have yet to be unearthed in this ICO crowdsale analysis, save for the fact that 0xc19 (second address) was mentioned as the creator of the beneficiary address (0x38fe864dcb9cb039c7f3d0adc0a7efeb9c864cd9).

For the sake of semantics and clarity, they have been labeled, ‘Ownership Address 2’ and ‘Ownership Address 3’.

Ownership Address 2 (0xc19fd2748a4d5d7906a3fb731ff6186fe526cc28)

Below is a snapshot of the wallet address at the time of writing on Etherscan:

importPresaleContribution Function

In analyzing the second ownership address for Gladius, a very unique function was discovered, called the ‘importPresaleContribution’ function.

According to Bloxy, this function has only been called 27 times among all Ethereum smart contracts ever created, and each of those times was in relation to the Gladius Network Token Contract(s).

https://bloxy.info/functions/d01ec886

Worthy of note is the block at the bottom of the page on the image directly above that has the header, ‘_Top contributor arguments for importPresaleContribution’.

In total, this function was called 26 of the 27 times by Ownership Address 2. This is important to note because a highly obfuscated and confusing distribution of tokens stems from the use of this unique function.

Below is a picture of the first time that Ownership Address #2 called the function ‘importPresaleContribution’:

https://bloxy.info/tx/0x1e18580bcd5ec454dadd5be9fef9e16502fe360187a8014f29bc1be5b476ba13

Deconstructing the Function Call

In order to get a better idea of what is going on when this function was called by Ownership Address 2, the diagram posted above will be stripped to its ‘bare bones’, in an attempt to reverse engineer what’s going on.

Specifically, on Bloxy, this will be done by unticking the ‘Smart Contract Calls’ and ‘References’ options directly above the graph.

See below:

Above, a transfer of 17,000 $GLA tokens can be seen going to 0x197 (Gladius Master Address) via the primary Gladius Token Contract ($GLA).

From here, the ‘smart contract calls’ filter will be applied:

In the picture above, we can see that:

  • 0xc19fd (Ownership Address #2) initiates the transaction with the call to ‘GLA Crowdsale’ (0xaaf4281fd8142dc3263b3303b0a6f62d00b2d07e). Since there are two smart contracts (identified via gear icons in the picture above), this address will be called ‘GLA Crowdsale #1’.

  • After this action takes place, there are two events that transpire on the blockchain in accordance with the instructions given by 0xc19 (Ownership Address #2) to 0xaaf (GLA Crowdsale #1).

  • Those two events involve the transfer of funds (17k $GLA) [Event #1] to the Gladius Token Contract (0x71d), followed by 17k $GLA traveling from the Gladius Token Contract (0x71d) to 0x197 (Gladius Master Contract)

It should be noted that the only legitimate Gladius Network Token (i.e., the only redeemable version of Gladius Network on publicly traded networks) is 0x71d01db8d6a2fbea7f8d434599c237980c234e4c.

On the chart above, there is another iteration of the Gladius Network Token contract that is also involved in the sale that has the address: 0x4632d1c31c5d9e28e84eae0173b3afc9aca81ac8

As noted before, address 0x4632, known as the Gladius Token Address (below), was also created by the Gladius Network Master Address.

In addition, there is an alternate GLACrowdsale, TokenSale address listed on the chart below as well.

Below is a diagram of the same transaction outlined above, except with references attached to it as well:

As can be seen above, the transaction path becomes extremely obfuscated.

In order to gather more information about the distribution of funds in this token sale, the website, ‘aleth.io’ will be consulted.

When plugging in this particular transaction in aleth.io, we can view the following:

https://aleth.io/tx/0x1e18580bcd5ec454dadd5be9fef9e16502fe360187a8014f29bc1be5b476ba13

What is most relevant are the contract messages, token transfers, and log entries (as well as the graphs option, which will also be viewed and analyzed).

Below are the Contract Messages:

In the picture above, we can see that 0xaaf (Original GLA Crowdsale Address) was responsible for making calls to:

  • 0x4632d1c31c5d9e28e84eae0173b3afc9aca81ac8 (Alternate Gladius Token)

  • 0x57bfffd48366f78e787e167419c8c05cdb849ede (Alternate GLA Crowdsale Smart Contract)

  • 0x71d01db8d6a2fbea7f8d434599c237980c234e4c (Gladius Token)

The log entries show the following:

As can be seen above, there are two different token transfers that occur in this transaction.

One of those token transfers is to the 0x197f address (Gladius Master Contract owner) and the other is to 0x71d0, which is the Gladius Token Address.

The only other entity that could be transferring tokens to the 0x71d0 address would be the pseudo-Gladius Token Address (0x463) contract address depicted above.

However, the tokens aren’t being transferred from the prior contract. Instead, the function ‘balanceOf(who)’ was called in order to ascertain how many tokens had been distributed from the prior iteration of the Gladius Token Sale contract (0x463) to pre-sale purchasers.

Thus, it appears that the former Gladius Token Contract (0x463) was used as a place marker for the eventual Gladius Token Contract.

Tracking All Recipients of the ‘importPresaleContribution’ Function

To map out the flow of token transfers in a more concise manner, Zerononcense has created a table that contains the following information from the function ‘importPresaleContribution’ with regards to token transfers initiated by 0xc19fd:

Breaking Down Funds Actually Earned By Gladius

The reason for the extensive analysis into Gladius Network’s wallets, provided above, was to get to the heart of the question, ‘How much did Gladius Network truly raise in their ICO?’

According to the SEC (and many other public sources), Gladius Network raised a total of approximately $12.5 million in their token sale.

However, further investigation into the wallets owned by Gladius Network yields a slightly different total.

Below is a list of smart contract addresses created by 0x197 :

  1. 0xf96aeb3cbe23fa29ddde0759eed5061342064031 (no funds)

  2. 0x57bfffd48366f78e787e167419c8c05cdb849ede (labeled Gladius: Token Sale; created on October 14th, 2017)

  3. 0x6b48744123363fbe8ed94b6b1c8d608c2a147ffb (Created 11/5; Error Warning on Etherscan indicating gas ran out during contract creation attempt — resulted in a failed attempt)

  4. 0x71d01db8d6a2fbea7f8d434599c237980c234e4c (Primary Gladius Token Contract; Created on November 5th, 2017)

While the list above is formidable, as are the time and analysis required to answer the question of how much was raised (in Ethereum) by Gladius Network during their numerous sale phases (private presale/public presale/public sale), we will start with the first contracts that were formed by Gladius.

[Warning: The Following Section is Incomplete!!!]

Preliminary analysis shows that, between the tokens and

Analyzing the Gladius Network Master Token Address (0x197f48540296b76cabe1b7c27f35767338084e03)

Below are the internal transactions going from this wallet address:

#1 — Analyzing Funds Going to the Pre-Sale Gladius Token Contract (0x57bfffd48366f78e787e167419c8c05cdb849ede)

Going back to the Presale Gladius Token Contract, we can see below that it received 3,740.67 Ethereum (internal transactions):

https://etherscan.io/address/0x57bfffd48366f78e787e167419c8c05cdb849ede#internaltx

The transactions above that are circled in blue will not be credited as outgoing from this address because they are being sent to another address that is already on the list of wallet addresses provided above. This is being done specifically to avoid double counting any transactions.
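The double-counting rule above, combined with the per-transfer metrics that the Etherscan CSV export was said to provide (Ether collected, value at the time of transfer, contributing wallets), can be applied mechanically. The following is an added example, not part of the original report: the rows, the `fake()` contributor addresses, the simplified column names and the rule that a non-empty Status marks a failed transaction are all assumptions made for illustration.

```python
import csv
import io
from decimal import Decimal

# Addresses this report attributes to Gladius Network.
MASTER = "0x197f48540296b76cabe1b7c27f35767338084e03"
PRESALE = "0x57bfffd48366f78e787e167419c8c05cdb849ede"
CROWDSALE = "0xaaf4281fd8142dc3263b3303b0a6f62d00b2d07e"
BENEFICIARY = "0x38fe864dcb9cb039c7f3d0adc0a7efeb9c864cd9"
CLUSTER = {MASTER, PRESALE, CROWDSALE, BENEFICIARY}

def fake(n):
    """Constructed placeholder contributor address, not a real wallet."""
    return "0x" + f"{n:02x}" * 20

# Constructed rows. Column names are an assumed, simplified export layout.
SAMPLE_CSV = "\n".join([
    '"From","To","Value(ETH)","Historical $Price/Eth","Status"',
    f'"{fake(1)}","{CROWDSALE}","10","300.00",""',
    f'"{fake(2)}","{CROWDSALE}","5.5","310.00",""',
    f'"{fake(1)}","{CROWDSALE}","2","320.00",""',           # repeat contributor
    f'"{fake(3)}","{CROWDSALE}","7","305.00","Error(0)"',   # failed transaction
    f'"{PRESALE}","{BENEFICIARY}","100","300.00",""',       # intra-cluster move
    f'"{CROWDSALE}","{BENEFICIARY}","15","330.00",""',      # intra-cluster move
    f'"{BENEFICIARY}","{fake(4)}","3","340.00",""',         # outflow, not a raise
])

def tally_external_inflow(csv_text, cluster=CLUSTER):
    """Sum Ether entering the cluster from outside it, valued at transfer time."""
    cluster = {a.lower() for a in cluster}
    total_eth = total_usd = Decimal(0)
    contributors, internal, failed = set(), 0, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["From"].lower(), row["To"].lower()
        if dst not in cluster:
            continue                 # money leaving the cluster is not a contribution
        if row["Status"].strip():
            failed += 1              # reverted transfers moved no Ether
            continue
        if src in cluster:
            internal += 1            # already counted when it first entered the cluster
            continue
        eth = Decimal(row["Value(ETH)"])
        total_eth += eth
        total_usd += eth * Decimal(row["Historical $Price/Eth"])
        contributors.add(src)
    return {"total_eth": total_eth, "total_usd": total_usd,
            "contributors": contributors,
            "internal_skipped": internal, "failed_skipped": failed}
```

On the constructed rows this credits 17.5 ETH from two distinct contributors and leaves out the two transfers between project addresses, which is the same exclusion applied to the transactions circled in blue.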

Apart from the other outgoing transactions going to 0x38f and 0x197, it appears that the 0x201f2 smart contract address has been used to receive funds from 0x57 in addition to several others.

Thus, it has been added to the list of wallets to analyze.

In total, the 0x57 address received

One very unique function that was encountered while breaking down the Gladius Token can be found here: https://bloxy.info/tx/0x33256753d047898ec9be286cfc40d11dea4ad8f28554c2d08d672dbc72b03b6f

The function is called ‘importPresaleContribution’ and 0xc19fd2748a4d5d7906a3fb731ff6186fe526cc28 (address) was used to call the function.

That address also belongs to Gladius. Specifically, 0xc19fd2748a4d5d7906a3fb731ff6186fe526cc28 is the second address that received ownership of Gladius’ whitelisting address (0x1a0987a5c068ec6ce645bb897d8de4c82281deae).