Inside Job? Wallet That Caused the UST Attack Suspected to Belong to Terraform Labs (Report)

Terraform Labs grabbed the attention of the entire crypto community last month when its two native digital assets deteriorated in days, leaving only a failed restarted project. However, a recent investigation completed by security company Uppsala Security indicated that the wallet behind the attack is connected and managed by Terra itself.

• Last month, Terra’s algorithmic stablecoin (UST) lost its peg (supposed to be redeemable 1:1 with the dollar) and allowed investors to profit by arbitraging it against LUNA. In a matter of days, the prices of both assets plummeted to pennies, and this downfall caused a market-wide panic and sell-off.
• New information continues to emerge frequently regarding what precisely transpired. Most recently, the US and South Korea launched investigations, and numerous watchdogs have outlined plans to incorporate regulations on the industry and stablecoins in particular.
• The first part of the investigation by Uppsala Security shows one address that has been implicated as being responsible for the initial run against UST and its de-pegging.
• The company labeled it “Wallet A” and determined that it could be “owned or controlled by Terraform Labs (TFL) or Luna Foundation Guard (LFG) themselves, or their related parties.”
• The investigation showed several accounts that were somehow involved in what transpired, all linked, including some on Binance and Coinbase, as well as how they transferred UST, USDC, and USDT between each other.

• The first act that triggered the de-pegging occurred when a “wallet associated with TFL removed approximately 150m of UST liquidity from Curve pool.” Later, Wallet A swapped 85m of the algorithmic stablecoin for USDC in the same Curve pool and transferred the new funds to a Coinbase user address, which is hard to follow without the exchange revealing user information.
• Instead, Uppsala Security’s data shows that Wallet A’s funds on the Ethereum mainnet came from the Terra mainnet via the Wormhole. The related wallet on Terra was identified as “terra1yl” (Wallet A(T)).
• Wallet A(T) was depositing UST into a specific Binance account linked to a destination Memo: 104721486. It started receiving UST earlier this year and had obtained almost 124 million UST by May 25, most of which came from Wallet A(T).

“Wallet A(T) deposited a total amount of 108,251,326 UST into Memo: 104721486 on 2022–05–07 alone, the day when the de-pegging of UST began. Total of 10 incoming transactions were made into Memo: 104721486 leading up to 2022–05–07 21:44 UTC, when TFL first removed 150m of UST liquidity from Curve pool, which raises the possibility that Wallet A(T) and Memo: 104721486 may have been aware of the upcoming UST liquidity removal.”

• The first address that transferred UST to Memo: 104721486 was identified as a wallet controlled by LUNC DAO due to a tweet from the team. This address (terra13s) had previously sent 19M LUNA to another one (terra17p), which had transferred 100M LUNA to (terra1gr) – wallet operated by LFG as confirmed.
• Another user wallet on Binance (Memo: 100055002) had received 2,665,579,215 UST until May, and terra13s, as well as terra1t0, were the first and early depositors. The second picture shows more of the connection between all addresses. Commenting on the findings, Uppsala Security CEO – Kim Hyung-woo said:

“As a result of analyzing various on-chain data about the Terra incident, it was confirmed that not only Wallet A but also the wallet connected to it were managed by Terraform Labs and related companies. As it appears to be, there is a need for regulators to investigate related exchanges such as Binance.”