The Heist - Daily Ticket Abuse

    The daily ticket system of The Heist has been abused by a user that calls himself 'Ticketswhale🐋'. I've reached out to the team and action was taken. I'll clarify the different elements of my research in the dashboard below👇



    The 'Find Daily Ticket Farmers' table displays each 'The Heist' NFT and the number of unique wallets it has ever been held in, sorted by the number of wallets.

    It's a simple way to track the extreme outliers.

    As we can see in the table, there are a few of those.

    The beginning
    The setup

    Daily Moves

    When we track the daily moves of the first NFT (3grhirUkasWtitXBy5M1Ud2mzN6SZyozKLFDpc1Jamxd), we can see that the owner started automated testing on Aug 22 and intensified the process on a daily basis.

    The process eventually ended up with over 2,000 wallets that were farming raffle tickets on a daily basis, rotating between the same set of wallets.

    The second wallet

    Looking at the daily activity of the second NFT (A7QZ21PKP5oamGzFi7J5Fi9CWnK2TzjY54pxyiLLAenR), we can see strong resemblances to the first case but without the buildup process.

    This seems like a perfect copy of the first case. Greed in action.

    The third wallet

    The setup is structurally different from the previous cases.

    No daily repetitive pattern. But then why would this NFT be moved 1,000 times in a single day?

    Perhaps this was another trial, after which its owner decided it was too obvious and obscured the activity? This needs extra investigation.
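
    The outlier table and the three daily-move patterns above can be reproduced from a plain transfer list. The sketch below is an added example, not the dashboard's own query: the rows are constructed, and the mint names, the `min_wallets` cutoff and the 0.8 reuse threshold are assumptions.

```python
from collections import defaultdict

def sample_transfers():
    """Constructed (nft_mint, receiving_wallet, day_index) rows; not real chain data."""
    rows = [("MINT_NORMAL", "holder_a", 1), ("MINT_NORMAL", "holder_b", 3)]
    # Farming pattern: the wallet set grows, then the same wallets are reused daily.
    for day in range(1, 5):
        rows += [("MINT_FARM", f"farm_{w}", day) for w in range(2 * day)]
    # Burst pattern: many fresh wallets on a single day, nothing afterwards.
    rows += [("MINT_BURST", f"burst_{w}", 2) for w in range(10)]
    return rows

def classify(by_day, min_wallets):
    """Label one NFT from {day: set(wallets)}; min_wallets is an assumed cutoff."""
    if len(set().union(*by_day.values())) < min_wallets:
        return "normal"
    ordered = [by_day[d] for d in sorted(by_day)]
    if len(ordered) == 1:
        return "single-day-burst"
    # Share of the previous active day's wallets that show up again the next day.
    reuse = [len(a & b) / len(a) for a, b in zip(ordered, ordered[1:])]
    # 0.8 is an assumed threshold for "rotating between the same set of wallets".
    return "daily-rotation" if sum(reuse) / len(reuse) >= 0.8 else "irregular"

def rank_outliers(transfers, min_wallets=5):
    """Return (mint, unique_wallets, label) sorted by unique wallets, descending."""
    days = defaultdict(lambda: defaultdict(set))
    for mint, wallet, day in transfers:
        days[mint][day].add(wallet)
    report = [
        (mint, len(set().union(*by_day.values())), classify(by_day, min_wallets))
        for mint, by_day in days.items()
    ]
    return sorted(report, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for mint, unique, label in rank_outliers(sample_transfers()):
        print(f"{mint:12} wallets={unique:3} {label}")
```

    Measuring reuse against the previous day's wallets keeps a buildup phase, like the one seen for the first NFT, classified as rotation rather than as irregular activity.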

    The culprit
    The Result

    Total Impact

    Looking at all the COCO withdrawals made by all wallets owned by TicketsWhale, we can conclude that he/she has withdrawn at least 6.4M COCO from the game.

    If any funds were sent, in-game, to wallets that weren't involved in the daily ticket claim, this number might be even higher.

    Purely based on on-chain data, it's not possible to determine if this individual participated in any raffles using the acquired funds.

    How deep did the abuse run?

    The impact seems to be relatively limited but shows that the daily ticket claim system is in need of some serious changes/extra restrictions.

    When money is involved, people will always try to game the system, which isn't in agreement with the code of conduct set by The Heist.

    This is another call for bringing as much data as possible on-chain to help increase the transparency of any web3 project.

    When I have more time at hand, I'll try to see if there's a chance to find other, less impactful actors playing the same ticketing claim game.