On-Chain Forensic Audit

Mission 70

NNS Proposal #140538 · February 28, 2026
All data pulled from canister bzchk-oyaaa-aaaae-ae4eq-cai

⚠ Executive Summary

76% of ICP withdrawn (115.8 of 152.5 ICP) and 80% of votes (1,168 of 1,522) originated from sybil farms funneling to 27 wallets. The top wallet controlled 100 fake principals and extracted 20 ICP.

01 — Platform Metrics

1,522

Total Votes

2,435

Page Views

1,454

Withdrawals

152.5

ICP Withdrawn

313

Unique Wallets

14.4h

Vote Window

0.01

Final Payout (ICP)

Treasury Remaining

Payout started at 0.15 ICP/vote, reduced to 0.01 as treasury depleted. 95.5% of voters withdrew — consistent with bot farming.

02 — Vote Breakdown

1,027

Dom (67.5%)

495

Snassy (32.5%)

105.8

Avg Votes / Hour

378

Peak Votes / Hour

Feb 27, 2026 — 00:26 to 14:49 UTC. Contract enforced 1 vote per principal. No double voting possible.

03 — Hourly Distribution

Hour	Votes	Dom	Snassy
00:00	5	3	2
01:00	16	11	5
02:00	84	39	45
03:00	68	35	33
04:00	15	11	4
05:00	53	21	32
06:00	71	52	19
07:00	126	115	11
08:00	208	168	40
09:00	245	159	86
10:00 🚨	378	246	132
11:00	237	155	82
12:00	6	4	2
13:00	3	2	1
14:00	7	6	1

86% of all votes landed in a 5-hour window (07:00–11:59 UTC). The 10:00 hour alone — 378 votes, 24.8% of the total — marks the bot farm's peak operating window.

04 — Withdrawals

Amount Breakdown

Amount	Count	%	Total ICP
0.2 ICP	1,388	95.5%	277.6
0.5 ICP	54	3.7%	27.0
0.01 ICP	12	0.8%	0.12

Destination Analysis

Sybil wallets: 27 destinations
1,168 withdrawals (80.3%) → ~115.8 ICP (76%)

Legitimate: 286 destinations
286 withdrawals (19.7%) → ~36.7 ICP (24%)

05 — Top Sybil Wallets

#	Destination	Fake Voters	ICP Drained
1	eu2ey-qbmck-ojxvf-ba...tae	100	20.0
2	ptxh5-rxa6z-ij4hr-uu...mae	68	13.6
3	3k33o-vtzmp-nqxlk-ax...6qe	62	12.0
4	xatny-4jnrt-xbgdb-tp...6qe	54	10.8
5	k4a3n-an4te-lpwag-jb...jqe	47	9.4
6	ibejy-yuclw-73bav-f7...vae	43	8.6
7	stt3n-z3yd5-vpcqo-uz...nqe	37	7.4
8	l5r3v-nx5ik-hrn7o-n2...bae	30	6.0
9	6ufgq-m74qb-xwpu7-lq...5qe	27	5.4
10	q6har-zaqy2-lg3ie-ms...zqe	25	5.0
11	ozlqg-kjy7r-l63ms-z5...4ae	24	4.8
12	njfun-bzm6s-pf5du-zy...cae	21	4.2
13–27	15 additional wallets	60	8.6

06 — Sybil Vote Direction

820

Sybil → Dom

348

Sybil → Snassy

Outcome Without Sybils

Scenario	Votes	Dom	Snassy	Dom %
All votes (raw)	1,522	1,027	495	67.5%
Sybil only	1,168	820	348	70.2%
Legitimate (est.)	354	207	147	58.5%

Dom still wins 58.5% to 41.5% among legitimate voters. Sybils amplified the margin but did not change the winner. The primary goal was extracting ICP from the treasury, not influencing the outcome.

07 — Temporal Attack Patterns

124

Sub-Second Pairs

210

Rapid Pairs (<2s)

Burst Windows

12/min

Peak Rate

124 sub-second pairs — two principals voting within <1s. No human can create a wallet, connect, and vote that fast.
33 burst windows — 10+ votes within 60 seconds, concentrated 10:00–11:30 UTC.
Peak sustained rate: 10–12 votes/min during 10:43–11:30 UTC.

08 — Vulnerabilities

Vulnerability	Severity	Impact
No identity verification (II)	CRITICAL	Unlimited free principals
No account age requirement	CRITICAL	Instant bot voting
No stake requirement	CRITICAL	Zero cost sybil creation
Direct ICP payout per vote	HIGH	Financial incentive to farm
No withdrawal destination limits	HIGH	Rewards funnel to one wallet
No rate limiting	HIGH	12 votes/min unthrottled

Attack economics: Cost to attacker: ~0 ICP. Revenue: ~115.8 ICP. Near-infinite ROI — the only cost was compute time to run the script.

09 — Prevention Framework

Tier	Defense	Blocks
1	Account age gate (30+ days), rate limit, withdrawal cooldown	Fresh bot accounts, rapid scripts
2	Internet Identity verification (1 human = 1 vote)	Most sybil farms (~90%)
3	On-chain raffle with dedup + randomized selection	Treasury drain incentive
4	Stake-to-enter + destination withdrawal cap	Economic sybil entirely

10 — Canister Verification

Component	Canister ID	Status
Mission70 Backend	bzchk-oyaaa-aaaae-ae4eq-cai	Running
Mission70 Frontend	a2oom-2aaaa-aaaae-ae4ca-cai	Running
PP Terminal Subs	qoixt-7yaaa-aaaam-ahgla-cai	Running
Token Oracle	s77ts-eaaaa-aaaag-axa4q-cai	Subnet Stalled

Data methods: getAllVotes() → 1,522 records · getWithdrawalLog() → 1,454 records · getResults() → live tally

NNS Proposal #140538: ADOPTED & EXECUTED — 90.2% YES, 360.8M ICP voted. The NNS neuron vote is completely separate from this canister vote and was not affected by sybil activity.