The decentralized trading landscape faced a stark reminder of its security vulnerabilities this week as Banana Gun, a popular Telegram-based trading bot, confirmed a $3 million exploit targeting high-profile cryptocurrency traders. The incident, which affected 11 users across both EVM and Solana blockchains, highlights the growing risks associated with third-party messaging platform integrations in DeFi workflows.
The Exploit Mechanics
According to the Banana Gun development team, the attack vector was a vulnerability in the Telegram message oracle, the component the platform uses to relay transaction data between users and the bot interface. Attackers used this weakness to initiate manual fund transfers out of victim wallets while the users were actively interacting with the bot. That the transfers were issued by hand rather than by script points to a targeted operation rather than an automated drain, and it shows that control of this message channel was enough to drive the bot's own transfer path.
Victims received in-bot notifications of the unauthorized transfers, which means the transfers went through the bot's normal transfer flow and were reported to the victims as if they had requested them. The attacker specifically targeted smart money traders and crypto veterans, indicating deliberate selection rather than random victimization. Blockchain investigator ZachXBT was among the first to flag the suspicious activity on September 25, 2024.
Affected Systems
The breach impacted users across multiple blockchain ecosystems. Banana Gun runs on both EVM-compatible chains and Solana, so the vulnerability was not chain-specific; it sat in the bot's off-chain communication layer, which is shared by every chain the bot supports. Initial reports estimated losses at $1.9 million before the full scope of the attack became clear, with the final tally approximately $3 million in stolen digital assets.
At the time of the incident, Bitcoin traded near $63,143 and Ethereum around $2,579; for scale, the roughly $3 million stolen corresponded to about 47 BTC or 1,160 ETH at those prices. The attack joins a growing list of September 2024 security incidents, including the $27 million Penpie reentrancy exploit and the $21 million Indodax exchange breach earlier in the month.
The Mitigation Strategy
Banana Gun responded quickly to the discovery. The team patched the identified oracle vulnerability and added several controls: a mandatory two-hour delay on all withdrawals, giving users a window to spot and cancel an unauthorized transfer before it executes, and, announced for a later release, two-factor authentication on every transfer operation.
Beyond these immediate fixes, Banana Gun audited both its back-end and front-end systems and redeployed the entire back-end on new servers, eliminating any environment in which the attacker might still have a foothold. The team also engaged Security Alliance (SEAL), a Web3 security nonprofit, to conduct an independent investigation of the incident.
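The two controls above, a delay before any transfer executes and a one-time code required to release it, can be modelled as a small withdrawal queue. The following is an added illustration, not Banana Gun's code and not a description of how their bot implements these features: the one-time code follows RFC 4226 (HOTP), while the queue, the per-user secret and counter tables, the field names and the sample values are assumptions made for the example.

```python
"""Time-locked transfer queue with a second-factor release (added illustration).

Assumptions: each user has an HOTP secret enrolled out of band, the bot
notifies the user when a transfer is queued, and a transfer executes only
after the delay has elapsed AND a valid one-time code is presented.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Transfer:
    transfer_id: int
    user: str
    to_address: str
    amount: float
    requested_at: float
    status: str = "pending"  # pending -> cancelled | executed


@dataclass
class TransferQueue:
    delay_seconds: int = 2 * 60 * 60                 # the two-hour window from the article
    otp_secret: dict = field(default_factory=dict)   # user -> HOTP secret (assumed enrolment)
    otp_counter: dict = field(default_factory=dict)  # user -> next HOTP counter
    pending: dict = field(default_factory=dict)      # transfer_id -> Transfer
    notifications: list = field(default_factory=list)
    _next_id: int = 1

    def request(self, user, to_address, amount, now=None):
        """Queue a transfer; nothing moves until the delay has elapsed."""
        now = time.time() if now is None else now
        t = Transfer(self._next_id, user, to_address, amount, now)
        self._next_id += 1
        self.pending[t.transfer_id] = t
        # Tell the user what was queued so an unexpected transfer is visible before it executes.
        self.notifications.append(
            (user, f"transfer {t.transfer_id}: {amount} to {to_address}, executes after {self.delay_seconds}s"))
        return t.transfer_id

    def cancel(self, user, transfer_id):
        """Only the owning user may cancel, and only while the transfer is still pending."""
        t = self.pending.get(transfer_id)
        if t is None or t.user != user or t.status != "pending":
            return False
        t.status = "cancelled"
        return True

    def execute(self, user, transfer_id, otp_code, now=None):
        """Release a transfer after the delay and a valid one-time code; return the outcome."""
        now = time.time() if now is None else now
        t = self.pending.get(transfer_id)
        if t is None or t.user != user or t.status != "pending":
            return "rejected: no such pending transfer"
        if now - t.requested_at < self.delay_seconds:
            return "rejected: delay not elapsed"
        counter = self.otp_counter.get(user, 0)
        expected = hotp(self.otp_secret[user], counter)
        if not hmac.compare_digest(expected, otp_code):
            return "rejected: bad one-time code"
        self.otp_counter[user] = counter + 1  # burn the counter so the code cannot be replayed
        t.status = "executed"
        return "executed"


if __name__ == "__main__":
    q = TransferQueue()
    q.otp_secret["alice"] = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    tid = q.request("alice", "0xabc", 1.5, now=1000.0)
    print(q.execute("alice", tid, hotp(q.otp_secret["alice"], 0), now=1000.0 + 60))
    print(q.execute("alice", tid, hotp(q.otp_secret["alice"], 0), now=1000.0 + 7200))
```

The point of the design is that neither control is sufficient on its own: the delay buys time, and the one-time code means that whoever can push a transfer request through the message channel still cannot release it. The counter is advanced only on success, so a rejected attempt does not desynchronize a legitimate user.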
Lessons Learned
The Banana Gun exploit underscores a vulnerability category that receives too little attention: the security of the off-chain layer that connects a user interface to on-chain operations. Smart contract audits have become standard practice, but the intermediary systems, particularly those built on a centralized messaging platform such as Telegram, rarely get the same scrutiny. An audited contract is no defense when the component that decides which transactions to submit can be driven by an attacker. The same logic applies to the mitigations: a transfer delay only helps if the user learns of the pending transfer through a channel the attacker does not control and can cancel it without going back through the compromised path.
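As a concrete instance of the point made in the exploit mechanics section and again here, a bot whose Telegram messages drive wallet actions needs to authenticate and bind each incoming update before it reaches anything that moves funds. The following gate is an added example of that general hardening; it is not Banana Gun's code and does not describe the bug they patched. The one real name in it is the `X-Telegram-Bot-Api-Secret-Token` header, which Telegram attaches to webhook requests when `setWebhook` was called with a `secret_token`. The secret value, the wallet ownership table, the `/transfer` command syntax and the sample updates are constructed for the example.

```python
"""Authenticate and bind Telegram webhook updates before acting on them (added example).

Three checks: the webhook secret header (is this really from Telegram?),
a monotonic update_id (is this a replay?), and ownership binding (does the
Telegram user sending the command actually own the wallet it names?).
"""
import hmac
import json

HEADER = "X-Telegram-Bot-Api-Secret-Token"   # header Telegram sets when setWebhook had a secret_token
WEBHOOK_SECRET = "assumed-secret-token-configured-at-setWebhook"  # assumption for the example

# Assumed ownership table: wallet label -> Telegram user id that created it.
WALLET_OWNER = {"wallet-A": 1001, "wallet-B": 1002}


def make_update(update_id, user_id, text):
    """Build a minimal Telegram Update body (constructed sample data, not a captured message)."""
    return json.dumps({"update_id": update_id,
                       "message": {"from": {"id": user_id}, "chat": {"id": user_id}, "text": text}})


class UpdateGate:
    """Sits between the webhook endpoint and anything that can move funds."""

    def __init__(self, secret, owners):
        self.secret = secret
        self.owners = owners
        self.last_update_id = -1

    def accept(self, headers, body):
        """Return (ok, reason, command); only ok=True results may reach the transfer path."""
        sent = headers.get(HEADER, "")
        # Constant-time compare; a missing or forged header means the request did not come from Telegram.
        if not hmac.compare_digest(sent, self.secret):
            return False, "bad or missing webhook secret", None
        try:
            update = json.loads(body)
        except ValueError:
            return False, "malformed JSON", None
        uid = update.get("update_id")
        # update_id increases monotonically, so an old or repeated id is a replay.
        if not isinstance(uid, int) or uid <= self.last_update_id:
            return False, "replayed or out-of-order update_id", None
        self.last_update_id = uid
        msg = update.get("message") or {}
        sender = (msg.get("from") or {}).get("id")
        parts = (msg.get("text") or "").split()
        if len(parts) != 4 or parts[0] != "/transfer":
            return False, "not a transfer command", None
        _, wallet, to_addr, amount = parts
        # Bind the command to the wallet's owner, not merely to the chat it arrived in.
        if sender is None or self.owners.get(wallet) != sender:
            return False, f"user {sender} does not own {wallet}", None
        return True, "ok", {"wallet": wallet, "to": to_addr, "amount": amount}


if __name__ == "__main__":
    gate = UpdateGate(WEBHOOK_SECRET, WALLET_OWNER)
    body = make_update(10, 1001, "/transfer wallet-A 0xabc 1.5")
    print(gate.accept({}, body))                        # rejected: no secret header
    print(gate.accept({HEADER: WEBHOOK_SECRET}, body))  # accepted
    print(gate.accept({HEADER: WEBHOOK_SECRET}, body))  # rejected: replay
```

None of this replaces the transfer delay or the second factor; it only ensures that the message layer is not an unauthenticated input to them. If the bot instead polls `getUpdates`, the header check does not apply, but the replay and ownership checks still do.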
According to Chainalysis data, hacking activity surged in 2024 after a 50% decline in stolen cryptocurrency values during 2023. Two categories of crypto crime—stolen funds and ransomware—continue to defy the broader downward trend in illicit activity. North Korean-linked hacking groups remain responsible for some of the largest thefts, though the Banana Gun incident appears to be the work of a different threat actor given its manual, targeted methodology.
User Action Required
Users of Telegram-based trading bots should take precautions now. Revoke token approvals you no longer need, turn on every security feature the bot offers, including transfer delays and two-factor authentication, and keep large holdings in a dedicated hardware wallet rather than in a bot-connected hot wallet. Be especially careful with permit signatures: an EIP-2612 permit is an off-chain signature that grants a spender an allowance without any on-chain approval transaction, so a phishing page can obtain spending rights over your tokens with a single "sign" click that never shows up as a transaction for you to review. Read the spender, value and deadline of anything you are asked to sign through a third-party interface.
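The "read the spender, value and deadline" advice can be turned into a check that runs over the EIP-712 typed data a wallet is asked to sign. The function below is an added example, not tooling from the article or from any wallet: it flags the patterns permit phishing relies on (a spender you do not recognise, an unlimited value, a deadline that never expires, or a permit for a chain other than the one you are on). The trusted-spender allowlist, the token domain, the addresses and the sample permit are constructed for the example; the field names are those of an EIP-2612 `Permit`.

```python
"""Inspect an EIP-2612 permit request before signing it (added example).

Assumptions: the user keeps a small allowlist of spenders they trust, and a
swap should never need a permit valid for more than an hour.
"""
import time

UINT256_MAX = 2**256 - 1

# Assumed per-user allowlist of spenders (e.g. the router of a DEX the user actually uses).
TRUSTED_SPENDERS = {"0x1111111111111111111111111111111111111111"}

# Constructed permit request, shaped like what a dapp hands to eth_signTypedData_v4.
SAMPLE_PERMIT = {
    "domain": {"name": "ExampleToken", "version": "1", "chainId": 1,
               "verifyingContract": "0x2222222222222222222222222222222222222222"},
    "primaryType": "Permit",
    "message": {
        "owner": "0x3333333333333333333333333333333333333333",
        "spender": "0x4444444444444444444444444444444444444444",  # not on the allowlist
        "value": str(UINT256_MAX),                               # unlimited allowance
        "nonce": 0,
        "deadline": str(UINT256_MAX),                            # never expires
    },
}


def inspect_permit(typed_data, trusted_spenders=TRUSTED_SPENDERS, expected_chain_id=1,
                   now=None, max_valid_seconds=3600):
    """Return a list of warnings for a Permit request; an empty list means nothing looked off."""
    now = int(time.time()) if now is None else int(now)
    if typed_data.get("primaryType") != "Permit":
        return ["not an EIP-2612 Permit request; inspect it separately"]
    warnings = []
    chain_id = typed_data.get("domain", {}).get("chainId")
    if chain_id != expected_chain_id:
        warnings.append(f"chainId {chain_id} differs from the chain you are connected to ({expected_chain_id})")
    msg = typed_data["message"]
    spender = msg["spender"].lower()
    if spender not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {msg['spender']} is not in your allowlist")
    value = int(msg["value"])
    if value == UINT256_MAX:
        warnings.append("value is unlimited (2**256-1): grants spending of your entire balance")
    deadline = int(msg["deadline"])
    if deadline == UINT256_MAX:
        warnings.append("deadline never expires: the signature stays valid forever")
    elif deadline - now > max_valid_seconds:
        warnings.append(f"deadline is {deadline - now}s away; a swap should only need minutes")
    elif deadline < now:
        warnings.append("deadline has already passed; ask why an expired permit was requested")
    return warnings


if __name__ == "__main__":
    for w in inspect_permit(SAMPLE_PERMIT):
        print("WARNING:", w)
```

Nothing here is cryptographic; the check only reads the fields a wallet would sign. The point is that a permit's danger is entirely in those fields, and a user who never looks at them is signing blind.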
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before interacting with any DeFi protocol.
A Telegram oracle vulnerability letting attackers manually drain wallets while users are in the app. That's a design flaw, not a bug.
Manual transfers while the user is in the app is next level. A hardware wallet wouldn't even help if you approved the session.
Nina is right, the manual transfer while the user is active in the app means they probably approved something seconds before without realizing.
That's the scary part. You approve a session for trading convenience and the oracle vulnerability turns that into a drain path. Convenience is the enemy of security in DeFi.
Targeting exactly 11 smart money traders across EVM and Solana is not random. This was a planned operation with reconnaissance.
11 targets across EVM and Solana. The attacker had to know which wallets had active bot sessions. That's inside info or recon work.
11 users across EVM and Solana. The attacker knew exactly who had money in the bot. Inside info or surveillance on whale wallets.
Trusting a Telegram bot with active wallet permissions is asking for trouble. Hardware wallet + manual swaps only at this point.
revoke.cash should be bookmarked by anyone touching DeFi. Half the people using Telegram bots probably never even checked what permissions they granted.
Oracle vulnerabilities are the silent killer in bot-based trading. Everyone focuses on smart contract audits and forgets the message layer between Telegram and the chain is just as exposed.