Banana Gun acknowledged the attack on Twitter and shut down the bot. They posted that they did not believe their backend was compromised, and stated that they believed the attack occurred via a "front-end vulnerability" — though it was not clear what this might have referred to.
Almost $2 million taken from users of Telegram "Banana Gun" crypto trading bot
Some people use a Telegram-based crypto trading bot called "Banana Gun" to "snipe" crypto trades, copytrade, and perform other activities. On September 19, at least 11 victims lost around $3 million after their accounts were apparently compromised and drained.
- "Telegram bot Banana Gun’s users drained of over $1.9M", CoinTelegraph [archive]
Banana Gun bot launches token, sparks rug pull fears as they disclose a bug
The team behind Banana Gun, a Telegram bot to help "snipe" token launches, launched a token associated with the project on September 11. Only hours later, they announced in a tweet that they'd uncovered a bug in their smart contract that meant that when people sold tokens, the 4% tax that was meant to go to the project was also kept in individuals' wallets.
The team wrote in an announcement that they had no choice but to sell the treasury wallet to drain the liquidity pool, which is locked to... well, stop the project team from draining the project and rug-pulling. At the time of announcement, the project team had around 950 ETH (~$1.5 million) in the treasury wallet.
Some pointed out that they could simply set the tax to 0% and carry on without the hefty sales tax, but that didn't seem to appeal to the project's creators. Some also speculated that the team might just take the money and run after draining the LP.