
User loses $140,000, falls victim to a DeFi scam

An unknown user lost $140,000 in Uniswap tokens after they were deposited into the UniCats project’s pool. The full story was uncovered by ZenGo researcher Alex Manuskin.


If you are not yet convinced that you should NOT be approving infinite tokens to some random smart contract/Dapp, here’s a story of how Jhon Doe lost $140K worth of UNI in their sleep.

1/

👇 pic.twitter.com/QltkevnzDY

— Alex Manuskin (@amanusk_) October 5, 2020


The expert notes that a certain Joe stumbled upon a quirky yield-farming scheme called UniCats.


With thoughts that it could replicate the success of yEarn Finance (YFI), the user decided to deposit some UNI.


He received the familiar MetaMask prompt: “Allow this dapp to spend your UNI.” Joe, assuming this was standard practice among similar DeFi protocols, approved it.


Jhon decides to deposit some $UNI, and gets the good old “Allow this Dapp to spend your UNI” message from Metamask, and thinks: “Oh, this again. Yeah, all the farming Dapps do that, why not 🤷‍♂️”

And approves the transaction pic.twitter.com/qhghToDC0s


— Alex Manuskin (@amanusk_) October 5, 2020


After minting a few MEOW tokens, he withdrew his UNI from the pool.

“Jhon doesn’t realize that once you approve the contract to use ∞ tokens, the contract can take their tokens at any time. Even after they were withdrawn from the farming scheme.”


What Jhon doesn’t know, is that once you approved the contract to use ∞ tokens, the contract can take their tokens at any time. Even after they were withdrawn from the farming scheme.


— Alex Manuskin (@amanusk_) October 5, 2020


The creators of UniCat designed a backdoor into the smart contract. The attackers carried out two transactions of 26,000 UNI (~$94,000) and 10,000 UNI (~$38,000). The hypothetical Joe turned out not to be the only victim.
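As an added illustration (not code from the article, ZenGo or UniCats), the following JavaScript models ERC-20 allowance semantics and replays the story: the Token and Farm classes, the account names, the 72,000 UNI holdings and the 1,000 UNI deposit are all constructed assumptions; only the 26,000 and 10,000 sweep amounts come from the article.

```javascript
// In-memory model of ERC-20 allowances (constructed, not a real token). It shows
// why an unlimited approve() lets a pool move tokens after the user has
// withdrawn, while an exact-amount approval bounds the loss.
const MAX_UINT256 = (1n << 256n) - 1n; // the "infinite" approval value

class Token {
  constructor() { this.balances = new Map(); this.allowances = new Map(); }
  balanceOf(a) { return this.balances.get(a) ?? 0n; }
  allowance(owner, spender) { return this.allowances.get(owner + ":" + spender) ?? 0n; }
  mint(to, amt) { this.balances.set(to, this.balanceOf(to) + amt); }
  // approve() is signed by the holder: this is the MetaMask prompt in the story.
  approve(owner, spender, amt) { this.allowances.set(owner + ":" + spender, amt); }
  transfer(from, to, amt) {
    if (this.balanceOf(from) < amt) throw new Error("insufficient balance");
    this.balances.set(from, this.balanceOf(from) - amt);
    this.balances.set(to, this.balanceOf(to) + amt);
  }
  // transferFrom() is called by the spender with no further consent from the
  // holder; a finite allowance shrinks with use, an unlimited one never does.
  transferFrom(spender, from, to, amt) {
    const allowed = this.allowance(from, spender);
    if (allowed < amt) throw new Error("insufficient allowance");
    if (allowed !== MAX_UINT256) this.allowances.set(from + ":" + spender, allowed - amt);
    this.transfer(from, to, amt);
  }
}

// Hypothetical pool: deposit/withdraw are normal, but the owner can pull from any user who still has an allowance.
class Farm {
  constructor(token, owner) { this.token = token; this.owner = owner; }
  deposit(user, amt) { this.token.transferFrom("farm", user, "farm", amt); }
  withdraw(user, amt) { this.token.transfer("farm", user, amt); }
  ownerSweep(caller, user, amt) {
    if (caller !== this.owner) throw new Error("not owner");
    this.token.transferFrom("farm", user, this.owner, amt);
  }
}

// Replays the story with a chosen approval amount; returns the UNI left after the 26,000 and 10,000 sweeps.
function simulate(approvalAmount) {
  const uni = new Token(), farm = new Farm(uni, "pool-owner");
  uni.mint("jhon", 72000n);                      // constructed holdings
  uni.approve("jhon", "farm", approvalAmount);
  farm.deposit("jhon", 1000n); farm.withdraw("jhon", 1000n); // in and back out
  for (const amt of [26000n, 10000n]) {
    try { farm.ownerSweep("pool-owner", "jhon", amt); } catch (e) { /* blocked by allowance */ }
  }
  return uni.balanceOf("jhon");
}
```

Calling `uni.approve("jhon", "farm", 0n)` right after the withdrawal would block the sweeps in the same way as the exact-amount approval, which is the revocation step wallets and allowance checkers expose.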


Jhon loses 26K UNI, and then another 10K UNI while they sleep https://t.co/ujtcoqjD2l https://t.co/krCBzjX3A1 pic.twitter.com/jbqgTAC6zN

— Alex Manuskin (@amanusk_) October 5, 2020


“$140,000 — this is only from one victim. The criminals made at least another $50,000 from the others. The real amount could be higher. It’s difficult to estimate, as withdrawals were carried out in separate transactions,” the researcher explained in an interview with Decrypt.

Manuskin added that he had not encountered this kind of attack in a DeFi project before. He explained that a similar situation occurred with the Bancor contract, but there it was a vulnerability, not a deliberately installed backdoor.


The researcher emphasizes that the UniCat administrators devised a cunning scheme. To cover their tracks, they create a new smart contract for each new victim and assign it ownership of the pool.

Each new contract siphons off a portion of the funds, swaps them on Uniswap, and forwards them to addresses owned by UniCat. The stolen ETH are then moved to the Tornado Cash mixer in batches of 100 ETH.


Each new contract fishes out some funds, swaps them on Uniswap, and passes them to an address owned by UniCat. Stolen ETH are then moved into @TornadoCash, in bulks of 100 ETH before moving on to the next victim https://t.co/N8A4ULC2tp

— Alex Manuskin (@amanusk_) October 5, 2020


“Jhon wakes up to figure out that half of their UNI holdings are gone, swears off farming, and moves all their funds out of the account. UniCat continues to fish for more victims,” Manuskin’s story concludes; he adds a couple of tips on how not to repeat this experience.
