A user of Ethereum lost US$ 140,000 in UNI, the governance token of the Decentralized Finance Platform (DeFi) Uniswap, according to Alex Manuskin, from the ZenGo portfolio research team.
Last weekend, the user with the pseudonym „Jhon Doe“ came across a new yield farming scheme called UniCats and decided to transfer some UNI tokens to its liquidity pool.
In the process, the UniCats contract asked for permission to spend an unlimited number of tokens, to which Doe agreed, as this is a relatively common practice in the DeFi market. After collecting some MEOW tokens, the user took his UNI tokens out of the pool.
Little did he know that the UniCats developer created a backdoor in the smart contract that gave him control over the tokens even after they were removed from the platform.
„What Jhon doesn’t know is that once you have approved the contract to use [infinite] tokens, the contract can pick up your tokens at any time. Even after they’re removed from the DeFi farm scheme,“ Manuskin said.
Thanks to this backdoor, the creator of UniCats was able to use a so-called „setGovernance“ function to capture Doe’s tokens. In two quick transactions, the user lost 26,000 and 10,000 UNI, worth about $94,000 and $38,000, respectively. The tokens were exchanged for just over 416 Wrapped Ether (about $147,000) at Uniswap. And Doe was not the only victim.
„The $140,000 is from only one victim. The scammer made at least $50,000 more with other victims. It can be even more, it’s a little hard to quantify because it’s in separate transactions,“ Manuskin told Decrypt.
He added that this is the first time he’s seen this kind of attack used deliberately in farm pools, although a similar hack was used against Bancor recently. However, Bancor suffered an exploit, not an intentional backdoor created by the developers, Manuskin explained.
He also noted that the UniCats developer creates additional smart contracts for each new victim to cover their tracks. The developer then moves the stolen funds into the Tornado Cash mixer, a way to make it harder for blockchain analysis companies to track the money.
Manuskin urged users to approve only the tokens they wish to spend, since the approved amount goes to zero after the contract uses it, or to revoke access to their funds afterwards.
„Much of the problem is caused by users being complicit in approving infinite amounts, as this is the standard in popular dapps as well,“ he explained to Decrypt, adding that „On the dapp side, they should only consider promotion to allow the necessary amount, even if it causes inconvenience to the user. On the wallet side, the wallets should alert the user that they are giving permission for all their current and future tokens.“
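As an added illustration of the wallet-side check Manuskin describes (example code, not from the article, ZenGo or UniCats), the Node.js snippet below decodes an ERC-20 approve() call, flags an unlimited allowance before the user signs it, and builds the approve(spender, 0) transaction that revokes it. The selector is the standard one for approve(address,uint256); the spender address, balance and amounts are constructed sample values.

```javascript
// Wallet-side screening of ERC-20 approve() calldata (added example).
// Runs offline with plain Node.js; no chain access is needed.

const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "infinite" allowance most dapps request

// Decode approve(address,uint256) calldata into { spender, amount }, or null.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) {
    return null; // not an ERC-20 approve call
  }
  const spender = "0x" + hex.slice(8 + 24, 8 + 64);         // low 20 bytes of word 1
  const amount = BigInt("0x" + hex.slice(8 + 64, 8 + 128));  // word 2
  return { spender, amount };
}

// Classify what the user is about to sign. An allowance above the holder's
// balance covers tokens received later too, i.e. "current and future tokens".
function classifyApproval(calldata, holderBalance) {
  const decoded = decodeApprove(calldata);
  if (!decoded) return { kind: "not-approve" };
  const { spender, amount } = decoded;
  if (amount === 0n) return { kind: "revoke", spender };
  if (amount === MAX_UINT256) {
    return { kind: "unlimited", spender, amount,
             warning: "spender gains control of all current and future tokens" };
  }
  if (amount > holderBalance) {
    return { kind: "exceeds-balance", spender, amount,
             warning: "allowance is larger than the current balance" };
  }
  return { kind: "bounded", spender, amount };
}

// Build calldata that revokes an existing allowance: approve(spender, 0).
function encodeRevoke(spender) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + "0".repeat(64);
}

// Constructed sample: a dapp requesting an unlimited allowance for SPENDER.
const SPENDER = "0x1111111111111111111111111111111111111111"; // placeholder address
const UNLIMITED_CALLDATA =
  "0x" + APPROVE_SELECTOR + SPENDER.slice(2).padStart(64, "0") + "f".repeat(64);
const SAMPLE_BALANCE = 36000n * 10n ** 18n; // 36,000 tokens with 18 decimals

console.log(classifyApproval(UNLIMITED_CALLDATA, SAMPLE_BALANCE));
console.log("revoke tx data:", encodeRevoke(SPENDER));
```

A wallet that already granted such an allowance can send the revoke calldata to the token contract at any time; the approval is a per-spender setting on the token, not on the farming contract.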