A Uniswap user lost more than $8 million worth of Ether after an attacker used a malicious airdrop contract to target the project's liquidity providers. The fraudulent airdrop offered 400 UNI tokens for free, priced at nearly $2000. Users were told to connect their cryptocurrency wallets to claim the funds. This sophisticated phishing campaign saw the attackers make off with more than 7500 Ether.
Hayden Adams, the Uniswap founder, confirmed that the phishing attack caused some LP NFTs to be siphoned from users who approved malicious transactions. Hackers targeted liquidity providers of the Uniswap v3 protocol in an elaborate phishing campaign. Over $8 million in Ethereum is estimated to have been lost so far in this attack.
Uniswap v3 protocol LPs targeted
Harry Denley, a security analyst at Metamask, first detected the incident. He found that 73,399 addresses had received a malicious token named UniswapLP, sent to target their assets under the pretext of an airdrop of a false UNI token.
The malicious smart contract was deployed, but its code was not verified on Etherscan, a step that legitimate projects always take. Information in the smart contract pointed to a site that purported to let users swap their new tokens for $5.34 worth of Uniswap each. The message claimed to airdrop these UNI tokens to liquidity providers depending on the total number of fake LP tokens they had received.
The malicious token sent to the victims appeared to come from the legitimate ‘Uniswap V3: Positions NFT’ contract, because the ‘From’ field shown in the blockchain transaction explorer had been manipulated. The site hosted by the bad actors would then read sensitive user data and steal funds from those wallets.
A liquidity provider is someone who supplies cryptocurrency assets to a platform to support decentralized trading. In return, they are rewarded with fees generated by trades on that platform. It is a form of passive income.
After deployment, the hacker tricked users into signing a transaction that gave the hacker complete access to all the Uniswap LP tokens the user held. This is because the phishing message permitted the underlying smart contract to transfer assets out of the wallet. It also gained complete control of the user's wallet.
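The approval step described above can be caught before signing by decoding the calldata a site asks the wallet to sign. The following is an added example, not code from Uniswap or from the original article. It assumes the grant is a standard ERC-721 operator approval (`setApprovalForAll`) or a plain `approve`, which the article does not name; `review_calldata`, `known_operators` and the sample addresses are hypothetical and constructed for illustration.

```python
# Selectors are the first 4 bytes of keccak256 of the standard signatures.
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/ERC-1155
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20/ERC-721


def _word(body: bytes, index: int) -> bytes:
    """Return the 32-byte ABI word at position index, or raise if truncated."""
    word = body[32 * index: 32 * (index + 1)]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def review_calldata(data_hex: str, known_operators: frozenset = frozenset()) -> dict:
    """Classify calldata a site asks the wallet to sign.

    known_operators is a hypothetical allowlist of lowercase 0x addresses
    the user already trusts (for example a router they chose themselves).
    """
    raw = bytes.fromhex(data_hex[2:] if data_hex.lower().startswith("0x") else data_hex)
    if len(raw) < 4:
        return {"risk": "none", "reason": "no function selector"}
    selector, body = raw[:4].hex(), raw[4:]
    if selector not in (SET_APPROVAL_FOR_ALL, APPROVE):
        return {"risk": "none", "reason": "not an approval call"}
    operator = "0x" + _word(body, 0)[12:].hex()      # address is right-aligned
    value = int.from_bytes(_word(body, 1), "big")    # bool flag or uint256
    if selector == SET_APPROVAL_FOR_ALL:
        if value == 0:
            return {"risk": "none", "reason": "revokes operator", "operator": operator}
        scope = "every token the wallet holds in this collection"
    else:
        scope = f"token id or amount {value}"
    risk = "low" if operator in known_operators else "high"
    return {"risk": risk, "operator": operator, "scope": scope}


# Constructed samples: setApprovalForAll(<made-up operator>, true / false)
SAMPLE_OPERATOR = "0x" + "ab" * 20
SAMPLE_GRANT = "0x" + SET_APPROVAL_FOR_ALL + "00" * 12 + "ab" * 20 + "00" * 31 + "01"
SAMPLE_REVOKE = "0x" + SET_APPROVAL_FOR_ALL + "00" * 12 + "ab" * 20 + "00" * 32

if __name__ == "__main__":
    print(review_calldata(SAMPLE_GRANT))
    print(review_calldata(SAMPLE_GRANT, frozenset({SAMPLE_OPERATOR})))
    print(review_calldata(SAMPLE_REVOKE))
```

A "high" result means the transaction hands an unrecognised address transfer rights over the stated scope, which is the point at which a wallet or reviewer should stop and check who the operator is.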
The entity behind the attack is said to be part of a very sophisticated operation. It targeted roughly 73,399 addresses by sending a malicious token. Changpeng "CZ" Zhao, the CEO of Binance, estimated that almost $4.7 million worth of Ether was drained in the attack. However, the crypto tracking and compliance platform MistTrack reported that 7500 Ethereum was stolen. The funds were then laundered through Tornado Cash, a cryptocurrency mixing service, in 100 transactions in total.
The creator of Uniswap Lab confirmed that the hacker impersonated the official site and deceived LP providers into signing malicious transactions. The protocol itself, however, has never been exploited.
Phishing attacks are increasing
Web2-style attacks such as phishing campaigns are wreaking havoc across the Web3 landscape. Many phishing sites impersonating Stepn, a Solana-based Web3 lifestyle app, were detected in April. More recently, OpenSea reported a data breach that affected the personally identifying information of customers who had subscribed to its mailing list. Customers were warned of prospective phishing attempts.
According to a new report by Certik, a renowned security platform focused on blockchain and DeFi, phishing attacks increased by nearly 170 per cent in the past quarter. The report underscored that social media platforms have emerged as a significant pain point for Web3 projects. Throughout the second quarter, Certik recorded 290 attacks, compared with 106 in the first quarter of this year.
Conclusion
According to Etherscan’s data, over 74000 wallets have interacted with the phishing smart contract so far. One person who had been providing more than $8 million worth of wrapped Bitcoin and USDC to a wrapped Bitcoin/USDC liquidity pool unknowingly interacted with the phishing message. The attacker then gained control of the wallet, exited the LP positions and withdrew all the liquidity from Uniswap. Blockchain data also showed that the attacker started to move the stolen funds via Tornado Cash, the privacy protocol.