Hackers stole $8 million worth of ETH in the latest Uniswap phishing attack after gaining access to LP tokens via a malicious airdrop contract, so let's take a closer look in today's cryptocurrency news.
A phishing scam offering a fraudulent airdrop deprived Uniswap users of $8 million in funds. The scam promised a free airdrop of 400 UNI tokens worth $2200. Users were asked to connect their wallets and sign a transaction to claim the airdrop. Prior to login, the hacker grabbed the user's funds via a malicious smart contract. More than 74,000 wallets interacted with the fraudulent smart contract, according to data on Etherscan. The hacker rolled out the smart contract on July 11.
The code of the smart contract was not verified on Etherscan, which is something most legitimate projects do. After deployment, the hacker tricked users into signing transactions to collect the airdropped tokens, but that transaction served as an approval and gave the hacker access to the Uniswap LP tokens held by the user.
When users add liquidity to Uniswap, they receive LP tokens in return as a representation of their liquidity positions, and these tokens can be transferred like other NFTs. Through an approval transaction, a third party can spend funds on behalf of the user. After gaining this access, the hacker stole $8 million by transferring the LP tokens to his wallet and pulling the liquidity from Uniswap. The hacker earned 7500 ETH from the exploit. Uniswap creator Hayden Adams added:
“This was a phishing attack that resulted in certain NFT LPs being taken from people who approved malicious transactions. Completely separate from protocol.”
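The approval step described above can be caught before signing by decoding the transaction's calldata. The sketch below is an added example, not code from the article or from Uniswap; it assumes the approval was a standard ERC-721 `setApprovalForAll` or `approve` call, and `inspectCalldata`, the operator address and the sample transactions are constructed for illustration.

```javascript
// Added example: pre-signing check for approval-type calldata.
// Function selectors = first 4 bytes of keccak256(signature), standard ERC values.
const SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155
  "095ea7b3": "approve(address,uint256)",        // ERC-20 / ERC-721
};
const ZERO_ADDRESS = "0x" + "00".repeat(20);

// Split ABI-encoded arguments into 32-byte (64 hex character) words.
function words(argsHex) {
  if (argsHex.length % 64 !== 0) throw new Error("truncated calldata");
  return argsHex.match(/.{64}/g) || [];
}

// Describe what signing this calldata would grant, and to whom.
// trustedOperators is a hypothetical allowlist kept by the wallet or user.
function inspectCalldata(data, trustedOperators = new Set()) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) throw new Error("not calldata");
  const signature = SELECTORS[hex.slice(0, 8)];
  if (!signature) return { approval: false };
  const [w0, w1] = words(hex.slice(8));
  if (w0 === undefined || w1 === undefined) throw new Error("missing arguments");
  const grantee = "0x" + w0.slice(24); // address = low 20 bytes of the word
  const all = signature.startsWith("setApprovalForAll");
  // setApprovalForAll(op, false) revokes; approve(0x0, id) clears an ERC-721 approval.
  // approve(spender, 0) is ambiguous (ERC-20 revoke or ERC-721 token id 0), so it
  // is conservatively treated as a grant.
  const revokes = all ? BigInt("0x" + w1) === 0n : grantee === ZERO_ADDRESS;
  return {
    approval: true,
    signature,
    grantee,
    scope: all ? "every token in the collection" : "one token id or amount",
    revokes,
    warn: !revokes && !trustedOperators.has(grantee),
  };
}

// Constructed sample data (not taken from the incident).
const OPERATOR = "0x" + "ab".repeat(20);
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const claimTx = "0xa22cb465" + pad(OPERATOR) + pad("1");    // grant over all tokens
const revokeTx = "0xa22cb465" + pad(OPERATOR) + pad("0");   // revoke that grant
const transferTx = "0xa9059cbb" + pad(OPERATOR) + pad("5"); // not an approval

console.log(inspectCalldata(claimTx));
```

A wallet that shows `scope` and `grantee` in plain words before signing makes it visible that a "claim" transaction is in fact a collection-wide approval to an unknown address.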
Harry Denly, a former engineer at MetaMask, added:
“In block 15122332, 73,399 addresses received a malicious token to target their assets, under the false impression of a $UNI airdrop based on their LP.”
Hours after Denly’s tweet, Binance CEO Changpeng Zhao expressed his opinion on the matter and alleged that the DEX protocol had been exploited. Later, after clarification from the team, he confirmed that it was indeed a phishing scam:
“This seems like an incredibly irresponsible thing to tweet, it was a phishing campaign, not a Uniswap v3 code exploit.”
However, another user tweeted after Zhao’s tweet:
“Let’s say we disagree. Personally, I think that when you have an audience of [6 million] people you shouldn’t spread panic without checking your story first.”