On Monday, a phishing scam offering a fraudulent airdrop managed to rob Uniswap users of nearly $8 million in funds.
The phishing scam promised a free airdrop of 400 UNI tokens (worth approximately $2,200). Users were asked to connect their crypto wallets and sign the transaction to claim the malicious airdrop. Upon connection, the unknown hacker grabbed user funds through a malicious smart contract.
To date, more than 74,000 wallets have interacted with the phishing scam smart contract, according to data from Etherscan.
On July 11, the hacker deployed a malicious smart contract, according to Etherscan.
Notably, the code was not verified for the smart contract deployed on Etherscan—something most legitimate projects do.
After deployment, the hacker tricked users into signing a transaction they believed would collect their airdropped tokens. In reality it was an approval transaction, giving the hacker access to all the Uniswap LP (liquidity pool) tokens held by the user.
Screenshot of decoded transaction data. Source: Etherscan.
Whenever users add liquidity to Uniswap, they receive LP tokens in return as a representation of their liquidity positions. These tokens are transferable and use the ERC-721 token standard, like all other NFTs.
Hence, through an approval transaction, a third party (in this case the hacker's wallet) could spend funds on behalf of the user.
After gaining access from the previous approval transaction, the hacker transferred all the LP tokens to his wallet and withdrew all the liquidity from Uniswap.
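How a wallet could inspect the calldata of such a transaction before the user signs it, and build the revoking transaction afterwards, as an added example that is not from the article, Uniswap or MetaMask: the function selectors are the standard ERC-721 ones, while the operator address, the sample calldata and the "trusted operators" set are constructed assumptions.

```python
# Added example (not from the article): decode an ERC-721 approval transaction
# the way a wallet could before asking the user to sign it, and build the
# revoke transaction. Selectors are the standard ERC-721 ones; the operator
# address and the sample calldata are constructed for illustration.

# 4-byte function selectors = first 4 bytes of keccak256(signature)
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}

def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    chunk = data[4 + 32 * index: 36 + 32 * index]
    if len(chunk) != 32:
        raise ValueError("truncated calldata")
    return chunk

def _address(word: bytes) -> str:
    return "0x" + word[12:].hex()  # addresses are right-aligned in the 32-byte word

def decode_calldata(hex_data: str) -> dict:
    """Decode the ERC-721 calls relevant here; anything else is reported by selector only."""
    data = bytes.fromhex(hex_data.removeprefix("0x"))
    selector = data[:4].hex()
    name = SELECTORS.get(selector)
    if name == "setApprovalForAll(address,bool)":
        return {"function": name, "operator": _address(_word(data, 0)),
                "approved": int.from_bytes(_word(data, 1), "big") != 0}
    if name == "approve(address,uint256)":
        return {"function": name, "spender": _address(_word(data, 0)),
                "token_id": int.from_bytes(_word(data, 1), "big")}
    return {"function": name, "selector": selector}

def assess(decoded: dict, trusted_operators: set) -> str:
    """Say in plain words what signing this transaction would grant."""
    if decoded["function"] == "setApprovalForAll(address,bool)" and decoded["approved"]:
        if decoded["operator"].lower() in {a.lower() for a in trusted_operators}:
            return "OK: blanket approval to a known operator"
        return ("HIGH: grants %s the right to move every LP NFT in this wallet; "
                "claiming an airdrop never needs this" % decoded["operator"])
    if decoded["function"] == "approve(address,uint256)":
        return "MEDIUM: grants %s control of token id %d" % (decoded["spender"], decoded["token_id"])
    return "INFO: grants no new permission"

def build_approval_calldata(operator: str, approved: bool) -> str:
    """Calldata for setApprovalForAll(operator, approved); approved=False is the user-side remediation."""
    op = bytes.fromhex(operator.removeprefix("0x")).rjust(32, b"\0")
    return "0xa22cb465" + op.hex() + int(approved).to_bytes(32, "big").hex()

# Constructed sample: the kind of calldata the "claim airdrop" transaction actually carried.
SAMPLE_OPERATOR = "0x1111111111111111111111111111111111111111"  # constructed, not the real wallet
SAMPLE_CALLDATA = build_approval_calldata(SAMPLE_OPERATOR, True)
```

Running `assess(decode_calldata(SAMPLE_CALLDATA), set())` yields the HIGH verdict, and `build_approval_calldata(SAMPLE_OPERATOR, False)` is the calldata a user would send to the LP NFT contract to revoke the grant.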
The hacker's wallet gained nearly 7,573.94 Ethereum from the exploit, according to analytics data from Etherscan.
Crypto community reacts to Uniswap phishing hack
“This was a phishing attack that resulted in some LP NFTs being taken from individuals who approved malicious transactions,” said Uniswap creator Hayden Adams. “Totally separate from the protocol.”
“As of block 151,223,32, there have been 73,399 addresses that have been sent a malicious token to target their assets, under the false impression of a $UNI airdrop based on their LPs,” tweeted Harry Denley, a security engineer at MetaMask.
Hours after Denley's tweet, Binance CEO Changpeng Zhao also tweeted about the issue; initially he alleged that the DEX protocol itself had been exploited.
After clarifications from the Uniswap team, he later confirmed that it was indeed a phishing scam and that the protocol was safe.
“This seems like an incredibly irresponsible thing to tweet, it was a phishing campaign, not an exploit of Uniswap v3 code,” responded a user to Zhao’s initial allegation.
“Let’s agree to disagree. I personally think when you have an audience of [6 million] people you should not go around spreading panic without verifying your story first,” another user said following Zhao’s initial tweet.
Despite the clarification, the price of UNI has plummeted more than 10% over the past 24 hours.
UNI is a governance token launched in 2020 that lets holders vote on and propose various changes made to the Uniswap protocol.