Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wordpress-seo domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/wp-includes/functions.php on line 6114
Phishing attack steals $8M in Crypto from Uniswap LP - YFarmX | Crypto News & Education
Saturday, December 21, 2024
HomeEthereum & L2'sEthereum NewsPhishing attack steals $8M in Crypto from Uniswap LP

Phishing attack steals $8M in Crypto from Uniswap LP

Hackers stole over $8 million worth of crypto after airdropping Uniswap V3 Liquidity Pool users.

A phishing scam offering a fraudulent airdrop managed to steal nearly $8 million worth of tokens from Uniswap users on Monday.

The phishing scammer targeted the liquidity providers of Uniswap pool V3, where NFT’s represent LP holders’ positions in the pool. A total of 74,693 liquidity providers are in this pool, all of whom own one or more NFT(s) representing their stake.

This NFT represents a liquidity position in a Uniswap V3 WETH-WBTC pool. The owner of this NFT can modify or redeem the position – LOOKSRARE

Each of these individuals were sent 400 malicious ‘airdrop’ tokens as part of the scheme. It is believed that the malicious contract polluted the event data in such a way that block explorers index the “From” field as the legitimate “Uniswap V3: Positions NFT” contract.

Approval Transaction

Within the malicious token airdrop, there was a link to a website where victims could seemingly trade the new tokens for other cryptocurrencies.  In order to claim the malicious airdrop, users had to connect their crypto wallets and sign the transaction.

In reality, this transaction served as an approval transaction, which allowed the hacker to access all Uniswap LP (Liquidity Pool) NFT tokens.

At this point, with the use of a malicious smart contract, the hacker transferred all the LP NFT tokens to his wallet and then withdrew all the liquidity from Uniswap.

One of the LP NFT’s (worth up to 100 ETH) being transfered to the scammer’s wallet – etherscan.io

$8Million worth of WBTC & ETH (7,574 ETH’s worth in total) was stolen from the pool. The attacker funded their wallet with 100ETH from Tornado Cash (cryptocurrency anonymising service) hours before the attack and in total, the scammer spent $9,300 (8.8 Eth) on gas fees sending out the ‘airdrop’. Most of the funds were also

Twitter Reacts

Changpeng Zhao, CEO of Binance, also tweeted about the issue, initially alleging that the DEX protocol had been exploited.

After clarification from the Uniswap team, he confirmed that it was indeed a phishing scam and not a protocol exploit.

RELATED ARTICLES

Most Popular