Hackers stole over $8 million worth of crypto after airdropping Uniswap V3 Liquidity Pool users.
A phishing scam offering a fraudulent airdrop managed to steal nearly $8 million worth of tokens from Uniswap users on Monday.
The phishing scammer targeted the liquidity providers of Uniswap pool V3, where NFT’s represent LP holders’ positions in the pool. A total of 74,693 liquidity providers are in this pool, all of whom own one or more NFT(s) representing their stake.
Each of these individuals were sent 400 malicious ‘airdrop’ tokens as part of the scheme. It is believed that the malicious contract polluted the event data in such a way that block explorers index the “From” field as the legitimate “Uniswap V3: Positions NFT” contract.
Approval Transaction
Within the malicious token airdrop, there was a link to a website where victims could seemingly trade the new tokens for other cryptocurrencies. In order to claim the malicious airdrop, users had to connect their crypto wallets and sign the transaction.
In reality, this transaction served as an approval transaction, which allowed the hacker to access all Uniswap LP (Liquidity Pool) NFT tokens.
At this point, with the use of a malicious smart contract, the hacker transferred all the LP NFT tokens to his wallet and then withdrew all the liquidity from Uniswap.
$8Million worth of WBTC & ETH (7,574 ETH’s worth in total) was stolen from the pool. The attacker funded their wallet with 100ETH from Tornado Cash (cryptocurrency anonymising service) hours before the attack and in total, the scammer spent $9,300 (8.8 Eth) on gas fees sending out the ‘airdrop’. Most of the funds were also
Twitter Reacts
Changpeng Zhao, CEO of Binance, also tweeted about the issue, initially alleging that the DEX protocol had been exploited.
After clarification from the Uniswap team, he confirmed that it was indeed a phishing scam and not a protocol exploit.