Uniswap Users Lose $8 Million in ETH in Phishing Attack
A phishing scam offering a fraudulent airdrop has this week managed to rob Uniswap users of almost US$8 million in ETH. The scam, instigated on July 11, was promising a free airdrop of 400 UNI tokens (worth about US$2,200):
The scam involved asking users to connect their crypto wallets and make the transaction to claim the fraudulent airdrop. On connection, the hacker nabbed users’ funds via a malicious smart contract.
According to data from Etherscan, more than 74,000 wallets have interacted with the phishing scam’s smart contract. A notable aspect of the attack was that the code was not verified for the smart contract deployed on Etherscan, which is something most legitimate projects do.
How the Attack Unfolded
After deployment of the smart contract, in order to collect the airdropped tokens, the hacker tricked users into signing a transaction. The transaction instead served as an approval transaction, which granted the hacker access to all the Uniswap Liquidity Pool (LP) tokens held by the user.
Uniswap creator Hayden Adams took to Twitter to reassure the community that the hack was indeed a phishing attack and was totally separate from the protocol:
Bad Timing for Uniswap
News of the attack does not come at the best time for Uniswap. The decentralised exchanged (DEX) only recently announced the acquisition of the NFT marketplace aggregator Genie and plans to integrate NFTs into its products, starting with the Uniswap web application.
While the platform is making strides in terms of expanding its reach within the Web3 space, the DEX was hit by a class-action lawsuit in April for promoting “scam coins”. The plaintiff in the case claims to have purchased around US$10,000 worth of “fraudulent” ERC-20 tokens via Uniswap between May and June of 2021.