Uniswap Loses Over $4.7M in Scam Token Phishing Exploit

A bad actor has managed to pull off a phishing attack on a major liquidity provider for the Uniswap v3 protocol. The campaign saw the hacker(s) loot a minimum of $4.7 million worth of Ether from the platform. According to internal reports, the total amount of stolen tokens could be even higher.

Alarms Go Off on Twitter

Binance CEO Changpeng Zhao had earlier posted regarding the attack after the exchange company’s threat intel spotted suspicious movement. CZ shared a tweet saying the attacker had stolen up to 4295 ETH and was moving the funds via Tornado Cash. He then offered assistance on behalf of Binance and also encouraged individuals to reach out to Uniswap.

Notably, CZ wasn’t the only one who noticed the attack and spoke up. MetaMask security analyst Harry Denley was one of the first to do so, a few hours before the Binance founder did. In his tweet, Denley provided more details on the nature of the attack.

Attackers Airdrop Fake Tokens

Denley revealed to some 13k Twitter followers that the attacker had sent fake ERC-20 tokens to over 73,399 addresses. The perpetrator disguised the tokens as “UniswapLP” tokens to lure unsuspecting users on the platform. This way, the assets seemed to have come from the actual “UniswapV: Positions NFT.”

They pulled this off by tampering with the “From” section in the blockchain transaction explorer. With the trap in place, users looking for more information on the token found themselves on a scam site. The page claimed to offer swap services for their new tokens and the Uniswap native currency (UNI).

However, instead of exchanging the tokens, the website forwarded the customer’s details (address and browser info) to the hacker’s command center. From there they would try to empty the user’s wallet. The attacker was able to make off with a range of assets, including Ether, ERC-20 tokens, and NFTs.

Interestingly, the perpetrators reportedly spent about 8.5 ETH on fees to send the fake tokens to user addresses. 
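
A detection heuristic for the “From” spoofing described above, added here as an illustration and not taken from the article or from Uniswap. It assumes the “From” value an explorer shows comes from the token contract's own ERC-20 Transfer event; all addresses, labels and records are constructed placeholders.

```python
# Added example; every address and record here is a constructed placeholder.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

LP_CONTRACT = "0x" + "aa" * 20   # stands in for a labelled, trusted contract
ATTACKER = "0x" + "bb" * 20      # externally owned account paying the gas
FAKE_TOKEN = "0x" + "cc" * 20    # contract that emits the misleading event
VICTIM = "0x" + "dd" * 20
WATCHLIST = {LP_CONTRACT: "trusted LP contract (placeholder label)"}

def as_topic(address):
    """Left-pad a 20-byte address to the 32-byte form used in log topics."""
    return "0x" + "00" * 12 + address[2:]

def topic_address(topic):
    """Recover the address held in the low 20 bytes of a topic."""
    return "0x" + topic[-40:].lower()

def spoofed_transfers(tx, logs):
    """Flag Transfer logs that name a watchlisted contract as sender although
    the transaction called the emitting token directly from another account."""
    findings = []
    for log in logs:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue  # not an ERC-20 Transfer(from, to, value) event
        claimed = topic_address(topics[1])
        # Top-level call went straight to the token, so "from" is only
        # whatever the token's own code chose to write into the log.
        direct_call = tx["to"].lower() == log["address"].lower()
        if claimed in WATCHLIST and direct_call and tx["from"].lower() != claimed:
            findings.append({
                "token": log["address"],
                "claimed_from": WATCHLIST[claimed],
                "recipient": topic_address(topics[2]),
                "paid_by": tx["from"],
            })
    return findings

AIRDROP_TX = {"from": ATTACKER, "to": FAKE_TOKEN}
AIRDROP_LOGS = [{"address": FAKE_TOKEN,
                 "topics": [TRANSFER_TOPIC, as_topic(LP_CONTRACT), as_topic(VICTIM)]}]
# Control case: the watchlisted contract really is the contract being called.
GENUINE_TX = {"from": VICTIM, "to": LP_CONTRACT}
GENUINE_LOGS = AIRDROP_LOGS

if __name__ == "__main__":
    for finding in spoofed_transfers(AIRDROP_TX, AIRDROP_LOGS):
        print(finding)
```

Without call traces this remains a heuristic: it only covers transactions sent directly to the token contract, which is where the logged sender and the account that paid the fees can be compared.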

Uniswap Team Takes Charge, Claims “No Exploit”

After the posts from Denley and Zhao, more clients became aware of the attack. Additional posts surfaced warning individuals not to interact with strange tokens airdropped into their wallets. Notably, the attack went on for about 8 hours.

Fortunately, the Uniswap team was able to put a stop to it not long after CZ called their attention to it. While the Binance founder’s post was aimed at helping, it did cause a bit of a stir within the crypto community. He had referred to the attack as a potential exploit but later clarified in a post.

CZ reported there were no problems with the protocol, as the team said the smart contract looked fine. 


Following CZ’s notice, the UNI token’s price dipped sharply, charting a daily low of $5.34. Prices have since rebounded but fell 10.5% within the past day; the token is currently trading at $5.57.
