Press ESC to close

Uniswap fake token phishing attack stolen More than $4.7M

  • News
  • July 12, 2022
  • (0)

A sophisticated phishing movement aiming at liquidity providers (LPs) of the Uniswap v3 protocol has seen attackers make off with at least $4.7 million worth of Ethereum (ETH). Though, the community is reporting the losses could be even greater. Some initially interpreted the hack as an exploit of the Uniswap V3 protocol, but it was quickly clarified as the result of a phishing campaign.

Metamask security researcher Harry Denley was one of the first to tell his 13,000 Twitter followers on July 11 that 73,399 addresses had been sent malicious ERC-20 tokens to steal their assets.

According to a Tweet from Binance CEO Changpeng “CZ” Zhao at least $4.7 million in ETH has been lost in the attack. Though, there are also reports amongst the crypto community that there may be more significant losses from the incursion.

Protruding crypto Twitter user 0xSisyphus noted on July 11 that a “large LP” with around 16,140 ETH, worth $17.5 million, may have also been phished.

According to Denley, the phishing attack works by sending innocent users a “malicious token” called “UniswapLP” — made to appear as coming from the authentic “Uniswap V3: Positions NFT” contract by manipulating the “From” field in the blockchain transaction surveyor.

Users curious about their new tokens would be directed to a website claiming to allow them to swap their new tokens for Uniswap’s native token UNI, worth $5.34 each at the time of writing.

The website would as an alternative send the users’ address and browser client info to the attackers’ command center, which would also attempt to drain cryptocurrency from their wallets.

A Reddit post also explaining the attack distinguished that the attackers had stolen native tokens (ETH), ERC20 tokens, and NFTs (namely Uniswap LP positions) from victims.

Binance’s CEO Zhao twisted some waves in the crypto markets when he first sounded alarms about the attack, calling it a “potential exploit” of the Uniswap protocol on the ETH blockchain.

Zhao explained soon after the post with another update, sharing a chat with the Uniswap team, who noted the attack was part of a phishing attack rather than any problem with the protocol.

CZ’s initial alarming comments matched with a sharp drop in the Uniswap price, which fell to a 24-hour low of $5.34. The price of UNI has since recovered following the explanation to $5.48  at present but is still down 11% in 24 hours and is 87.8% down from its all-time-high (ATH).

Leave a Reply

Your email address will not be published. Required fields are marked *