On Monday, 11 July 2022, about $8M worth of crypto assets were taken from users of the popular decentralized exchange Uniswap in a sophisticated phishing scam. The scam promised users an airdrop of 400 UNI tokens worth around $2000. However, by connecting their wallets to receive the drop, the users unknowingly signed an approval that would allow the scammer(s) to steal the funds held in Liquidity Pool (LP) tokens.
How did it happen?
According to Etherscan, on July 11 the bad actors deployed an unverified smart contract for an ERC-20 token. After deploying the contract, the phisher spent 8.5 ETH in transaction fees to push the scam token to about 74,000 Uniswap users who held LP tokens in their wallets.
Scam tokens sent to thousands of users.
Users received the phishing notification and took it for a UNI airdrop. The phishers tricked them into signing transactions in the belief that they would collect 400 ‘UNI’ tokens. Instead, the trap was a masked “setApprovalForAll” call: the standard function that grants (or revokes) an operator the right to transfer every token a wallet holds in a given contract. Signing it handed the attacker that right over the victim’s Uniswap v3 LP tokens, which could then be withdrawn to a smart contract of the attacker’s choice.
The notification’s purpose was to redirect recipients to a scam website at the domain “uniswaplp.com,” which impersonated the official Uniswap site, “uniswap.org.” The attackers also fed the contract function false data, so that both the block explorer and the victims were led to believe Uniswap was the sender. Users who clicked the “Click here to claim” button, expecting their airdrop, instead soon saw their assets drained.
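The defensive counterpart to the mechanism above is to decode what a wallet is actually asking you to sign before approving it. The following script is an added illustration, not code from the original post or from Uniswap: it reads the 4-byte function selector from raw calldata and, for the two standard approval functions (setApprovalForAll on ERC-721/ERC-1155, approve on ERC-20/ERC-721), decodes the operator or spender and the granted scope into a plain-language verdict. The sample calldata and the operator address in it are constructed placeholders, not the contract involved in the incident.

```python
"""Decode wallet-signing calldata and flag blanket approval grants.

Added illustration, not code from the original post. Given the hex calldata a
wallet asks the user to sign, it reads the 4-byte function selector and, for
the two standard approval functions, decodes the arguments so that a
setApprovalForAll(operator, true) cannot hide behind a "claim" button.
"""

# A selector is the first 4 bytes of keccak256 of the canonical signature.
# These two values are the standard, publicly documented ones.
SELECTOR_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/ERC-1155
SELECTOR_APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20/ERC-721

UINT256_MAX = (1 << 256) - 1


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word following the selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated: argument word %d missing" % index)
    return chunk


def _address(word: bytes) -> str:
    """An address occupies the low 20 bytes of its 32-byte ABI word."""
    return "0x" + word[12:].hex()


def inspect_calldata(calldata_hex: str) -> dict:
    """Return a plain-language verdict on what signing this calldata would do."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = data[:4].hex()

    if selector == SELECTOR_SET_APPROVAL_FOR_ALL:
        operator = _address(_word(data, 0))
        approved = int.from_bytes(_word(data, 1), "big") != 0
        return {
            "function": "setApprovalForAll(address,bool)",
            "operator": operator,
            "approved": approved,
            "risk": "HIGH" if approved else "LOW",
            "note": ("grants %s the right to transfer EVERY token this wallet holds "
                     "in the contract" % operator) if approved
                    else "revokes an operator approval",
        }

    if selector == SELECTOR_APPROVE:
        spender = _address(_word(data, 0))
        amount = int.from_bytes(_word(data, 1), "big")
        unlimited = amount == UINT256_MAX
        return {
            "function": "approve(address,uint256)",
            "spender": spender,
            "amount": amount,
            "risk": "HIGH" if unlimited else "MEDIUM",
            "note": "unlimited allowance" if unlimited
                    else "allowance of %d base units" % amount,
        }

    return {
        "function": "unknown selector 0x" + selector,
        "risk": "UNKNOWN",
        "note": "not a standard approval call; check it against the verified contract ABI",
    }


# Constructed sample: setApprovalForAll(<placeholder operator>, true). The
# operator is a dummy address, not the contract involved in the incident.
SAMPLE_OPERATOR = "0x" + "ab" * 20
SAMPLE_SET_APPROVAL_FOR_ALL = (
    "0x" + SELECTOR_SET_APPROVAL_FOR_ALL
    + SAMPLE_OPERATOR[2:].rjust(64, "0")   # address word
    + "1".rjust(64, "0")                   # bool word: true
)

if __name__ == "__main__":
    verdict = inspect_calldata(SAMPLE_SET_APPROVAL_FOR_ALL)
    print("%s -> risk %s: %s" % (verdict["function"], verdict["risk"], verdict["note"]))
```

The point of the HIGH verdict on a `true` approval is that, unlike a per-token approve, setApprovalForAll covers every position the wallet holds in that contract now and in the future, which is exactly what made the LP positions drainable once signed. Wallets that show only "Contract interaction" for such calldata give the user no way to notice this.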
The fake token claim page
According to data from Etherscan, 7573 ETH, or about $8 million, was transferred from the wallets that interacted with the malicious smart contract.
The total amount stolen
Fear, uncertainty, and doubt (FUD) are propaganda tactics for manipulating the emotions of crypto asset speculators into making irrational decisions. Unfortunately, FUD spreads fast when incidents like these occur. For example, despite numerous media clarifications that Uniswap was not responsible for the losses, the price of UNI plummeted more than 10% the same day.
How to protect yourself
This phishing scam proves that as long as human greed exists, bad actors will always try to take advantage of users. THRESH0LD, as a keyless wallet infrastructure provider, requires m-of-n approvals for transactions, which eliminates the likelihood of such a phishing scam succeeding.
Here are a few tips we recommend to everyone holding digital assets in a private hot wallet for staying safe:
- Protect yourself by checking the domain name carefully before clicking any button, e.g., https://uniswap.org. Airdrops that direct you to unofficial domains are likely phishing scams.
- It is important to note that crypto projects will never airdrop to users without notice on their official social media channels and website. If unsure of the official channels, verify them on coinmarketcap.com or coingecko.com.
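The domain check in the first tip is easy to get wrong by eye, because a lookalike host can contain the brand name (uniswaplp.com) or even the whole official domain as a subdomain (uniswap.org.evil.example). The script below is an added illustration, not code from the original post or from Uniswap: it classifies a full URL against a small allowlist of official domains. `OFFICIAL_DOMAINS` is an assumption for the example (uniswap.org is the only official domain the post names), and the sample links are constructed.

```python
"""Classify an airdrop link against a project's official domain before clicking.

Added illustration, not code from the original post. OFFICIAL_DOMAINS is an
assumption for the example; uniswap.org is the one official domain the post
names. Verdicts: "official", "lookalike" (carries the brand name but is not
the official domain), "insecure" (official host but not https), "unknown".
"""
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"uniswap.org"}  # assumption for the example; maintain per project

# The registrable label of each official domain ("uniswap"), used to spot
# lookalikes such as uniswaplp.com or uniswap.org.evil.example.
BRAND_LABELS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}


def is_official_host(host: str) -> bool:
    """True for the official domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_link(url: str) -> str:
    """Return a verdict for the full URL behind a 'claim' button."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Punycode-encoded (IDN) labels can hide homoglyph spoofs of the brand name;
    # treat any such host as a lookalike rather than trying to decode it here.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    if is_official_host(host):
        return "official" if parts.scheme == "https" else "insecure"
    if any(brand in host for brand in BRAND_LABELS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for link in ["https://app.uniswap.org/", "https://uniswaplp.com/claim",
                 "https://uniswap.org.evil.example/", "http://uniswap.org/"]:
        print(link, "->", classify_link(link))
```

The check expects a complete URL with a scheme; a bare host such as `uniswaplp.com/claim` parses with no hostname and is reported as unknown rather than guessed at. Matching on the registrable domain plus a leading dot is what distinguishes a genuine subdomain (app.uniswap.org) from the official name embedded in someone else's domain.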