Coinfomania: Where blockchain and cryptos live.

Degen DeFi User Farming UniCats tokens Ends up Losing $140,000 UNI tokens to Exploit

ZenGo wallet researcher, Alex Manuskin revealed today a new exploit that DeFi protocols could use to steal funds from unsuspecting users. This method was used to allegedly steal $140,000 worth of UNI tokens from a certain Ethereum user, with potential several other people affected.

According to Manuskin, DeFi protocols can have in their smart contract a loophole that allows it to retain control over its users’ tokens even after they were withdrawn from its pool.

A meme token launched over the weekend, UniCats capitalized on this loophole and made several hundreds of thousands of dollars.

As the researcher noted, the first step for the $140k loss victim likely began as a result of chasing DeFi gains, with the name of the meme token, UniCats, presumably enough to tell any prospective investors that the project holds no real promise.

The user deposited some UNI to UniCats liquidity pool to farm some $MEOW tokens with the typical “allow this dApp to spend your UNI” message popping up. It was in that approval message, that the user failed to notice that it had allowed the smart contract to spend an infinite amount of tokens from the address, even after it withdraws liquidity from the pool.

The UniCats protocol owner then uses the “setGovernance” call backdoor on the project’s smart contract to steal the UNI tokens in two separate transactions, first for 26,000 and then 10,000 UNI worth a combined $132,000 at the time of the transaction.

The stolen funds were subsequently swapped some hours later for 416 Wrapped Ether (wETH) worth (appr. $147,000) on Uniswap. Per Manuskin, it is difficult to calculate precisely how many users fail for the ploy, with the owner of UniCats, stealing roughly $50,000 worth of UNI from other victims.

After stealing the tokens from each victim, the UniCats owners create a new smart contract and pass the ownership of the farm to the original contract. The stolen funds are then swapped on Uniswap and obfuscated with private Ethereum-wallet, Tornado.Cash.

The researcher recommends that anyone who has ever used the UniCats contract revokes every token they’ve pre-approved and then take care to only approve for DeFi transactions, the amount they need at a time. 

See Also: Survey: 40% of DeFi Yield Farmers Can’t Read Smart Contracts and Associated Risks

Affiliate:  Deposit 0.02 BTC, and get a 100% bonus to trade futures on Bexplus.

Follow us on Twitter, Facebook, and Telegram to receive timely updates. Subscribe to our weekly Newsletter.