Attackers looted at least $4.7 million worth of Ethereum (ETH) from cryptocurrency exchanges through a fraudulent token scam targeting liquidity providers (LPs) of the Uniswap v3 protocol. Before a legitimate announcement for a new coin is published, hackers trick people with similar-looking ads or listings, through which they can steal money without being easily traced. Fortunately, there are ways to protect yourself against these types of scams.
Compared to its centralized competitors, the decentralized structure of platforms like Uniswap has several advantages, including open and free token listings that make it easier and more affordable to begin new ventures. For the same reason, it has turned into a common and easy target for scammers.
With the ability to provide swaps between Ethereum (ETH) and several ERC-20 tokens, as well as liquidity pools and the ability to earn returns by depositing tokens, Uniswap’s decentralized exchange has grown to be one of the movement’s most well-known platforms.
The Uniswap protocol now comes in three different versions. V1 and V2 are open source and GPL-licensed. V3 is open source with a few minor changes.
Uniswap Fake Token Phishing Attack
One of the first to alert people about the attack was Harry Denley, a security researcher at MetaMask. He posted a tweet on July 11 and stated:
As of block 151,223,32, there have been 73,399 addresses that have been sent a malicious token to target their assets, under the false impression of a $UNI airdrop based on their LP’s.
In another tweet, Denley claims that the “malicious token” used in the phishing attack is sent to unsuspecting users in an effort to deceive them into thinking it comes from the legitimate Uniswap V3. He also said:
First, the malicious contract pollutes the event data so that block explorers index the “From” as the legitimate “Uniswap V3: Positions NFT” contract.
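The spoofing Denley describes works because the `from` field of an ERC-20 Transfer log is written by the emitting contract, while the log's `address` is recorded by the chain. The following is an added example, not part of the original article or of Denley's tooling: a Python check that replays constructed logs and flags transfers whose `from` is a labelled contract that never held the token. All addresses, log entries and function names are assumptions made for illustration.

```python
# Added example. Every address and log below is constructed, not real chain data.
TRANSFER_TOPIC0 = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO = "0x" + "00" * 20

def addr(n):
    """Constructed 20-byte address for the sample data."""
    return "0x" + format(n, "040x")

def make_log(token, src, dst, value):
    """Build a log shaped like an eth_getLogs entry (address, topics, data)."""
    pad = lambda a: "0x" + "00" * 12 + a[2:]
    return {"address": token, "topics": [TRANSFER_TOPIC0, pad(src), pad(dst)],
            "data": "0x" + format(value, "064x")}

def decode_transfer(log):
    """Return (emitter, from, to, value) for an ERC-20 Transfer log, else None.
    `address` is set by the chain; `from`/`to` are whatever the emitter wrote."""
    t = log["topics"]
    if len(t) != 3 or t[0] != TRANSFER_TOPIC0:  # ERC-721 Transfer has 4 topics
        return None
    return (log["address"].lower(), "0x" + t[1][-40:].lower(),
            "0x" + t[2][-40:].lower(), int(log["data"], 16))

def find_unbacked_transfers(logs, labelled):
    """Replay each token's own Transfer history and flag transfers whose `from`
    is a labelled contract that never received that amount of the token."""
    balances, findings = {}, []
    for log in logs:
        decoded = decode_transfer(log)
        if decoded is None:
            continue
        token, src, dst, value = decoded
        held = balances.get((token, src), 0)
        if src in labelled and held < value:
            findings.append({"token": token, "claimed_from": labelled[src], "to": dst})
            continue  # do not credit balances from an unbacked transfer
        if src != ZERO:
            balances[(token, src)] = held - value
        balances[(token, dst)] = balances.get((token, dst), 0) + value
    return findings

POSITIONS_NFT = addr(0xA1)   # stand-in for the labelled "Uniswap V3: Positions NFT"
REAL_TOKEN, FAKE_TOKEN = addr(0x600D), addr(0xBAD)
SAMPLE_LOGS = [
    make_log(REAL_TOKEN, ZERO, POSITIONS_NFT, 100),       # mint to the contract
    make_log(REAL_TOKEN, POSITIONS_NFT, addr(0x11), 40),  # backed by the mint
    make_log(FAKE_TOKEN, POSITIONS_NFT, addr(0x22), 5),   # emitter-written `from`
    make_log(FAKE_TOKEN, POSITIONS_NFT, addr(0x33), 5),
]
FINDINGS = find_unbacked_transfers(SAMPLE_LOGS, {POSITIONS_NFT: "Uniswap V3: Positions NFT"})
```

This is a heuristic: a token contract can also emit a fabricated mint to the labelled address first, so a clean replay does not prove a token is legitimate. The emitter `address` of the log, not the `from` topic, is the field to trust when deciding which contract produced an event.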
Binance CEO Zhao also raised the alarm about the attack. He called it a “potential exploit” of the Uniswap protocol on the Ethereum blockchain. As his tweet states:
Our threat intel detected a potential exploit on Uniswap V3 on the ETH blockchain. The hacker has stolen 4295 ETH so far, and they are being laundered through Tornado Cash.
Zhao posted an apology shortly after the tweet and included details of his conversation with the Uniswap team. He claimed the attack was a phishing attack, not a protocol issue, adding that “the protocol is safe.”