Uniswap User Loses $8M Worth of Ether in Phishing Attack

A Uniswap user lost over $8 million worth of ether (ETH) Tuesday in a phishing attack that saw the attacker deploy an airdrop bait to trick users, security researchers said.

According to tweets by MetaMask security researcher “harry.eth” on Monday night, some 73,399 wallet addresses connected to Uniswap were sent a malicious token masquerading as a uniswap (UNI) token airdrop based on their liquidity pool positions on Uniswap version 3.

Information in the malicious smart contract led to a website that imitated Uniswap domain branding.

The message claimed to airdrop UNI tokens to liquidity providers (LP) based on the number of fake LP tokens they received. Liquidity providers supply their assets on Uniswap in return for rewards.

Interacting with the phishing message, however, gave the underlying smart contract permission to transfer assets out of and gain full control of a user’s wallet.

One person, who was providing over $8 million worth of wrapped bitcoin (WBTC) and USD coin (USDC) to a WBTC/USDC liquidity pool, according to blockchain data, unknowingly interacted with the phishing message.

The attacker was able to gain control of the wallet, exit the LP’s positions and transfer the tokens to other wallets. Blockchain data further shows the attacker started to move stolen funds through privacy protocol Tornado Cash in early Asian hours Tuesday.

In the hours following the attack, Binance founder Changpeng Zhao alerted users to be aware of a possible exploit on Uniswap. This was however later corrected, as the exploit was limited to a phishing message and did not affect the Uniswap protocol, as Uniswap Labs CEO Hayden Adams confirmed in separate tweets.