Hackers Steal $8 Million Worth of ETH via Uniswap Phishing Attack

By:Mohadesa Najumi

Updated: Jul 13, 2022, 09:40 UTC•2min read

Attackers stole over 7,500 ETH after gaining access to Uniswap LPs via a malicious airdrop contract

Mentioned in Article

Key Insights:

Attackers made off with more than 7,500 ETH.
The fraudulent airdrop claimed to airdrop UNI tokens to liquidity providers based on the number of tokens they received.
More than 74,000 wallets have interacted with the phishing scam smart contract so far.

A Uniswap user has lost over $8 million worth of Ethereum (ETH) after an attacker used a malicious airdrop contract to target the project’s liquidity providers (LPs).

The fraudulent airdrop offered 400 free UNI tokens worth around $2,000 and users were asked to connect their crypto wallets in order to claim funds. However, the sophisticated phishing campaign saw attackers make off with over 7,500 ETH.

Uniswap v3 Protocol

According to a MetaMask security researcher Harry Denley, some 73,399 wallet addresses connected to Uniswap were sent a malicious token masquerading as a token airdrop.

The code in the malicious smart contract deployed on Etherscan was not verified, which is something that legitimate projects typically do. Information in the smart contract then led to a website purporting to allow users to swap their new tokens for Uniswap, worth $5.34 each.

The message claimed to airdrop UNI tokens to liquidity providers based on the number of fake LP tokens they received.

The malicious UniswapLP token appeared to come from a legitimate ‘Uniswap V3: Positions NFT’ contract by manipulating the ‘From’ field in the blockchain transaction explorer.

A liquidity provider is someone who provides their crypto assets to a platform to help with decentralisation of trading. In return they are rewarded with fees generated by trades on the platform, which can be thought of as a form of passive income.

After deployment, the hacker tricked users into signing a transaction which gave the hacker access to all the Uniswap LP tokens held by the user. This is because the phishing message gave the underlying smart contract permission to transfer assets out of and gain full control of a user’s wallet.

Blockchain Data

According to data from Etherscan, more than 74,000 wallets have interacted with the phishing scam smart contract so far.

One person, who was providing over $8 million worth of wrapped Bitcoin (WBTC) and USD coin (USDC) to a WBTC/USDC liquidity pool, unknowingly interacted with the phishing message. The attacker then gained control of the wallet, exited the LP’s positions and withdrew all the liquidity from Uniswap.

Blockchain data further shows that the attacker began moving stolen funds through the privacy protocol Tornado Cash on Tuesday.