Hackers Steal $8 Million Worth of ETH via Uniswap Phishing Attack
Key Insights:
- Attackers made off with more than 7,500 ETH.
- The fraudulent message claimed to airdrop UNI tokens to liquidity providers based on the number of fake LP tokens they received.
- More than 74,000 wallets have interacted with the phishing scam smart contract so far.
A Uniswap user has lost over $8 million worth of Ethereum (ETH) after an attacker used a malicious airdrop contract to target the project’s liquidity providers (LPs).
Uniswap v3 Protocol
According to MetaMask security researcher Harry Denley, some 73,399 wallet addresses connected to Uniswap were sent a malicious token masquerading as a token airdrop.
The message claimed to airdrop UNI tokens to liquidity providers based on the number of fake LP tokens they received.
The attacker made the malicious UniswapLP token appear to come from the legitimate ‘Uniswap V3: Positions NFT’ contract by manipulating the ‘From’ field shown in the blockchain transaction explorer.
A liquidity provider is someone who provides their crypto assets to a platform to help with the decentralisation of trading. In return, they are rewarded with fees generated by trades on the platform, which can be thought of as a form of passive income.
Blockchain Data
One person, who was providing over $8 million worth of wrapped Bitcoin (WBTC) and USD coin (USDC) to a WBTC/USDC liquidity pool, unknowingly interacted with the phishing message. The attacker then gained control of the wallet, exited the LP’s positions and withdrew all the liquidity from Uniswap.
Blockchain data further shows that the attacker began moving stolen funds through the privacy protocol Tornado Cash on Tuesday.