$8M of Crypto Stolen by Phishing From Uniswap Liquidity Pool
No Exploit Found on Protocol or Smart Contract, Crypto Exchange Says
Thieves targeted cryptocurrency exchange investors with a phishing attack that stole more than $8 million in Ethereum currently being laundered with a service commonly used to hide tainted funds.
Uniswap Labs yesterday disclosed the attack, stating that thieves took advantage of human credulity rather than a weakness in the protocol.
An internal investigation and probe by an external security expert found no evidence of an exploit, a Uniswap spokesperson tells Information Security Media Group. The scam "did not take place on our platform. To prevent users from interacting with other malicious platforms, we included safety guidance in our public statements," the spokesperson says.
The attack is "a good reminder to protect yourself from phishing and not click on malicious links," tweeted Hayden Adams, founder of Uniswap.
The attack was detected by cryptocurrency experts, including MetaMask's Harry Denley.
On July 11, undisclosed threat actors created a token contract called "$ UniswapLP.com" and airdropped it to 73,399 Uniswap exchange investors - "liquidity providers," as they're called in cryptocurrency circles.
Denley tells ISMG he stumbled across the scam while testing code that would allow automatic detection of the deployment of smart contracts with names similar to popular cryptocurrency brands.
Applications such as the decentralized exchange Uniswap - the largest DEX by volume on the Ethereum blockchain - take advantage of Ethereum's permissionless nature, which permits third-party applications to ride on top of it.
Uniswap provides what's known as a "liquidity pool" - a batch of cryptocurrency used to create a market for cryptocurrency swaps.
Users who received the phishing token would see a domain "uniswaplp.com" in the token name, which is not a legitimate Uniswap website. The threat actors claimed on the fake site that the new airdropped tokens could be exchanged 1:1 with the UNI token, which would give the users an additional $2,400 worth of tokens, Denley says.
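The detection Denley describes, a check on newly deployed token contracts whose names imitate a well-known brand or smuggle a domain into the token metadata, can be approximated with a small heuristic scanner. The following is an added illustration written for this article, not Denley's or MetaMask's code; the brand watchlist, the sample deployments and their addresses are constructed placeholders, and the homoglyph table is an assumption about which substitutions are worth folding.

```python
import re
import unicodedata
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Brands a defender wants to protect (assumption: maintained by the defender).
BRAND_WATCHLIST = ["uniswap", "metamask", "opensea"]

# Constructed sample of freshly deployed token contracts: (address, name, symbol).
# Addresses are placeholders, not real contracts.
SAMPLE_DEPLOYMENTS: List[Tuple[str, str, str]] = [
    ("0x0000000000000000000000000000000000000001", "$ UniswapLP.com", "UNI-LP"),
    ("0x0000000000000000000000000000000000000002", "Wrapped Ether", "WETH"),
    ("0x0000000000000000000000000000000000000003", "Un1swap Rewards", "UNI"),
    ("0x0000000000000000000000000000000000000004", "MyCoin", "MYC"),
    ("0x0000000000000000000000000000000000000005", "Uniswop Airdrop", "UAD"),
]

# A domain-like string inside a token name or symbol is a strong phishing signal:
# the metadata is being used as an advertisement for an off-chain site.
DOMAIN_RE = re.compile(r"[a-z0-9-]+\.(com|io|org|net|xyz|finance|app)\b", re.I)

# Common digit/symbol look-alikes folded back to letters (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})


def normalize(name: str) -> str:
    """Lowercase, strip accents, fold homoglyphs and keep only a-z for comparison."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(HOMOGLYPHS)
    return re.sub(r"[^a-z]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    address: str
    name: str
    reasons: List[str] = field(default_factory=list)


def assess(address: str, name: str, symbol: str) -> Optional[Finding]:
    """Return a Finding when the token metadata imitates a watched brand or carries a domain."""
    reasons = []
    if DOMAIN_RE.search(name) or DOMAIN_RE.search(symbol):
        reasons.append("domain-like string in token metadata")
    norm = normalize(name)
    for brand in BRAND_WATCHLIST:
        if brand in norm:
            reasons.append(f"contains brand '{brand}'")
            continue
        # Near-miss: any window of the normalized name within one edit of the brand.
        for k in range(len(norm) - len(brand) + 1):
            if levenshtein(norm[k:k + len(brand)], brand) == 1:
                reasons.append(f"near-miss of brand '{brand}'")
                break
    return Finding(address, name, reasons) if reasons else None


def scan(deployments: List[Tuple[str, str, str]]) -> List[Finding]:
    """Run assess() over a batch of deployments and keep only the flagged ones."""
    return [f for f in (assess(*d) for d in deployments) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_DEPLOYMENTS):
        print(finding.address, repr(finding.name), "->", "; ".join(finding.reasons))
```

In practice the deployment feed would come from a node or indexer that emits the name() and symbol() of each new contract; the scoring above is deliberately simple so that a flagged name can be explained to an analyst in one line.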
1/ Yesterday, some Uniswap LPs unfortunately fell for a phishing scam, a problem far too common in crypto today. To be clear: there was no exploit. The Protocol always was — and remains — secure. Here’s what happened.
— Uniswap Labs (@Uniswap) July 12, 2022
A user fooled by the messaging also unwittingly agreed to activate the "setApprovalForAll" setting in the exchange, giving attackers the ability to redeem all of the user's tokens.
"The attackers then removed liquidity and sold the underlying assets of that position," Denley says.
Attackers stole ETH, ERC-20 tokens and 29 Uniswap liquidity positions represented as non-fungible tokens from the victims, William Callahan, director of government and strategic affairs at the Blockchain Intelligence Group, tells ISMG.
The stolen funds are being moved through Tornado Cash, a cryptocurrency tumbler that randomly mixes tainted cryptocurrency with legitimate funds.
"So far, 7,500 ETH has been laundered through Tornado Cash and the attacker has 70.98 ETH unspent in crypto wallet address 0x09b5027eF3a3b7332EE90321E558baD9C4447AFA," Callahan says. The value of the stolen assets is approximately $8.1 million as of publication.
"We will be monitoring Tornado Cash outputs to see where these funds were withdrawn," Callahan says. Denley adds that the attacker has been depositing into the mixer 100 ETH at a time.
The biggest theft value from a single user so far is about $8.08 million, Denley tells ISMG.
"Whilst we have identified various addresses that were involved in this attack, the largest one (0x09b5027eF3a3b7332EE90321E558baD9C4447AFA) managed to steal 240.42007485 BTC (wrapped) and 3278.8478886745684 ETH from liquidity positions," he says.
Identifying blockchain thieves is difficult since real identities aren't a prerequisite to joining a blockchain network. The only thing needed to operate an address is cryptographic proof. "Anyone can join the network without going through a [know your customer] process. So an identity isn't necessarily attached to the account like it would be in traditional finance," Denley says.
He adds that the same phishing campaign targeted other cryptocurrency blockchains including EVM and Solana, but it is currently unclear if any harm was caused on them.
Mitigation
"This was not an attack on Uniswap protocol or contracts. It was an attack on humans who provided liquidity to Uniswap. It is not different from other NFT phishing campaigns: it used the same fundamental techniques of getting users to sign ownership away," says Denley.
As prevention advice goes, it is fairly rudimentary. If a user receives a suspicious token, it is best to not interact with it, including trying to "burn" it. Burning refers to essentially taking a certain amount of tokens out of circulation - achieved by sending the tokens to a wallet address that can only receive tokens, but not send any.
"Just leave the [suspicious] token and pretend you don't see it," Denley says.
Those who may have been affected by the scam must check their token approvals and revoke spending access to any address they do not recognize, he adds.
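The two steps above, the "setApprovalForAll" grant that handed the attacker control of the victims' position NFTs and the later advice to check approvals and revoke unrecognized operators, can be reasoned about from the chain's ApprovalForAll events alone. The following is an added example for this article, not code from Uniswap, MetaMask or the investigators: it replays a constructed, already-decoded event list for one wallet, computes which operators still hold blanket approval, and builds the ABI-encoded setApprovalForAll(operator, false) call that would revoke each one the user does not recognize. The addresses are placeholders, the allowlist is an assumption, and positions are assumed to be ERC-721 NFTs as described above.

```python
from typing import Dict, List, Tuple

# Function selector for setApprovalForAll(address,bool) (ERC-721/ERC-1155): the first four
# bytes of keccak256 of the signature. Hard-coded so the example runs without a keccak library.
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"


def addr(tag: str) -> str:
    """Build a 20-byte placeholder address from a short hex tag (constructed, not real)."""
    return "0x" + tag.lower().rjust(40, "0")


VICTIM = addr("aa")
POSITIONS_NFT = addr("0c01")   # the NFT contract representing liquidity positions (placeholder)
ROUTER = addr("b1")            # an operator the user recognizes and wants to keep (assumption)
MARKET = addr("b2")            # an operator the user approved and later revoked
PHISH = addr("ee")             # the unknown operator granted through the phishing page
KNOWN_GOOD = {ROUTER}

# Constructed ApprovalForAll events for VICTIM, already decoded, in no particular order.
SAMPLE_EVENTS = [
    {"block": 160, "log_index": 1, "contract": POSITIONS_NFT, "owner": VICTIM, "operator": MARKET, "approved": True},
    {"block": 100, "log_index": 0, "contract": POSITIONS_NFT, "owner": VICTIM, "operator": ROUTER, "approved": True},
    {"block": 170, "log_index": 2, "contract": POSITIONS_NFT, "owner": VICTIM, "operator": MARKET, "approved": False},
    {"block": 150, "log_index": 3, "contract": POSITIONS_NFT, "owner": VICTIM, "operator": PHISH, "approved": True},
    {"block": 151, "log_index": 0, "contract": POSITIONS_NFT, "owner": addr("99"), "operator": PHISH, "approved": True},
]


def current_operators(events: List[dict], owner: str) -> Dict[Tuple[str, str], bool]:
    """Replay events in chain order; the last ApprovalForAll per (contract, operator) wins."""
    state: Dict[Tuple[str, str], bool] = {}
    for ev in sorted(events, key=lambda e: (e["block"], e["log_index"])):
        if ev["owner"].lower() != owner.lower():
            continue
        state[(ev["contract"].lower(), ev["operator"].lower())] = bool(ev["approved"])
    return {key: True for key, approved in state.items() if approved}


def revoke_calldata(operator: str) -> str:
    """ABI-encode setApprovalForAll(operator, false): selector, left-padded address, 32-byte false."""
    hexpart = operator.lower()[2:] if operator.lower().startswith("0x") else operator.lower()
    if len(hexpart) != 40 or any(c not in "0123456789abcdef" for c in hexpart):
        raise ValueError(f"not a 20-byte hex address: {operator}")
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + hexpart.rjust(64, "0") + "0" * 64


def plan_revocations(events: List[dict], owner: str, allowlist: set) -> List[dict]:
    """List every still-active operator outside the allowlist with the calldata to revoke it."""
    allow = {a.lower() for a in allowlist}
    plan = []
    for (contract, operator) in current_operators(events, owner):
        if operator not in allow:
            plan.append({"contract": contract, "operator": operator, "calldata": revoke_calldata(operator)})
    return plan


if __name__ == "__main__":
    for item in plan_revocations(SAMPLE_EVENTS, VICTIM, KNOWN_GOOD):
        print(f"send to {item['contract']}: {item['calldata']}")
```

The replay step matters: a naive scan that flags every approved=True event would report MARKET, which the user already revoked, while missing the fact that PHISH is the only unexpected operator still live. Each plan entry is a transaction the wallet owner would send to the NFT contract itself; the operator address is the attacker's, so nothing is sent to it.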
Clarification July 13, 2022 18:35 UTC: Removes tweet suggesting the phish took place on the Uniswap platform, which it did not.