
Degen DeFi User Farming UniCats tokens Ends up Losing $140,000 UNI tokens to Exploit

coinfomania.com, 05 October 2020 15:49 UTC

ZenGo wallet researcher Alex Manuskin revealed today a new exploit that DeFi protocols could use to steal funds from unsuspecting users. This method was allegedly used to steal $140,000 worth of UNI tokens from a certain Ethereum user, with several other people potentially affected.

According to Manuskin, a DeFi protocol's smart contract can contain a loophole that lets the protocol retain control over its users' tokens even after those tokens have been withdrawn from its pool.

A meme token launched over the weekend, UniCats capitalized on this loophole and made several hundreds of thousands of dollars.

If you are not yet convinced that you should NOT be approving infinite tokens to some random smart contract/Dapp, here’s a story of how Jhon Doe lost $140K worth of UNI in their sleep.
1/

— Alex Manuskin (@amanusk_) October 5, 2020

As the researcher noted, the victim's $140k loss likely began with chasing DeFi gains, even though the meme token's name, UniCats, should presumably have been enough to tell any prospective investor that the project held no real promise.

The user deposited some UNI into the UniCats liquidity pool to farm $MEOW tokens, and the typical “allow this dApp to spend your UNI” message popped up. It was in that approval message that the user failed to notice they had allowed the smart contract to spend an unlimited amount of tokens from their address, an allowance that persists even after liquidity is withdrawn from the pool.

So UniCat calls the setGovernance method, with a call to the UNI token, and the instruction to transfer Jhon’s tokens to the farm.
The passed tokens are then swapped to ETH on Uniswap. https://t.co/sHHVvdS24h

— Alex Manuskin (@amanusk_) October 5, 2020

The UniCats protocol owner then used the “setGovernance” backdoor call on the project's smart contract to steal the UNI tokens in two separate transactions, first 26,000 and then 10,000 UNI, worth a combined $132,000 at the time of the transactions.

The stolen funds were subsequently swapped, some hours later, for 416 Wrapped Ether (wETH), worth approximately $147,000, on Uniswap. Per Manuskin, it is difficult to calculate precisely how many users fell for the ploy; the owner of UniCats stole roughly $50,000 worth of UNI from other victims.

After stealing the tokens from each victim, the UniCats owners create a new smart contract and pass ownership of the farm to the original contract. The stolen funds are then swapped on Uniswap and obfuscated through the Ethereum privacy tool Tornado.Cash.

The researcher recommends that anyone who has ever used the UniCats contract revoke every token allowance they have pre-approved and, going forward, approve only the amount needed for each DeFi transaction at a time.
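To make the mechanism behind the approval message and the revoke advice above concrete, here is an added example (not code from the article, UniCats or ZenGo): a small in-memory model of ERC-20 balance and allowance rules. The token, user, farm addresses and the 1000-token deposit are constructed values; the model shows that an unlimited allowance survives a withdrawal and lets the farm pull the rest of the user's balance, while an exact-amount approval or a revoke (approve 0) does not.

```python
# Added example: minimal ERC-20 look-alike (constructed, not a real token).
MAX_UINT256 = 2**256 - 1  # the "infinite" approval value wallets show as unlimited


class Erc20Model:
    """Balances plus (owner, spender) allowances, with transferFrom checks."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        """Mimics ERC-20 transferFrom: reverts on short balance or allowance."""
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        if self.allowance(owner, spender) < amount:
            raise ValueError("insufficient allowance")
        # Common token implementations leave an unlimited allowance untouched.
        if self.allowance(owner, spender) != MAX_UINT256:
            self.allowances[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def farm_then_withdraw(token, user, farm, approval):
    """User approves `approval`, stakes 1000, then withdraws 1000 (constructed flow)."""
    token.approve(user, farm, approval)
    token.transfer_from(farm, user, farm, 1000)  # deposit: farm pulls the stake
    token.balances[farm] -= 1000                 # withdraw: farm hands tokens back;
    token.balances[user] += 1000                 # note that no approve() is involved
    return token.allowance(user, farm)           # allowance left after withdrawal


def owner_can_drain(token, user, farm, approval, revoke=False):
    """After deposit+withdraw, can the farm contract still pull the user's balance?"""
    farm_then_withdraw(token, user, farm, approval)
    if revoke:
        token.approve(user, farm, 0)  # the revoke the researcher recommends
    try:
        token.transfer_from(farm, user, farm, token.balances[user])
        return True
    except ValueError:
        return False
```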



