
Uniswap liquidity provider hacked for $8 million in phishing attack


www.theblock.co 12 July 2022 01:00, UTC

On Monday, an unknown hacker reportedly stole funds from a wallet believed to be a liquidity provider on the Uniswap decentralized exchange (DEX).

Smart contract security firm PeckShield told The Block that the liquidity provider had inadvertently fallen victim to a phishing tactic, which allowed the hacker to steal more than 7,500 ether ($8 million). 

Prior to the incident, the hacker targeted the victim using a fake Uniswap airdrop token as phishing bait. When the victim claimed the token, they interacted with a malicious smart contract and inadvertently gave the hacker full control over their wallet.

At the time of the attack, the wallet was providing $8 million to a WBTC/USDC liquidity pool on Uniswap version 3 (making it a liquidity provider, or LP).

After gaining illegitimate access to the wallet, the hacker exited the user’s liquidity position, swapped the assets and transferred them out. While doing this, the hacker routed the funds through Tornado Cash, a transaction mixer on the Ethereum network.

Binance CEO Changpeng Zhao was the first to flag the incident. In a Twitter post, he initially claimed that there was a potential exploit in the protocol itself, before later posting an update noting that this wasn't the case and that it was just a phishing attack.

Uniswap founder Hayden Adams concurred, saying that the phishing attack was “totally separate from the protocol.”
