An Ethereum user has lost $140,000 worth of UNI, the governance token of decentralized finance (DeFi) platform Uniswap, to yield farming project UniCats, according to Alex Manuskin, researcher at crypto wallet ZenGo.
Over the past weekend, the anonymous user, named “Jhon Doe” for privacy reasons (and deliberately misspelled for unknown reasons), stumbled upon a new yield farming scheme called UniCats and decided to transfer some UNI tokens to its liquidity pool.
If you are not yet convinced that you should NOT be approving infinite tokens to some random smart contract/Dapp, here’s a story of how Jhon Doe lost $140K worth of UNI in their sleep. 1/
— Alex Manuskin (@amanusk_) October 5, 2020
Manuskin speculated that the user might have been thinking “who knows, it might be the next YFI.” This is a reference to the unaudited, experimental Yearn.finance project, which went from zero to $40,000 in two months.
In the process, the platform asked permission to spend an unlimited number of tokens—which Doe agreed to since it’s a relatively common practice in DeFi. After farming some MEOW tokens, the user pulled his UNI out of the pool.
Little did he know that UniCats’ developer created a backdoor in the smart contract that gave him control over tokens even after they were withdrawn from the platform.
“What Jhon doesn’t know, is that once you approved the contract to use [infinite] tokens, the contract can take their tokens at any time. Even after they were withdrawn from the farming scheme,” said Manuskin.
Thanks to this backdoor, UniCats’ creator was able to use the “setGovernance” call to snatch Doe’s tokens. In two swift transactions, the user lost 26,000 and 10,000 UNI—worth around $94,000 and $38,000, respectively. The tokens were then swapped for just over 416 Wrapped Ether (roughly $147,000) on Uniswap. And Doe wasn’t the only victim.
“The $140,000 are just from one victim. The culprit made at least $50,000 more from other victims. Might be even more, it is a bit difficult to quantify as it is in separate transactions,” Manuskin told Decrypt.
Jhon Doe wakes up to figure out that half of their UNI holdings are gone, swears off farming, and moves all their funds out of the account.
UniCat continues to fish for more victims https://t.co/fXEpnMES7t
— Alex Manuskin (@amanusk_) October 5, 2020
He added that this is the first time he has seen this type of attack deliberately used in farming pools, although a similar hack was used against Bancor a short while ago. However, Bancor suffered an exploit, not an intentional backdoor created by the developers, Manuskin explained.
He also noted that the developer of UniCats creates additional smart contracts for each new victim to cover his tracks. The developer then moves the stolen funds into crypto mixer Tornado Cash—a way to make it harder for blockchain analytics companies to follow the money.
#BadApprove vulnerability we unveiled a while ago https://t.co/fC4MsQwekx https://t.co/lldbDPw21Y
— Ouriel Ohayon (@OurielOhayon) August 28, 2020
Manuskin urged users to only approve tokens that they want to spend—since the approved amount goes to zero after the contract uses it—or revoke access to their funds afterward.
“Much of the problem is caused by the fact that users are complicit to approve infinite amounts, as this is the standard in popular dapps as well,” he explained to Decrypt, adding that “On the dapp side, they should consider only promoting to allow the necessary amount, even if this causes the user inconvenience. On the wallet side, wallets should alert a user that they are giving permission to all their current and future tokens.”
Because no one wants to approve a transaction that could rid them of all their money.
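To make the allowance mechanism concrete, here is an added example (not code from the story, from UniCats or from ZenGo) that models ERC-20 approve/transferFrom bookkeeping in Python; the user, farm, token balances and amounts are constructed. It shows why an unlimited approval stays spendable after the user withdraws, and that an exact-amount approval or a later revoke leaves nothing for the contract to pull.

```python
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1  # what an "infinite approval" actually sets on-chain


@dataclass
class Token:
    """Minimal model of ERC-20 balance and allowance state (constructed for this example)."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowances.get((owner, spender), 0)
        if allowed < amount or self.balances.get(owner, 0) < amount:
            return False
        # Common ERC-20 behaviour: a max allowance is never decremented, so it
        # survives every transfer; a bounded allowance is consumed as it is used.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def farm_round(token, user, farm, deposit, approve_amount, revoke_after=False):
    """Approve, stake, withdraw, then report how much the farm contract could
    still transferFrom out of the user's wallet. 0 is the safe outcome."""
    token.approve(user, farm, approve_amount)
    if not token.transfer_from(farm, user, farm, deposit):  # stake via allowance
        raise RuntimeError("deposit failed")
    token.balances[farm] -= deposit  # withdraw: farm hands the tokens back
    token.balances[user] += deposit
    if revoke_after:
        token.approve(user, farm, 0)  # revoke: allowance back to zero
    # Whatever allowance remains is spendable by the contract at any later time.
    return min(token.allowances.get((user, farm), 0), token.balances[user])


def scenario(approve_amount, revoke_after=False):
    # Constructed state: the user holds 36,000 UNI and stakes 10,000 of it.
    token = Token(balances={"user": 36_000, "farm": 0})
    return farm_round(token, "user", "farm", 10_000, approve_amount, revoke_after)
```

`scenario(UINT256_MAX)` leaves the whole 36,000 balance exposed after withdrawal, while `scenario(10_000)` and `scenario(UINT256_MAX, revoke_after=True)` both leave 0.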