At least $4.7 million in ETH has been phished from the Uniswap v3 protocol. The reason is a sophisticated phishing campaign targeting liquidity providers (LPs). However, the losses could be much higher.
Exploit or phishing?
Monday, July 11, proved to be a difficult day for users and developers of the Uniswap platform. As a result of the attack, huge amounts of money disappeared from the protocol. One of the first people to report the incident was Harry Denley, a MetaMask security researcher. Via Twitter, he informed:
“From block 151,223.32 a malicious token was sent to 73,399 addresses to target their resources, under the false impression of airdrop $UNI based on their LP.
Activity started ~2 hours ago.”
As a result of the hackers’ activities, a total of $4.7 million was defrauded, according to a preliminary assessment. However, another Twitter user with the nickname Crypto 0xSisyphus noted that a large liquidity provider with some 16,140 ETH, worth $17.5 million, may have also fallen victim to the attack.
An even more significant alarm was raised in turn by Binance CEO Changpeng Zhao. He informed his community that the Uniswap protocol may have experienced a “potential exploit.” After consulting with the Uniswap team, however, he quickly dismissed such a scenario, significantly reassuring the market.
Principles of phishing
Shortly thereafter, Harry Denley shared with his observers the principles on which the phishing attack was supposed to work. According to him, an unsuspecting user of the Uniswap v3 contract, received an airdrop called “UniswapLP.” It occurred by manipulating the “From” field in the blockchain transaction explorer.
In further steps, curious users were directed to a website allowing them to exchange the received tokens for Uniswap (UNI). As a result, the website, instead of performing the transaction envisioned by its victim, sent the user’s address and browser client information to the attackers’ headquarters. Thus, a path was opened before the attackers to empty their victims’ wallets.
Uniswap Labs’ response
The Uniswap Labs team swiftly sprang into action. In addition to the corrective information provided via CZ, details of the attack were provided the very next day. They confirmed the scenario presented by Denley.
Among the broad explanations, included sentences like this:
“Protect yourself from phishing by checking domain names. We primarily operate under the domain http://uniswap.org . Airdrops that direct you to unofficial domains are probably phishing attempts. We never make airdrops without informing you through official channels.”
The community was also warned that a similar attack could await any other protocol in the future. Therefore, extreme caution is advised.
As a result of the attack, UNI lost nearly 15% on its valuation in a short while.