A Uniswap user lost over $8 million in Ethereum (ETH) after an attacker used a malicious airdrop contract to target the project's liquidity providers (LPs).
The fraudulent airdrop offered 400 free UNI tokens worth approximately $2,000. Users were asked to link their cryptocurrency wallets to request the funds. However, thanks to the sophisticated phishing campaign, the attackers managed to steal over 7,500 ETH.
Uniswap v3 protocol
According to MetaMask security researcher Harry Denley, a malicious token disguised as an airdrop token was sent to approximately 73,399 wallet addresses linked to Uniswap.
The malicious smart contract's code has not been verified on Etherscan, a step that legitimate projects usually take. The information contained in the smart contract then led to a website purporting to allow users to exchange their new tokens with Uniswap, worth $5.34 each.
The message claimed to distribute UNI tokens to liquidity providers based on the number of fake LP tokens received.
The attacker made the malicious UniswapLP token appear to come from the legitimate “Uniswap V3: Positions NFT” contract by manipulating the “From” field shown in the blockchain's transaction explorer.
A liquidity provider is someone who supplies their crypto assets to a platform to help decentralize trading. In return, they are rewarded with the commissions generated by transactions on the platform, which can be considered a form of passive income.
After distribution, the hacker tricked users into signing a transaction that gave the attacker access to all Uniswap LP tokens held by the user. The phishing message in fact authorized the underlying smart contract to transfer the assets from the user's wallet and gain full control.
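As an added illustration (not code from the article, Uniswap or MetaMask), the following pre-signing check decodes a transaction's calldata and flags the kind of blanket approval described above. It assumes the phishing transaction was a standard ERC-721 `setApprovalForAll` or ERC-20/ERC-721 `approve` call, which the article does not state; `reviewTransaction`, the trusted-operator list and all addresses are hypothetical.

```javascript
// Added example, not from the article. Selectors are the standard ERC-20/ERC-721
// ones; every address below is a constructed placeholder.
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // setApprovalForAll(address,bool)
const APPROVE = "0x095ea7b3";              // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

// Split ABI-encoded calldata into its 4-byte selector and 32-byte words.
function splitCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex) || (hex.length - 8) % 64 !== 0) {
    throw new Error("malformed calldata");
  }
  return { selector: "0x" + hex.slice(0, 8), words: hex.slice(8).match(/.{64}/g) || [] };
}

// Classify a transaction before the user signs it: "none", "review" or "block".
function reviewTransaction(tx, trustedOperators) {
  const { selector, words } = splitCalldata(tx.data);
  if (![SET_APPROVAL_FOR_ALL, APPROVE].includes(selector) || words.length !== 2) {
    return { risk: "none", reason: "not an approval call" };
  }
  const operator = "0x" + words[0].slice(24); // address is the low 20 bytes
  const value = BigInt("0x" + words[1]);
  const trusted = trustedOperators.some((a) => a.toLowerCase() === operator);

  if (selector === SET_APPROVAL_FOR_ALL && value === 0n) {
    return { risk: "none", reason: `revokes operator ${operator}` };
  }
  if (trusted) {
    return { risk: "review", reason: `approval to known operator ${operator}` };
  }
  // A blanket grant to an unknown operator matches the access the article describes.
  if (selector === SET_APPROVAL_FOR_ALL || value === MAX_UINT256) {
    return { risk: "block", reason: `unlimited control of ${tx.to} for unknown ${operator}` };
  }
  return { risk: "review", reason: `single approval to unknown ${operator}` };
}

// Constructed sample: a setApprovalForAll(operator, true) call on an NFT contract.
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const UNKNOWN = "0x" + "ab".repeat(20); // placeholder operator
const NFT = "0x" + "11".repeat(20);     // placeholder for the positions NFT contract
const sampleTx = { to: NFT, data: SET_APPROVAL_FOR_ALL + word(UNKNOWN) + word("0x1") };
console.log(reviewTransaction(sampleTx, []));
```

The trusted-operator list stands in for whatever allowlist a wallet or monitoring tool maintains; an empty list treats every operator as unknown.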
According to data from Etherscan, more than 74,000 wallets have interacted with the phishing scam's smart contract so far.
One person, who was providing over $8 million worth of wrapped Bitcoin (WBTC) and USD Coin (USDC) to a WBTC/USDC liquidity pool, unknowingly interacted with the phishing scam. The attacker then gained control of the portfolio, exited the LP positions and withdrew all liquidity from Uniswap.
Data from the blockchain also shows that the attacker began moving stolen funds through the Tornado Cash privacy protocol on Tuesday.