Analysis of the "Uniswap" Phishing Attack
You may be wondering why "Uniswap" is in quotes: this wasn't an attack on Uniswap itself, it was more of an attack on Uniswap's liquidity providers.
Here’s what happened:
According to Harry.eth on Twitter, tens of thousands of addresses received malicious tokens pretending to be from Uniswap. The attackers polluted the tokens' event data so that these airdrops looked like genuine airdrops from Uniswap.
When the victims tried to check the token, they were taken to a phishing link asking them to claim their rewards. The site was designed to look like the real Uniswap site, giving the victims a false sense of security.
When the victims "claimed" these rewards, they were actually authorizing the malicious contract to take control of their Uniswap LP NFTs. These NFTs represent the liquidity a holder has provided to a Uniswap v3 pool.
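The authorization described above is, at the contract level, an ERC-721 `setApprovalForAll` grant on the Uniswap v3 position manager, and it is recorded on-chain as an `ApprovalForAll` event. The script below is an added example (not code from the original post or from Uniswap) showing how a defender can audit such grants from raw event logs: it replays `ApprovalForAll` events in chain order so the latest decision per operator wins, and flags any operator that still holds blanket approval over a wallet's LP NFTs but is not on the owner's allowlist. The log entries and the owner/operator addresses are constructed placeholders; in practice the logs would come from an RPC node via `eth_getLogs` filtered on the position-manager contract.

```python
"""Audit which operators hold ERC-721 setApprovalForAll over a wallet's
Uniswap v3 LP position NFTs, from raw ApprovalForAll event logs.

Added example for this write-up; not code from the original post or from
Uniswap. The log entries below are constructed, and the owner/operator
addresses are placeholders.
"""

# keccak256("ApprovalForAll(address,address,bool)") -- the standard ERC-721 event topic
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

# Uniswap v3 NonfungiblePositionManager on Ethereum mainnet (the contract that mints LP NFTs)
POSITION_MANAGER = "0xc36442b4a4522e871399cd717abdd847ab11fe88"


def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def pad_addr(addr: str) -> str:
    """Inverse of topic_to_address: encode an address as a 32-byte topic word."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def decode_approval_for_all(log: dict):
    """Return (owner, operator, approved) for an ApprovalForAll log, else None."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    owner = topic_to_address(topics[1])
    operator = topic_to_address(topics[2])
    # The bool is ABI-encoded in the 32-byte data word; nonzero means approved.
    approved = int(log["data"], 16) != 0
    return owner, operator, approved


def active_operators(logs, owner: str, nft_contract: str = POSITION_MANAGER) -> set:
    """Replay approvals in chain order; the last ApprovalForAll per operator wins."""
    state = {}
    for entry in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        if entry["address"].lower() != nft_contract.lower():
            continue  # same event shape on another NFT contract is irrelevant here
        decoded = decode_approval_for_all(entry)
        if decoded is None or decoded[0] != owner.lower():
            continue
        _, operator, approved = decoded
        state[operator] = approved
    return {op for op, ok in state.items() if ok}


def unknown_operators(active: set, allowlist: set) -> set:
    """Operators with blanket approval that are not on the wallet owner's allowlist."""
    allowed = {a.lower() for a in allowlist}
    return {op for op in active if op not in allowed}


# Constructed sample data (placeholder addresses, not real on-chain logs)
VICTIM = "0x1111111111111111111111111111111111111111"
KNOWN_OPERATOR = "0x2222222222222222222222222222222222222222"    # a contract the owner chose to use
UNKNOWN_OPERATOR = "0x3333333333333333333333333333333333333333"  # contract behind a fake "claim" page
TRUE_WORD = "0x" + "0" * 63 + "1"
FALSE_WORD = "0x" + "0" * 64

SAMPLE_LOGS = [
    {"address": POSITION_MANAGER, "blockNumber": 100, "logIndex": 5,
     "topics": [APPROVAL_FOR_ALL_TOPIC, pad_addr(VICTIM), pad_addr(KNOWN_OPERATOR)], "data": TRUE_WORD},
    {"address": POSITION_MANAGER, "blockNumber": 200, "logIndex": 12,
     "topics": [APPROVAL_FOR_ALL_TOPIC, pad_addr(VICTIM), pad_addr(UNKNOWN_OPERATOR)], "data": TRUE_WORD},
    # Owner later revokes the known operator; the replay must honour this newer event.
    {"address": POSITION_MANAGER, "blockNumber": 201, "logIndex": 1,
     "topics": [APPROVAL_FOR_ALL_TOPIC, pad_addr(VICTIM), pad_addr(KNOWN_OPERATOR)], "data": FALSE_WORD},
    # Same event on an unrelated ERC-721 contract: ignored for this audit.
    {"address": "0x4444444444444444444444444444444444444444", "blockNumber": 202, "logIndex": 0,
     "topics": [APPROVAL_FOR_ALL_TOPIC, pad_addr(VICTIM), pad_addr(KNOWN_OPERATOR)], "data": TRUE_WORD},
]


def audit(logs=SAMPLE_LOGS, owner=VICTIM, allowlist=(KNOWN_OPERATOR,)):
    """Return the sorted list of unexpected operators still approved over the owner's LP NFTs."""
    active = active_operators(logs, owner)
    return sorted(unknown_operators(active, set(allowlist)))


if __name__ == "__main__":
    for op in audit():
        print(f"unexpected setApprovalForAll on LP NFTs -> {op}; "
              f"revoke with setApprovalForAll({op}, false) from the owner wallet")
```

Running it reports only the unknown operator: the known one was revoked in a later block, and the grant on the unrelated NFT contract is out of scope. The same replay logic works on real `eth_getLogs` output, since each entry already carries `address`, `topics`, `data`, `blockNumber` and `logIndex`.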
This incident was brought to our attention when CZ, the CEO of Binance, tweeted about a possible attack on Uniswap after seeing a large transfer of funds from the Uniswap pool to Tornado Cash. Upon further investigation, it was confirmed that the protocol itself was still safe and that this was in fact a very successful phishing campaign targeting Uniswap liquidity providers.
Now let's see where the funds are now:
We immediately started our investigation into this incident. Right away we can see that the initial damage of 4,295 ETH mentioned by CZ covered only the 240 WBTC that was exchanged for ETH. The hacker was also able to obtain an additional 3,279 ETH directly from the LP NFTs, bringing the total to over 7,570 ETH.
Looking at the flowchart, the initial funding of 0.1 ETH came from Tornado Cash. The attacker then withdrew 4,295 ETH and 3,278.8 ETH from different pools within Uniswap v3 before transferring the majority of it to Tornado Cash.
In total, 7,500 ETH were sent to Tornado Cash, in 75 transactions of 100 ETH each.
Over 70 ETH still remains in the scammer’s address at the time of this investigation. We will continue to monitor and track any movement related to this incident.
As a result of this incident, we strongly advise all users to proceed with caution when interacting with unsolicited links or "claim" pages. If you're not sure, verify all resources before proceeding, and always be skeptical.