A user of the fraudulent DeFi project UniCats lost $140,000 in UNI tokens he had deposited for yield farming.
The UniCats developers had deliberately built a loophole into the smart contract that let them control users' tokens even after those tokens had been withdrawn. This was reported by Alex Manuskin, a researcher on the team of the ZenGo cryptocurrency wallet.
To start using the UniCats platform, the user had to grant the contract permission (an ERC-20 approval) to spend an unlimited number of his tokens. Since many decentralized finance (DeFi) projects impose the same requirement, the user accepted. After farming a certain amount of MEOW tokens, he withdrew his UNI from the pool. It later turned out that the UniCats developers had built a "workaround" into the smart contract that let them move those tokens even after they had left the platform: the unlimited approval stays in force after a withdrawal, so the contract can still spend from the user's wallet at any time.
“The user did not even suspect that, having granted permission to spend an unlimited number of assets, the contract can use them at any time. This is possible even if the user has withdrawn the tokens from the yield farming scheme,” said ZenGo researcher Manuskin.
Using this loophole, the creator of UniCats seized the user's tokens in two transactions, 26,000 UNI and 10,000 UNI, worth about $94,000 and $38,000 respectively, and then swapped them for 416 WETH. In addition, the scammers took at least $50,000 from other victims. The exact amount of damage is hard to determine, since the withdrawals were made in separate transactions.
Manuskin said this is the first time he has seen this type of attack used in farming pools. As an analogous case, he cited the Bancor protocol, where a vulnerability in a new version of a smart contract cost users more than $100,000 worth of BNT tokens. To cover their tracks, the UniCats scammers created a separate contract for each victim and ran the stolen tokens through the Tornado Cash mixer to make it harder for analytics firms to trace the funds.
To avoid such losses, users should read the terms of the smart contract, grant approvals only for the assets and amounts they actually intend to spend, and remember to revoke that access afterwards. The root of the problem is that users grant unlimited spending allowances, which popular decentralized applications routinely request. Applications should ask only for the amount actually required, even if that is less convenient for the user. Wallets, in turn, should warn users that an unlimited approval covers all of that token they hold now and in the future.
According to CoinGecko, 40% of DeFi farming participants are unable to assess the risks of smart contracts themselves and rely on auditors, which exposes them to considerable risk.
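The mechanism the article describes, an unlimited ERC-20 approval that survives a withdrawal, and the two mitigations above (approve only the amount needed; revoke afterwards), shown in a constructed Python model. This is an added example, not code from UniCats or ZenGo: the Token and Farm classes, the owner_pull() backdoor, the address strings and the sample calldata are all assumptions standing in for whatever privileged function the real contract exposed. It also includes a decoder for approve(address,uint256) calldata so a user can check whether a pending wallet transaction asks for an unlimited allowance.

```python
"""ERC-20 allowance trap: why an unlimited approval outlives a withdrawal.

Added example, not code from UniCats or ZenGo. Token and Farm are a
constructed in-memory model of ERC-20 approve/transferFrom semantics;
Farm.owner_pull() and every address string are assumptions standing in
for the real contract's privileged function and real addresses.
"""

UINT256_MAX = 2**256 - 1
# First 4 bytes of keccak256("approve(address,uint256)"); a well-known constant.
APPROVE_SELECTOR = "095ea7b3"


class Token:
    """Minimal ERC-20: balances plus an (owner, spender) -> allowance map."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, caller, owner, to, amount):
        """caller (msg.sender) spends owner's tokens within its allowance."""
        allowed = self.allowance.get((owner, caller), 0)
        if allowed < amount:
            raise PermissionError("allowance exceeded")
        if allowed != UINT256_MAX:  # common ERC-20 practice: max is never decremented
            self.allowance[(owner, caller)] = allowed - amount
        self.transfer(owner, to, amount)


class Farm:
    """Staking pool with a hypothetical owner-only pass-through (the backdoor)."""

    ADDRESS = "farm"  # constructed stand-in for the contract's address

    def __init__(self, token, owner):
        self.token, self.owner, self.staked = token, owner, {}

    def deposit(self, user, amount):
        self.token.transfer_from(self.ADDRESS, user, self.ADDRESS, amount)
        self.staked[user] = self.staked.get(user, 0) + amount

    def withdraw(self, user):
        amount = self.staked.pop(user, 0)
        self.token.transfer(self.ADDRESS, user, amount)

    def owner_pull(self, caller, victim, amount):
        # Hypothetical privileged function: the contract spends whatever
        # allowance the victim still has, regardless of what is staked.
        if caller != self.owner:
            raise PermissionError("not owner")
        self.token.transfer_from(self.ADDRESS, victim, self.owner, amount)


def run_scenario(approval, revoke_after_withdraw=False):
    """Deposit 36000 UNI, withdraw, then the deployer tries to pull 26000.

    Returns (pull_succeeded, user_final_balance).
    """
    uni = Token({"alice": 36_000})                 # constructed balances
    farm = Farm(uni, owner="deployer")
    uni.approve("alice", Farm.ADDRESS, approval)   # what the dApp asks for
    farm.deposit("alice", 36_000)
    farm.withdraw("alice")                         # user believes she is done
    if revoke_after_withdraw:
        uni.approve("alice", Farm.ADDRESS, 0)      # approve(spender, 0)
    try:
        farm.owner_pull("deployer", "alice", 26_000)
        return True, uni.balances["alice"]
    except PermissionError:
        return False, uni.balances["alice"]


def decode_approve(calldata_hex):
    """Decode approve(address,uint256) calldata; flag an unlimited allowance."""
    data = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    if data[:8] != APPROVE_SELECTOR or len(data) != 8 + 64 + 64:
        raise ValueError("not an ERC-20 approve call")
    spender = "0x" + data[8:72][-40:]      # address is right-aligned in its 32-byte word
    amount = int(data[72:136], 16)
    return spender, amount, amount == UINT256_MAX


if __name__ == "__main__":
    print(run_scenario(UINT256_MAX))          # unlimited approval: drained after withdrawal
    print(run_scenario(36_000))               # exact approval: used up by the deposit
    print(run_scenario(UINT256_MAX, True))    # unlimited but revoked: pull fails
    # Constructed calldata: approve(0xabab...ab, uint256 max) as a wallet would show it.
    calldata = "0x" + APPROVE_SELECTOR + "0" * 24 + "ab" * 20 + "f" * 64
    print(decode_approve(calldata))
```

The three scenarios make the article's point concrete: with `UINT256_MAX` the pool's deployer can still pull 26,000 UNI after the user has withdrawn everything, while an exact-amount approval is consumed by the deposit and a post-withdrawal `approve(spender, 0)` closes the door. The decoder is the check a user can run on the hex a wallet displays before signing: an amount field of sixty-four `f` characters is an unlimited allowance.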