Uniswap Users Fall Victim to a USD 8M NFT Phishing Attack, Binance Pulls False Alarm


Users of Uniswap (UNI), the largest decentralized exchange (DEX) operating on the Ethereum (ETH) blockchain, have fallen victim to a sophisticated phishing attack, reportedly losing over USD 8.1m worth of assets. Meanwhile, Binance CEO Changpeng Zhao (CZ) raised a false alarm about the incident, claiming that the protocol itself was exploited.

The phishing attack attempted to rob users of their assets under the false impression of a UNI airdrop, according to MetaMask security analyst Harry Denley. He claimed that at least 73,399 addresses have been sent a malicious token to target their assets.

The hacker is said to have executed the phishing campaign on a major Uniswap V3 liquidity pool (LP). They seemingly sent a malicious token to addresses under the false pretense of a UNI airdrop, in an attempt to get users to sign the transaction.

"First, the malicious contract pollutes the event data so that block explorers index the "From" as the legitimate "Uniswap V3: Positions NFT" contract," Denley detailed, noting that when a user sees that "Uniswap V3: Positions NFT" sent them a token, they would get curious and check the token.

The token name directs users to a domain that imitates the real Uniswap branding. The website then executes a function that tries to steal the users' assets. 
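The two lures described above (a Transfer event whose "From" names a well-known contract, and a token name that carries a domain) can be checked from a wallet or monitoring pipeline. The following is an added example, not code from the article or from Uniswap or MetaMask: the addresses, the label map, the token name and the `calls` trace list are constructed assumptions, and the check is a heuristic.

```python
import re

# keccak256("Transfer(address,address,uint256)"): the standard Transfer event signature
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
URL_IN_NAME = re.compile(r"https?://|www\.|\b[a-z0-9-]+\.(com|org|net|io|xyz|finance|app)\b", re.I)

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def review_transfer(log, tx, labels, trusted_tokens, token_name=""):
    """Return reasons why a Transfer log should not be taken at face value."""
    topics = log["topics"]
    if len(topics) < 3 or topics[0].lower() != TRANSFER_TOPIC:
        return []
    reasons = []
    emitter = log["address"].lower()
    # The 'from' topic is whatever the emitting contract chose to write.
    claimed_from = topic_to_address(topics[1])
    # Addresses that actually initiated a call in this transaction (from a trace).
    actors = {tx["from"].lower()} | {caller.lower() for caller, _ in tx["calls"]}
    if emitter not in trusted_tokens:
        if claimed_from in labels and claimed_from not in actors:
            reasons.append(f"'from' claims {labels[claimed_from]}, which made no call in this tx")
        if URL_IN_NAME.search(token_name):
            reasons.append("token name contains a URL or domain")
    return reasons

# Constructed sample data (placeholder addresses, not real on-chain values).
LABELLED, TOKEN = "0x" + "aa" * 20, "0x" + "bb" * 20
SENDER, VICTIM = "0x" + "cc" * 20, "0x" + "dd" * 20
LABELS = {LABELLED: "Uniswap V3: Positions NFT"}

def pad(addr):
    return "0x" + "00" * 12 + addr[2:]

SAMPLE_LOG = {"address": TOKEN, "topics": [TRANSFER_TOPIC, pad(LABELLED), pad(VICTIM)]}
SPOOFED_TX = {"from": SENDER, "calls": [(SENDER, TOKEN)]}
GENUINE_TX = {"from": SENDER, "calls": [(SENDER, LABELLED), (LABELLED, TOKEN)]}

if __name__ == "__main__":
    for reason in review_transfer(SAMPLE_LOG, SPOOFED_TX, LABELS, set(), "Claim UNI at example.com"):
        print("suspicious:", reason)
```

The only field of a log that the emitting contract cannot choose is its own address (`log["address"]`), so that is the value to match against an allowlist before trusting any sender or recipient shown for the event.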

According to on-chain data of the address identified as the attacker, a total of ETH 7,500 (USD 8.1m) has been laundered through crypto mixing service Tornado Cash. The address currently holds just ETH 70. 

Binance CEO CZ initially raised a false alarm about the incident, saying that the protocol itself was exploited. "Our threat intel detected a potential exploit on Uniswap V3 on the ETH blockchain," he said in a tweet.

However, CZ later confirmed that the protocol is safe and the attack was a phishing attempt. 

"A phishing attack that resulted in some liquidity pool NFTs being taken from individuals who approved malicious transactions," Uniswap founder Hayden Adams said. "Totally separate from the protocol."

Meanwhile, some in the crypto community slammed CZ for tweeting about the issue without verifying it first, claiming that with an audience of 6.6m followers on Twitter he should be more careful about spreading panic. 

"Stupid as f*ck to tweet this out instead of asking the team privately even if it *was* an exploit," said FatMan, a pseudonymous Terra community researcher. "The fact that it has nothing to do with the contract (and the Binance team didn't bother checking this) makes it so much worse."


At 06:42 UTC, UNI is the second-worst performer among the top 100 cryptoassets by market capitalization today. It dropped 7% in a day, nearing USD 5.5. It's still up almost 6% in a week. 