During an attack earlier this week, Uniswap, a popular decentralised cryptocurrency exchange, lost close to $8million worth of Ethereum.
The cyberattack has impacted many investors in digital assets.
The threat actors used the lure of free UNI tokens (airdrops) to trick victims into approving a transaction that gave hackers full access to wallets.
The trap was a disguised “setApprovalForAll” function that assigns or revokes full approval rights to the operator. This essentially allows the attacker to redeem all Uniswap v3 LP tokens for ETH in the victim’s wallet.
In total, the threat actors siphoned 7,574 ETH to a wallet address under their control and quickly moved 7,500 to the Tornado Cash service for laundering.
73,399 users who held UNI tokens were airdropped an ERC20 token created by the phishing actors. The actors spent 8.5 ETH in TX fees for the high number of transactions.
The aim of the campaign was to re-direct the recipients to a scam website on the domain “uniswaplp[.]com” which impersonates the official Uniswap domain “uniswap.org.”
The operator appeared as “Uniswap V3: Position NFT” to the victims, tricking them into allowing approval rights.
Researchers at Check Point explain that the attackers polluted the emit function of the contract with false data tricking the block explorer into displaying Uniswap as the sender.