$200 000 USD

OCTOBER 2020

GLOBAL

UNICATS

DESCRIPTION OF EVENTS

"Uniswap is an Ethereum exchange, built using smart contracts and liquidity pools, as opposed to the order book of a traditional centralized exchange (CEX), such as Binance. With any Ethereum wallet, users can simply connect to the Uniswap application and effortlessly exchange ERC20 tokens without first sending them to the exchange platform account."

 

"[T]he development of Uniswap was facilitated by Vitalik Buterin’s idea for a decentralized exchange (DEX), which would involve an automated market maker. Actually, the protocol developer himself, Hayden Adams, at first tried to just practice development on Solidity, and later this hobby brought him several grants and $100 000 from the Ethereum Foundation. Now the project went far beyond just entertainment and became one of the most important components of the entire DeFi industry."

 

"Yield farmers looking for a quick profit were recently taken in by a dubious DeFi protocol called UniCats — a yield farming scheme reminiscent of other, more famous protocols like SushiSwap or Yam Finance." "UniCats was launched as another spin-off from popular DeFi projects such as Sushiswap. Unsurprisingly, they even used the exact same frontend of Sushiswap, because why bother (the official website is down, but an archive view is available)."

 

"Users who found their way to UniCats were promised $MEOW tokens if they staked either $UNI or $UNI LP tokens on UniCats. The choice to go with $UNI staking is no coincidence. Many users got a bunch of UNI for free and thus might have felt less concerned with risking their newly found fortunes."

 

"When depositing a specific amount (say 100 DAI) into a contract, you can choose to set an allowance of exactly that amount. But instead, many apps request an unlimited allowance from the user. This offers a superior user experience because the user does not need to approve a new allowance every time they want to deposit tokens. By setting up an unlimited allowance, the user just needs to approve it once, and not repeat the process for subsequent deposits."

 

"The crypto researcher at ZenGo recently told the story of Jhon Doe, who lost $140,000 worth of Uniswap’s UNI tokens to a yield farming scam. The Ethereum user lost his DeFi tokens to the yield farming project called UniCats."

 

"In a series of tweets, Alex Manuskin explained how Jhon Doe got scammed. Jhon Doe was seeking to make high returns on the yield farming hype, therefore he allocated some of his UNI tokens in a DeFi scheme UniCats. UniCats allows users to farm its MEOW tokens, and users can then withdraw their tokens."

 

"Manuskin urged users to only approve tokens that they want to spend—since the approved amount goes to zero after the contract uses it—or revoke access to their funds afterward."

 

“Much of the problem is caused by the fact that users are complicit to approve infinite amounts, as this is the standard in popular dapps as well,” he explained to Decrypt, adding that “On the dapp side, they should consider only promoting to allow the necessary amount, even if this causes the user inconvenience. On the wallet side, wallets should alert a user that they are giving permission to all their current and future tokens.” "The rationale for setting infinite approvals is that users save on gas fees and time by not having to approve each transaction separately."
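The wallet-side alert Manuskin describes can be implemented before a transaction is signed, by decoding the `approve(address,uint256)` calldata and comparing the requested amount with what the signer actually holds. The following is an added example written for this page, not code from any wallet or from the UniCats contract. It assumes standard ABI encoding of `approve` (the `0x095ea7b3` selector is the first four bytes of `keccak256("approve(address,uint256)")`); the spender address and balance in the demo are constructed. It goes slightly beyond the quote by also flagging "large but not maximal" amounts such as `2**96-1`, which are just as open-ended once they exceed the holder's balance.

```python
"""Wallet-side pre-signing check for ERC20 approve() calls (added example)."""
from typing import Optional, Tuple

# First 4 bytes of keccak256("approve(address,uint256)"): the ERC20 approve selector.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
MAX_UINT256 = 2**256 - 1


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve(spender, amount) calldata: selector + two 32-byte ABI words.
    Used here only to construct sample transactions for the check below."""
    if not (0 <= amount <= MAX_UINT256):
        raise ValueError("amount is not a uint256")
    addr = bytes.fromhex(spender[2:] if spender.startswith("0x") else spender)
    if len(addr) != 20:
        raise ValueError("spender is not a 20-byte address")
    # An address occupies the low-order 20 bytes of its 32-byte word.
    return APPROVE_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> Optional[Tuple[str, int]]:
    """Return (spender, amount) if calldata is a well-formed approve() call, else None."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        return None
    if any(calldata[4:16]):
        # Strict ABI decoding: the 12 padding bytes above an address must be zero.
        raise ValueError("malformed address word in approve() calldata")
    spender = "0x" + calldata[16:36].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount


def classify_approval(calldata: bytes, holder_balance: int) -> str:
    """Classify what the signer is about to grant.

    'unlimited'       - 2**256-1: every token the holder has now or will ever hold
    'exceeds-balance' - below the max but still more than the holder owns, which
                        is just as open-ended in practice (e.g. 2**96-1)
    'bounded'         - no more than the current balance; the spender can take at
                        most this amount and the grant cannot grow
    'revoke'          - amount 0, which closes an earlier allowance
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not-an-approval"
    _spender, amount = decoded
    if amount == 0:
        return "revoke"
    if amount == MAX_UINT256:
        return "unlimited"
    if amount > holder_balance:
        return "exceeds-balance"
    return "bounded"


def approval_warning(calldata: bytes, holder_balance: int, symbol: str = "UNI") -> Optional[str]:
    """Text a wallet could show before signing; None when nothing needs flagging."""
    kind = classify_approval(calldata, holder_balance)
    if kind not in ("unlimited", "exceeds-balance"):
        return None
    spender, _amount = decode_approve(calldata)
    return (f"WARNING: {spender} would be allowed to move your entire {symbol} balance, "
            f"now and in the future, until you revoke the allowance.")


if __name__ == "__main__":
    # Constructed sample: a farming contract address and a 36,000-token balance.
    farm = "0x" + "11" * 20
    balance = 36_000 * 10**18
    for amount in (MAX_UINT256, 2**96 - 1, 1_000 * 10**18, 0):
        data = encode_approve(farm, amount)
        print(classify_approval(data, balance), approval_warning(data, balance))
```

A wallet would run `approval_warning` on every outgoing transaction whose `to` address is a token contract; the "exceeds-balance" class matters because several dapps request `2**96-1` or `2**255` rather than the full maximum, and a check that only looks for `2**256-1` would wave those through.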

 

"Jhon farms some $MEOW, and thinks, yea, I’m done with this game. I’ll pull out all my UNI and retire now." "Jhon went to sleep with a false sense of security after withdrawing all his funds from a questionable farming scheme believing no harm could be done as long as the funds were in his wallet." "Jhon’s private keys were never compromised, and there was no bug in the wallet. What made this hack possible is a known but commonly overlooked flaw in the design of the ERC20 standard used by most popular tokens on the Ethereum network." "What Jhon doesn’t know, is that once you approved the contract to use ∞ tokens, the contract can take their tokens at any time. Even after they were withdrawn from the farming scheme."

 

"However, events took a left turn for the would-be-Chad as malicious code in the project’s contract allowed the dev to withdraw the victim’s UNI tokens." "Little did he know that UniCats’ developer created a backdoor in the smart contract that gave him control over tokens even after they were withdrawn from the platform." "UniCat adds a backdoor to the farming contract. Anyone who is the owner can call the 'setGovernance' method, with the privilege to call any passed data, to any address." "Thanks to this backdoor, UniCats’ creator was able to use the 'setGovernance' call to snatch Doe’s tokens." "[E]ven if people tried to limit their risk by only depositing small amounts, funds in their wallets were still at risk because of unlimited ERC20 allowances." "In two swift transactions, the user lost 26,000 and 10,000 UNI—worth around $94,000 and $38,000, respectively. The tokens were then swapped for just over 416 Wrapped Ether (roughly $147,000) on Uniswap. And Doe wasn’t the only victim."

 

"According to Manuskin, the scammer is a regular token thief who often creates phony farming protocols to fool unsuspecting yield chasers." "When the project inevitably rug-pulled, the scammers not only took the deposited funds, but also all UNI tokens that users had in their wallets." "[T]o cover their tracks, UniCats developers created new smart contracts “for each new victim”, and the developers moved the stolen funds in bulks of 100 ETH into Tornado Cash, an experimental software and privacy mixer for Ethereum which makes the process of tracking the destination of funds extremely difficult."

What is worse than sending your funds to an unknown smart contract? Giving that smart contract an unlimited allowance over those funds, i.e. permission to move your entire wallet balance of the token, now and at any point in the future.

 

Not surprisingly, projects can win the trust of less wary users with cute cat pictures, and many of the top projects at the time requested the same unlimited allowances, so the request did not look unusual.

 

The attacker can then call transferFrom at any later time, regardless of whether the user has already withdrawn from the farming contract: the allowance is a standing permission on the wallet balance, not on the deposit. It stays in force until it is expressly revoked (an approve of zero to the same spender), and many users lack the technical knowledge or the discipline to do this.
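The three passages above (the unlimited-allowance convention, the owner-only 'setGovernance' backdoor, and the need to revoke) describe one mechanism, so a single worked model covers them. What follows is an added example written for this page, not the UniCats contract or any project's code: it reproduces EIP-20 approve/transferFrom semantics, a deposit/withdraw farm, and a backdoor that lets the owner make the farm call any function on any address, in plain Python so that the three outcomes (unlimited allowance, exact allowance, revoked allowance) can be compared side by side. Names, balances and the 36,000-token holding are constructed; the holding mirrors the 26,000 + 10,000 UNI the page says was taken.

```python
"""Toy model of the UniCats drain: an ERC20 allowance outlives a withdrawal (added example)."""

MAX_UINT256 = 2**256 - 1


class ERC20:
    """Minimal EIP-20 semantics: balances, allowances, approve, transferFrom."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # approve() overwrites: approving 0 revokes, approving MAX grants everything.
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, caller, owner, to, amount):
        """Spend `owner`'s tokens on behalf of `caller` (msg.sender in Solidity)."""
        allowed = self.allowance(owner, caller)
        if allowed < amount:
            raise PermissionError("allowance exceeded")
        if self.balance_of(owner) < amount:
            raise ValueError("insufficient balance")
        # Many tokens, UNI among them, never decrement a max allowance, so it
        # stays 'infinite' no matter how much has already been pulled.
        if allowed != MAX_UINT256:
            self.allowances[(owner, caller)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balance_of(to) + amount


class FarmingContract:
    """MasterChef-style deposit/withdraw plus the backdoor the page describes."""

    ADDRESS = "farm"  # constructed stand-in for the contract's own address

    def __init__(self, token, owner):
        self.token, self.owner, self.staked = token, owner, {}

    def deposit(self, user, amount):
        # The contract pulls tokens from the user; this is why an allowance exists.
        self.token.transfer_from(self.ADDRESS, user, self.ADDRESS, amount)
        self.staked[user] = self.staked.get(user, 0) + amount

    def withdraw(self, user, amount):
        if self.staked.get(user, 0) < amount:
            raise ValueError("nothing staked")
        self.staked[user] -= amount
        self.token.balances[self.ADDRESS] -= amount
        self.token.balances[user] = self.token.balance_of(user) + amount

    def set_governance(self, caller, target, method, *args):
        """Backdoor: the owner makes the farm call any method on any target.
        Because the call is made *by the farm*, it carries every allowance users
        ever granted to the farm, whether or not they still have a stake."""
        if caller != self.owner:
            raise PermissionError("owner only")
        return getattr(target, method)(self.ADDRESS, *args)


def simulate(allowance, revoke_after_withdraw=False):
    """Run one user through deposit, withdraw, then the owner's drain attempt.
    Returns (user's final balance, amount the owner obtained)."""
    token = ERC20({"jhon": 36_000, "farm": 0, "dev": 0})  # constructed balances
    farm = FarmingContract(token, owner="dev")

    token.approve("jhon", farm.ADDRESS, allowance)  # the approval step in the dapp
    farm.deposit("jhon", 1_000)
    farm.withdraw("jhon", 1_000)                    # 'pull out all my UNI and retire'
    if revoke_after_withdraw:
        token.approve("jhon", farm.ADDRESS, 0)      # explicit revocation
    # Later, with nothing staked, the owner fires the backdoor against the wallet balance.
    try:
        farm.set_governance("dev", token, "transfer_from",
                            "jhon", "dev", token.balance_of("jhon"))
    except PermissionError:
        pass  # the allowance no longer covers the amount: the drain fails
    return token.balance_of("jhon"), token.balance_of("dev")


if __name__ == "__main__":
    print("unlimited allowance:", simulate(MAX_UINT256))
    print("exact allowance:    ", simulate(1_000))
    print("unlimited, revoked: ", simulate(MAX_UINT256, revoke_after_withdraw=True))
```

The exact-allowance run succeeds for the same reason Manuskin gives above: the 1,000-token allowance is consumed by the deposit, so by the time the backdoor fires there is nothing left to spend. The unlimited run shows why "I withdrew everything" is no protection, and the revoked run shows that a zero approve after withdrawal closes the window.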

HOW COULD THIS HAVE BEEN PREVENTED?

The safest storage of funds remains offline storage in a multi-signature wallet. Having that wallet managed by multiple trained and trusted operators reduces the risk of misuse of funds. Any wallet that does interact with DeFi contracts should limit its exposure the way Manuskin recommends above: approve only the amount being deposited, and revoke the allowance once the funds are withdrawn, because an unlimited allowance granted to an unaudited contract places the wallet's whole balance at that contract owner's disposal.

 

Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

$140,000 in UNI Tokens Lost to a DeFi Yield Farming Scam: The Cautionary Tale of Jhon Doe | Blockchain News (May 24)
@amanusk_ Twitter (May 24)
How Does Uniswap Work (Jun 5)
Yield farming project scams Ethereum users of $200,000 worth of Uni - AMBCrypto (Jun 5)
UniCatFarm | 0xb246bcd5baac8e342941d0f803d528b6668e42cd (Jun 5)
UniCats Go Phishing (Jun 5)
UniCat - Earn MEOW by staking UNI (Jun 5)
Ethereum User Scammed For $140,000 in Uniswap (UNI) Tokens : UniSwap (Jun 5)
Ethereum User Scammed For $140,000 in Uniswap (UNI) Tokens - Decrypt (Jun 5)
This Crypto Investor Lost $140,000 Worth of Uniswap Tokens To Yield Farming Scam (Jun 5)
Fake Yield Farming Project Costs User $140,000 in Uniswap Tokens | Cryptoglobe (Jun 5)
@amanusk_ Twitter (Jun 5)
Many yield farmers lost more than they bargained for when they trusted this DeFi dev (Jun 5)
Unlimited ERC20 allowances considered harmful (Jun 5)
What are the possible security risks of unlimited token authorization? • Blockcast.cc - News on Blockchain, DLT, Cryptocurrency (Jun 20)
CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20)
SlowMist Hacked - SlowMist Zone (May 18)
Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing (May 22)
List of Defi scams (Jul 12)
Newsletter #11 (Jul 12)
12 Defi Con Artists Exposed – Are Rug Pulling Incidents Threatening the Future of Defi? – Bitcoin worldReport (Jul 24)
Unlimited Approval In Erc20 Convenience Or Security (Oct 12)
UniCats Go Phishing (Oct 12)
@ZenGo Twitter (Jun 26)
@bneiluj Twitter (Jun 26)

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.