UniSwap UniCats Scam
What's worse than sending your funds to an unknown smart contract? Giving that smart contract access to an unlimited quantity of those funds (i.e. your entire wallet balance).
Unsurprisingly, a project can win the trust of less cautious users with cute cat pictures, and many of the top projects at the time requested the same unlimited permission.
The attacker can then pull funds out of the wallet at any later time, regardless of whether the user has already withdrawn from the contract. The permission has to be expressly revoked to avoid this, and many users may not have the technical ability or discipline to do so.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26]
About UniCats
"Uniswap is an Ethereum exchange, built using smart contracts and liquidity pools, as opposed to the order book of a traditional centralized exchange (CEX), such as Binance. With any Ethereum wallet, users can simply connect to the Uniswap application and effortlessly exchange ERC20 tokens without first sending them to the exchange platform account."
"[T]he development of Uniswap was facilitated by Vitalik Buterin’s idea for a decentralized exchange (DEX), which would involve an automated market maker. Actually, the protocol developer himself, Hayden Adams, at first tried to just practice development on Solidity, and later this hobby brought him several grants and $100 000 from the Ethereum Foundation. Now the project went far beyond just entertainment and became one of the most important components of the entire DeFi industry."
"Yield farmers looking for a quick profit were recently taken in by a dubious DeFi protocol called UniCats — a yield farming scheme reminiscent of other, more famous protocols like SushiSwap or Yam Finance." "UniCats was launched as another spin-off from popular DeFi projects such as Sushiswap. Unsurprisingly, they even used the exact same frontend of Sushiswap, because why bother (the official website is down, but an archive view is available)."
"Users who found their way to UniCats were promised $MEOW tokens if they staked either $UNI or $UNI LP tokens on UniCats. The choice to go with $UNI staking is no coincidence. Many users got a bunch of UNI for free and thus might have felt less concerned with risking their newly found fortunes."
"When depositing a specific amount (say 100 DAI) into a contract, you can choose to set an allowance of exactly that amount. But instead, many apps instead request an unlimited allowance from the user. This offers a superior user experience because the user does not need to approve a new allowance every time they want to deposit tokens. By setting up an unlimited allowance, the user just needs to approve it once, and not repeat the process for subsequent deposits."
"The crypto researcher at ZenGo, recently told the story of Jhon Doe, who lost $140,000 worth of Uniswap’s UNI tokens to a yield farming scam. The Ethereum user lost his DeFi tokens to the yield farming project called UniCats."
"In a series of tweets, Alex Manuskin explained how Jhon Doe got scammed. Jhon Doe was seeking to make high returns on the yield farming hype, therefore he allocated some of his UNI tokens in a DeFi scheme UniCats. UniCats allows users to farm its MEOW tokens, and users can then withdraw their tokens."
"Manuskin urged users to only approve tokens that they want to spend—since the approved amount goes to zero after the contract uses it—or revoke access to their funds afterward."
“Much of the problem is caused by the fact that users are complicit to approve infinite amounts, as this is the standard in popular dapps as well,” he explained to Decrypt, adding that “On the dapp side, they should consider only promoting to allow the necessary amount, even if this causes the user inconvenience. On the wallet side, wallets should alert a user that they are giving permission to all their current and future tokens.” "The rationale for setting infinite approvals is that users save on gas fees and time by not having to approve each transaction separately."
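The allowance choice described above (an exact amount versus an unlimited one) and Manuskin's suggestion that wallets alert users before they sign are illustrated by the following added example. It is not code from any wallet, from UniCats or from the sources quoted here: it decodes the calldata of a standard ERC-20 approve(address,uint256) transaction the way a wallet could before prompting for a signature, and returns a verdict. The selector and ABI layout are the standard ERC-20 ones; the spender address, balances and amounts are constructed sample values.

```python
"""Wallet-side allowance check, added as an example for this case study.

Decodes ERC-20 approve(address,uint256) calldata and classifies the request
as "revoke", "bounded", "exceeds-balance" or "unlimited". Constructed
example: the spender address and amounts below are placeholders, not
UniCats' contract.
"""

MAX_UINT256 = 2**256 - 1
# first 4 bytes of keccak256("approve(address,uint256)")
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount); used here only to build sample inputs."""
    spender_word = bytes.fromhex(spender[2:]).rjust(32, b"\x00")  # address left-padded to 32 bytes
    return APPROVE_SELECTOR + spender_word + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes):
    """Return (spender, amount) for approve calldata, or None for anything else."""
    if len(calldata) != 4 + 32 + 32 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender = "0x" + calldata[16:36].hex()          # address is the low 20 bytes of the word
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount


def classify_approval(calldata: bytes, user_balance: int) -> str:
    """Verdict a wallet could show before signing.

    user_balance is the user's current token balance in base units. An
    allowance above it also covers tokens received in the future, which is
    exactly the exposure described in this case.
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not-approve"
    _, amount = decoded
    if amount == 0:
        return "revoke"                  # approve(spender, 0) is the ERC-20 revoke
    if amount == MAX_UINT256:
        return "unlimited"               # the value most dapps request by default
    if amount > user_balance:
        return "exceeds-balance"
    return "bounded"


def warning_for(calldata: bytes, user_balance: int) -> str:
    """Human-readable line for the signing prompt."""
    verdict = classify_approval(calldata, user_balance)
    spender, amount = decode_approve(calldata) or ("?", 0)
    messages = {
        "unlimited": f"WARNING: {spender} would be able to spend ALL your current and future tokens.",
        "exceeds-balance": f"WARNING: {spender} could spend {amount} units, more than your balance of {user_balance}.",
        "bounded": f"{spender} may spend up to {amount} units.",
        "revoke": f"Revoking {spender}'s allowance.",
        "not-approve": "Not an ERC-20 approve call.",
    }
    return messages[verdict]


if __name__ == "__main__":
    # constructed sample: placeholder farm address, wallet holding 36,000 tokens (18 decimals)
    FARM = "0x" + "11" * 20
    BALANCE = 36_000 * 10**18
    for amt in (MAX_UINT256, 1_000 * 10**18, 50_000 * 10**18, 0):
        print(warning_for(encode_approve(FARM, amt), BALANCE))
```

The check is deliberately simple: it compares the requested allowance against the user's current balance, because anything larger than that balance reaches tokens the user does not yet hold. A dapp that follows the advice quoted above would only ever produce the "bounded" verdict.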
"Jhon farms some $MEOW, and thinks, yea, I’m done with this game. I’ll pull out all my UNI and retire now."
"Jhon went to sleep with a false sense of security after withdrawing all his funds from a questionable farming scheme believing no harm could be done as long as the funds were in his wallet."
"Jhon’s private keys were never compromised, and there was no bug in the wallet. What made this hack possible is a known but commonly overlooked flaw in the design of the ERC20 standard used by most popular tokens on the Ethereum network."
"What Jhon doesn’t know, is that once you approved the contract to use ∞ tokens, the contract can take their tokens at any time. Even after they were withdrawn from the farming scheme."
"However, events took a left turn for the would-be-Chad as malicious code in the project’s contract allowed the dev to withdraw the victim’s UNI tokens."
"Little did he know that UniCats’ developer created a backdoor in the smart contract that gave him control over tokens even after they were withdrawn from the platform."
"UniCat adds a backdoor to the farming contract. Anyone who is the owner can call the 'setGovernance' method, with the privilege to call any passed data, to any address."
"Thanks to this backdoor, UniCats’ creator was able to use the 'setGovernance' call to snatch Doe’s tokens."
"[E]ven if people tried to limit their risk by only depositing small amounts, funds in their wallets were still at risk because of unlimited ERC20 allowances."
"In two swift transactions, the user lost 26,000 and 10,000 UNI—worth around $94,000 and $38,000, respectively. The tokens were then swapped for just over 416 Wrapped Ether (roughly $147,000) on Uniswap. And Doe wasn’t the only victim."
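The mechanism in the quotes above (an allowance that survives withdrawal, plus an owner-only path that spends it) is modelled by the following added example. It is not UniCats' contract, not a real token and not code from any of the sources: a toy in-memory ERC-20 with approve/transferFrom, and a farming contract whose `owner_pull` stands in for the privileged call described above. The balances, names and the 36,000 UNI figure are constructed to match the numbers in this case.

```python
"""Toy ERC-20 allowance model, added as an example for this case study.

Not UniCats' contract and not a real token. It shows why funds in a wallet
stay exposed after withdrawing from a farm when the allowance granted to
the farm was unlimited, and why an exact allowance or a revoke closes that
exposure. All names and balances are constructed.
"""

MAX_UINT256 = 2**256 - 1


class ERC20:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}            # (owner, spender) -> amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # approve() overwrites: approve(spender, 0) is how an allowance is revoked
        self.allowances[(owner, spender)] = amount

    def _move(self, src, dst, amount):
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount

    def transfer(self, sender, to, amount):
        self._move(sender, to, amount)

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise ValueError("insufficient allowance")
        # common implementations never decrement an unlimited allowance
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self._move(owner, to, amount)


class Farm:
    """Staking contract; its address is the spender the user approves."""

    def __init__(self, token, owner):
        self.token, self.owner, self.addr = token, owner, "farm"
        self.staked = {}

    def deposit(self, user, amount):
        self.token.transfer_from(self.addr, user, self.addr, amount)
        self.staked[user] = self.staked.get(user, 0) + amount

    def withdraw(self, user):
        amount = self.staked.pop(user, 0)
        self.token.transfer(self.addr, user, amount)
        return amount

    def owner_pull(self, caller, user, amount):
        # owner-only path (stand-in for the backdoor described above): the farm
        # is still the approved spender, so the token contract cannot tell this
        # apart from a normal deposit
        if caller != self.owner:
            raise PermissionError("not owner")
        self.token.transfer_from(self.addr, user, self.owner, amount)


def run_scenario(approval_amount, revoke_after=False):
    """User holds 36,000 UNI, approves `approval_amount`, stakes 1,000,
    withdraws, optionally revokes, and is then targeted by the owner.
    Returns (user_balance, owner_balance) afterwards."""
    token = ERC20({"user": 36_000})
    farm = Farm(token, owner="dev")
    token.approve("user", farm.addr, approval_amount)
    farm.deposit("user", 1_000)
    farm.withdraw("user")                      # everything is back in the wallet
    if revoke_after:
        token.approve("user", farm.addr, 0)
    try:
        farm.owner_pull("dev", "user", token.balance_of("user"))
    except ValueError:
        pass                                   # allowance too small: the pull fails
    return token.balance_of("user"), token.balance_of("dev")


if __name__ == "__main__":
    print("unlimited approval:", run_scenario(MAX_UINT256))        # (0, 36000)
    print("exact approval:    ", run_scenario(1_000))              # (36000, 0)
    print("revoked afterward: ", run_scenario(MAX_UINT256, True))  # (36000, 0)
```

The three scenarios correspond to the three outcomes in the text: with an unlimited allowance the wallet is emptied after the withdrawal; with an allowance equal to the deposit the allowance is spent by the deposit itself and the later pull fails; and revoking after withdrawing has the same effect even when the original allowance was unlimited.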
"According to Manuskin, the scammer is a regular token thief who often creates phony farming protocols to fool unsuspecting yield chasers."
"When the project inevitably rug-pulled, the scammers not only took the deposited funds, but also all UNI tokens that users had in their wallets."
"[T]o cover their tracks, UniCats developers created new smart contracts “for each new victim” and the developers moved bulks of stolen 100 ETH into Tornado Cash, an experimental software and a privacy mixer for Ethereum which makes the process of tracking the destination of funds extremely difficult."
The Reality
UniCats presented itself as another spin-off of popular yield farming projects and reused the SushiSwap frontend unchanged. Behind that frontend, the farming contract contained an owner-only setGovernance method able to call any address with arbitrary data, giving the developer a backdoor over tokens that users had approved to the contract, including tokens already withdrawn. According to Manuskin, the person behind it is a repeat token thief who regularly creates phony farming protocols.
What Happened
UniCats offered $MEOW rewards for staking $UNI or $UNI LP tokens. Users granted the farm contract an unlimited ERC20 allowance, as most dapps request. The contract's owner-only setGovernance method could call arbitrary data on any address; combined with those allowances, it let the developer transfer UNI directly out of users' wallets, including after they had withdrawn their stake.
| Date | Event | Description |
|---|---|---|
| October 5th, 2020 | Main Event | The UniCats developer used the owner-only setGovernance backdoor, together with the unlimited ERC20 allowances users had granted the farm contract, to transfer UNI out of users' wallets. One user lost 26,000 and 10,000 UNI in two transactions (about $140,000), which were swapped for just over 416 Wrapped Ether; other users were drained as well. |
Technical Details
Two mechanisms combined. First, the UniCats farming contract (UniCatFarm, 0xb246bcd5baac8e342941d0f803d528b6668e42cd) contained an owner-only setGovernance method that could call any address with arbitrary calldata, giving the owner a generic backdoor. Second, users staking UNI had approved the farm for an unlimited ERC20 allowance, the default many dapps request. An ERC20 allowance is granted to the spender contract rather than to a particular deposit, so withdrawing the stake does not reduce it; the owner could therefore use the backdoor to spend the allowance (via transferFrom) and move UNI out of users' wallets, including tokens they had withdrawn and tokens they had never deposited. No private keys were compromised and there was no bug in the wallet software. To cover their tracks, the developers created new contracts for each victim and moved the proceeds into Tornado Cash.
Total Amount Lost
The total amount lost has been estimated at $200,000 USD.
Reports give two figures: about $140,000 for the single user described in the sources (26,000 plus 10,000 UNI, swapped for just over 416 Wrapped Ether, roughly $147,000), and about $200,000 across all victims.
Immediate Reactions
The UniCats website went offline (an archived copy is available). ZenGo researcher Alex Manuskin published a Twitter thread explaining how the funds were taken and urged users to approve only the amounts they intend to spend, or to revoke allowances afterward.
Ultimate Outcome
Tracing showed that the developers created new contracts for each new victim and moved the stolen funds in batches of 100 ETH into Tornado Cash, which made further tracking extremely difficult. The sources cited here report no investigation, prosecution or lawsuit.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
The safest storage of funds remains offline storage in a multi-signature wallet. Having that wallet managed by multiple trained and trusted operators reduces the risk of misuse of funds.
Individual Prevention Policies
Approve only the amount of tokens you intend to spend, and revoke any remaining allowance once you are done with a contract: an unlimited allowance lets the approved contract take tokens from your wallet at any later time, even after you have withdrawn from it.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Dapps should request only the allowance actually needed for a deposit, even at the cost of extra approvals, and wallets should alert users when an approval grants a spender access to all of their current and future tokens.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. $140,000 in UNI Tokens Lost to a DeFi Yield Farming Scam: The Cautionary Tale of Jhon Doe | Blockchain News (May 24, 2021)
2. @amanusk_ Twitter (May 24, 2021)
3. How Does Uniswap Work (Jun 5, 2021)
4. Yield farming project scams Ethereum users of $200,000 worth of Uni - AMBCrypto (Jun 5, 2021)
5. UniCatFarm | 0xb246bcd5baac8e342941d0f803d528b6668e42cd (Jun 5, 2021)
6. UniCats Go Phishing (Jun 5, 2021)
7. UniCat - Earn MEOW by staking UNI (Jun 5, 2021)
8. Ethereum User Scammed For $140,000 in Uniswap (UNI) Tokens : UniSwap (Jun 5, 2021)
9. Ethereum User Scammed For $140,000 in Uniswap (UNI) Tokens - Decrypt (Jun 5, 2021)
10. This Crypto Investor Lost $140,000 Worth of Uniswap Tokens To Yield Farming Scam (Jun 5, 2021)
11. Fake Yield Farming Project Costs User $140,000 in Uniswap Tokens | Cryptoglobe (Jun 5, 2021)
12. @amanusk_ Twitter (Jun 5, 2021)
13. Many yield farmers lost more than they bargained for when they trusted this DeFi dev (Jun 5, 2021)
14. Unlimited ERC20 allowances considered harmful (Jun 5, 2021)
15. What are the possible security risks of unlimited token authorization? • Blockcast.cc - News on Blockchain, DLT, Cryptocurrency (Jun 20, 2021)
16. CipherTrace Cryptocurrency Crime and Anti-Money Laundering Report 2020 (Jun 20, 2021)
17. SlowMist Hacked - SlowMist Zone (May 18, 2021)
18. Millions Lost: The Top 19 DeFi Cryptocurrency Hacks of 2020 | Crypto Briefing (May 22, 2021)
19. List of Defi scams (Jul 12, 2021)
20. Newsletter #11 (Jul 12, 2021)
21. 12 Defi Con Artists Exposed – Are Rug Pulling Incidents Threatening the Future of Defi? – Bitcoin worldReport (Jul 24, 2021)
22. Unlimited Approval In Erc20 Convenience Or Security (Oct 12, 2021)
23. UniCats Go Phishing (Oct 12, 2021)
24. @ZenGo Twitter (Jun 26, 2022)
25. @bneiluj Twitter (Jun 26, 2022)
26. Worldwide crypto & NFT rug pulls and scams tracker - Comparitech (Dec 15, 2022)