Up1 Infinite Approval Phishing

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Up1 Network

Up1 Network claimed to be a synthetic elastic index fund offering a new innovation that would revolutionize how investors invest. The website was filled with extensive details and background about synthetic tokens and even featured some tokenomic algorithms. There was a supposed team with biographies, although no human faces were used. Users of the website were prompted to get their free airdrop.

Instead of delivering a free airdrop, the website asked users to grant an infinite approval on the highest-value token in their wallet. Once a user approved that transaction, the funds were quickly stolen and laundered. At least $50k was taken from one victim, although there appear to have been several. There is no indication that any of the funds were recovered.

This is a global/international case not involving a specific country.[1][2][3]

About Up1 Network

[4]

Up1 is introducing a new asset class in the world of digital assets, aiming to revolutionize individual investments in this sector. This asset class is characterized by synthetic instruments that simulate other financial instruments while adjusting critical features to meet the specific needs of investors.

Key features of Up1's offering include:

  • Rebases: Up1 utilizes price-elastic tokens that automatically adjust the total token supply based on market conditions. When the UP1 price exceeds (Total Value Locked in DEFI * 0.1^11), more tokens will be minted, while a lower UP1 price will result in reductions in token holdings.
  • Defi Simplified: Up1 offers an elastic synthetic index fund that acts as a representation of Defi Total Value Locked, providing traders and institutions with an innovative way to speculate on these assets using a single token.
  • Geyser: Up1's liquidity staking rewards program, Geyser, allows users to deposit ETH and UP1 into Uniswap V2, receive UNI-V2 LP Tokens, and stake them in the Geyser, providing liquidity rewards.

Roadmap:

  • Phase 1 (Q4 2020): Included private sales, public sales, token generation events, Uniswap listings, and listings on CoinMarketCap and CoinGecko.
  • Phase 2 (Q1 2021): Launch of the Geyser Protocol for staking.
  • Phase 3 (Q2 2021): CEX listing.

Tokenomics:

  • Token Details: UP1 is an ERC-20 token with an elastic supply based on expansion and contraction.
  • Distribution: Strategic sales (50%), ecosystem (21%), Geyser (10%), foundation (9%), initial liquidity (5%), advisors (4%), and airdrop (1%).

Team:

Up1's team consists of professionals with experience in trading, coding, full-stack development, blockchain development, marketing, and community moderation. Advisors bring extensive experience in the crypto industry, investments, and community building.

Overall, Up1 aims to bring innovation to the DeFi space through its synthetic assets and innovative tokenomics.

"Up1 - Defi TVL Synthetic Elastic Index Fund - A brand new asset class that will revolutionize how individuals invest in digital assets."

"Synthetic is the term given to financial instruments that are engineered to simulate other instruments while altering key characteristics. Often synthetics will offer investors tailored cash flow patterns, maturities, risk profiles and so on. Synthetic products are structured to suit the needs of the investor. A synthetic is an investment that is meant to imitate another investment. Synthetic products are custom designed investments that are created for large investors."

"A price-elastic token is one where the project’s total token supply is not fixed, but instead automatically adjusts on a routine basis. These token supply adjustments are called rebases. When UP1 price is greater than the Total Value Locked in DEFI * 0.1^11), more $T will be minted. When UP1 price is lesser than the Total Value Locked in DEFI * 0.1^11), the $T in everyone's wallets will be reduced. Positive Rebase creates new supply, decreasing scarcity and driving price down its target."

"An Elastic synthetic index fund like instrument of Defi TVL (Acting as per the underlying assets.)" "The world’s first tokenized derivative of its kind (Traders & Institutions can speculate an untouched assets)."


The Reality

"I can't even "fat-finger" click confirm on some jewel such as up1(.)org, that will dynamically ask for inf-approve on *the most valuable ERC20 you have*."

"I fell for this one."

"Scams are evolving.. stay safe."

What Happened

"An early Ethereum and DeFi investor who wishes to remain anonymous told Cointelegraph that they fell victim to a rug pull on Dec. 19, 2021. The anonymous source shared that the project is called “up1.network,” noting that many early Ethereum investors were discussing Up1 in a Discord chat group."

Key Event Timeline - Up1 Infinite Approval Phishing

Date | Event | Description
December 20th, 2021 6:40:45 AM MST | Main Event |
December 24th, 2021 10:14:00 AM MST | CoinTelegraph Article | [5]. This was later shared on Blockchair News[3].

Technical Details

[6][7]


In 2021, there was a surge in "rug pulls," a scam tactic targeting both experienced and new crypto investors. Chainalysis reports that scams have become the predominant form of cryptocurrency-based crimes by transaction volume, with over $7.7 billion stolen from victims worldwide, an 81% increase from the previous year.[5]

Rug pulls have gained prominence within the decentralized finance (DeFi) ecosystem this year, contributing significantly to the surge in scam revenue. Chainalysis defines rug pulls as instances where individuals or developers suddenly abandon a project and run off with the funds. In 2021, rug pulls accounted for 37% of all cryptocurrency scam revenue, a stark contrast to just 1% in 2020.[5]

Examples of major rug pulls in 2021 include AnubisDAO, which raised nearly $60 million overnight before disappearing, and Up1, a recent case where $50,000 worth of tokens were stolen from investors who trusted the project. These rug pulls are causing significant trust issues within the crypto ecosystem.[5]

Even mainstream nonfungible token (NFT) projects have been targeted by rug pulls. Miss Universe's NFT launch on the Wax blockchain resulted in significant losses for unsuspecting investors.[5]

While the DeFi and NFT ecosystems are maturing, they remain vulnerable to rug pull scams. Users are advised to conduct thorough research, check for code audits, and exercise caution when engaging with new projects. Rug pulls are prevalent in DeFi due to the ease of creating new tokens without audits. Additionally, wallet providers should play a role in flagging questionable sites to protect users.[5]

Cryptocurrency platforms are increasingly taking action to protect users from scams, such as tracing transactions to their source. Users are encouraged to stay vigilant, avoid offers that seem too good to be true, and thoroughly research projects and their teams before investing.[5]

Total Amount Lost

"Unfortunately, once Up1 gained access to their account, three DeFi tokens worth $50,000 were instantly taken."

The total amount at risk has been estimated at $50,000 USD. The total amount lost has been estimated at $50,000+ USD.

Immediate Reactions

“People I trusted were mentioning the project so I checked it out. I thought it was strange to see Up1 giving away airdrops, but thought it could have been affiliated with a DeFi token I had. I then connected my MetaMask wallet and clicked on ‘get airdrop’ but kept getting an error message. I did this three times, which gave the project access to my account.”

"Unfortunately, once Up1 gained access to their account, three DeFi tokens worth $50,000 were instantly taken. “I revoked access after the fact on Etherscan so they couldn’t steal any more tokens,” they mentioned. The Ethereum investor then checked the DeFi platform Zerion where they saw the notifications that the DeFi tokens had left their wallet."


Ultimate Outcome

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

General Prevention Policies

Once losses occur, the industry has no standard program of recovery. We have recommended the establishment of an insurance fund which could have funds available to assist victims and increase the rate of reporting so perpetrators could more easily be brought to justice.

Individual Prevention Policies

Users can protect themselves by always checking every transaction in detail. In this case, the malicious transaction would drain funds from users' wallets. Users should be especially cautious in this case because a free mint was promised, which is a common fraud tactic.

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.
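The check described above, as an added example that is not part of the original case study or any wallet's own code: it decodes the calldata of a pending transaction and flags an unlimited ERC-20 allowance granted to a spender the user has not vetted. The function name `inspectApproval`, the trusted-spender list, the "unlimited" threshold and every address are assumptions made for this example; the two selectors are the standard `approve` and OpenZeppelin-style `increaseAllowance` ones.

```javascript
// Added example: classify a pending transaction's calldata before signing.
// Selectors are the standard ERC-20 / OpenZeppelin ones; addresses are constructed.
const SELECTORS = {
  "095ea7b3": "approve",            // approve(address spender, uint256 amount)
  "39509351": "increaseAllowance",  // increaseAllowance(address spender, uint256 addedValue)
};
const MAX_UINT256 = (1n << 256n) - 1n;
// Assumption of this example: anything this large is far beyond a realistic balance.
const UNLIMITED_THRESHOLD = 1n << 255n;

function inspectApproval(tx, trustedSpenders = []) {
  const data = (tx.data || "").toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[data.slice(0, 8)];
  if (!fn) return { kind: "not-an-approval" };
  // Selector (4 bytes) + two 32-byte ABI words = 136 hex characters.
  if (data.length !== 136 || !/^[0-9a-f]+$/.test(data)) {
    return { kind: "malformed", fn };
  }
  const spenderWord = data.slice(8, 72);
  const amount = BigInt("0x" + data.slice(72, 136));
  // An address is the low 20 bytes; the upper 12 bytes must be zero padding.
  if (!/^0{24}/.test(spenderWord)) return { kind: "malformed", fn };
  const spender = "0x" + spenderWord.slice(24);
  const trusted = trustedSpenders.map((a) => a.toLowerCase()).includes(spender);
  let kind;
  if (fn === "approve" && amount === 0n) kind = "revoke"; // approve(spender, 0)
  else if (amount >= UNLIMITED_THRESHOLD) kind = "unlimited";
  else kind = "limited";
  return {
    kind, fn, token: tx.to, spender, amount, trusted,
    // Block by default: unlimited allowance to a spender the user never vetted.
    block: kind === "unlimited" && !trusted,
  };
}

// Constructed samples (placeholder addresses, not taken from the incident).
const TOKEN = "0x" + "11".repeat(20);
const SPENDER = "0x" + "ab".repeat(20);
const word = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const encode = (sel, spender, amount) =>
  "0x" + sel + word(spender) + word(amount.toString(16));

const airdropClick = { to: TOKEN, data: encode("095ea7b3", SPENDER, MAX_UINT256) };
const revocation = { to: TOKEN, data: encode("095ea7b3", SPENDER, 0n) };
const boundedSpend = { to: TOKEN, data: encode("095ea7b3", SPENDER, 5000n * 10n ** 18n) };

for (const tx of [airdropClick, revocation, boundedSpend]) {
  const r = inspectApproval(tx);
  console.log(r.kind, r.spender, r.block ? "BLOCK" : "ok");
}
```

The `to` field of such a transaction is the token contract, not the site being visited, so the spender inside the calldata is the address that needs to be checked.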

Any time that you are promised any profit or benefit in exchange for an initial payment, smart contract approval, or deposit, take special care to check whether the entity making that offer is trustworthy, is actually who they say they are, and has the means to fulfill what they're promising. There are no magic algorithms providing guaranteed returns from trading or mining. Trading on average will lose money. Mining is expensive and complex. No one is going to immediately send back more than you sent them. NFT projects will rarely announce a surprise mint in only a single location. Are you fully prepared for the event that your money is kept and nothing is delivered in return?

A good strategy to massively reduce potential losses is to keep most funds stored offline in one or more separate wallet(s) and only have a small balance based on what you are actively using in your present wallet. It's also a good idea to always check that any smart contracts have been reviewed by third parties.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The Up1 platform was malicious. Increased user education would make it harder for malicious platforms to trick users into giving up their funds.

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

An industry insurance fund could provide assistance to affected users.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

The Up1 platform was malicious. Increased user education would make it harder for malicious platforms to trick users into giving up their funds.

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

Standardizing reviews of platforms can provide users with a better source of information and method for assessing which platforms are higher risk and should be avoided.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. An assessment must not be performed by a third party that has already performed one within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

An industry insurance fund could provide assistance to affected users.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References