Jul 13, 2022
Uniswap V3 — — New Phishing Scam?
0x01 Preview
Binance CEO founder claimed that their threat intel detected a potential exploit on Uniswap V3 on the ETH blockchain. The hacker has stolen 4295 ETH so far, and they are being laundered through Tornado Cash, address
https://etherscan.io/address/0x09b5027ef3a3b7332ee90321e558bad9c4447afa#internaltx
In the hours later, multiple Twitter users posted that there was nothing unusual about the transactions that transferred funds in the hack and said that it was a phishing attack, meaning that the breach was not a risk to Uniswap itself.
after the CZ tweed mentioned that it connected with the uniswap team. The protocol is safe. The attack looks like from a phishing attack. Both teams responded quickly. All good. Sorry for the alarm. Learn to protect yourself from phishing. Don’t click on links.
0x02 More details
· Attacker Address
0x3cafc86a98b77eedcd3db0ee0ae562d7fe1897a2
0x09b5027ef3a3b7332ee90321e558bad9c4447afa
· Attacker contract(UniswapLP.com (UniswapLP.com))
0xCf39B7793512F03f2893C16459fd72E65D2Ed00c
· Victim address
0xecc6b71b294cd4e1baf87e95fb1086b835bb4eba
0x15c853bdafc9132544a10ed222aeab1f239414fe
0xc8c9771b59f9f217e8285889b9cdd7b9ddce0e86
· Uniswap V3: Positions NFT
0xc36442b4a4522e871399cd717abdd847ab11fe88
0x03 Attack Analysis
1.The attacker deploys the attack contract ($ UniswapLP.com (UniswapLP.com)) in advance, pay attention to the name here, some of the key information in it contains the UniswapLP and UniswapLP.com URLs, which on closer inspection is not the official Uniswap URL after looked through carefully it you will find the official website is very similar.
2.The Uniswap V3: Positions NFT (UNI-V3-POS) contract call via the attack contract to send funds named ($ UniswapLP.com (UniswapLP.com)) to the victim’s address.
This step is also the key to the phishing attack, by sending Token funds named ($ UniswapLP.com (UniswapLP.com)), it will give the recipient of the funds the illusion that Uniswap V3 has sent UniswapLP.com to the recipient’s address, at which point the attacker may visit the UniswapLP.com website and proceed to the next step.
New to trading? Try crypto trading bots or copy trading
3. The victim clicks on the URL and authorizes his funds to the attacker’s pre-written address. See below the specific actions of one of the victims. The victim performs multiple setApprovalForAll authorizations.
View details of any transaction
It can be clearly seen that the victim calls the setApprovalForAll method of the Uniswap V3: Positions NFT contract to authorize his NFT assets to the attacker’s address.
4. After successful authorization, the attacker uses the authorized account to transfer the victim’s NFT assets out.
5.The attacker converts NFT assets to ETH via the Uniswap V3: Positions NFT contract.
The attackers eventually transferred the 7,500 ETH acquired to the Tornado.Cash mash platform.
0x04 Summary
The above event reveals that the attackers mainly use a mixture of social engineering and social phishing to lure users to click on phishing websites and authorize their NFTs. However, unlike most previous phishing events, the initial phase of this phishing attack unfolded in the blockchain browser, confusing users by faking contract names and coin offerings, and eventually luring users to authorize their NFT assets.
Security advice
- When visiting an unspecified website, it is important to check carefully that it is the intended official website.
- If you think you’ve been impacted by one of these scams, make sure to revoke access to all of your NFTs through https://revoke.cash or transfer them out ASAP to a hardware wallet.
Join Coinmonks Telegram Channel and Youtube Channel learn about crypto trading and investing
