Happy Death Day! UniCats Backdoor Attack

Won · Published in Hexlant · Oct 16, 2020

The Birth of UniCats

Due to the rapid growth of the Decentralized Finance (DeFi) market in the latter half of 2020, new DeFi projects sprang up everywhere. Notably, the price of the governance tokens these projects issued skyrocketed upon listing, and investors rushed to make deposits without thoroughly verifying the project, in the hope of minting more governance tokens in a short time.

Taking advantage of this situation, an incident occurred in which customers' deposited assets were stolen. A DeFi project named UniCats, which has identical features to SushiSwap, stole $200,000 worth of deposited assets using a backdoor feature in its smart contract.

It is nearly impossible for general users to identify the backdoor feature. Even if users can read the contract code, it is extremely hard to understand how the code could function as a backdoor without professional-level code analysis. To help readers understand, Hexlant Research has analyzed the series of code that functioned as a backdoor in UniCats' smart contract.

Analysis of UniCats Backdoor

The majority of UniCats' features resemble those of SushiSwap. However, UniCats' smart contract included a backdoor function, which is what sets it apart from SushiSwap's smart contract.

UniCatFarm Contract: 0xB246bcD5bAac8E342941d0f803d528b6668E42Cd

UniCat Contract(MEOW): 0xec13f3c54feebfb0601934c9ff70a61ba8a8ed8f

Let’s look at how users participate in UniCats.

  1. To provide liquidity, users approve their tokens to the UniCatFarm contract. Upon calling the approve function, control over the approved tokens is delegated to the contract.
  2. Users stake the tokens in the UniCatFarm pool to provide liquidity, and in return they receive UniCats' governance token MEOW as a reward for providing liquidity.

The above-mentioned process applies to other DeFi projects in which users are rewarded for providing liquidity. However, UniCats added a setGovernance function to embezzle funds. The setGovernance function is as follows.

setGovernance function on UniCats

On closer inspection, setGovernance takes a contract address as its first argument and raw byte data as its second, and makes a low-level call to that address with the byte data as the calldata. At first glance it could pass as code added to implement a governance feature. However, UniCats used setGovernance together with the approve function (participatory process #1) to carry out the backdoor attack.
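The pattern just described, an owner-only function that takes (address, bytes) and forwards the bytes as a low-level call, is something an auditor can flag mechanically before users ever approve the contract. The following is an added example, not Hexlant's tooling and not UniCats' actual source: a heuristic scanner over Solidity text, run here against a constructed sample contract whose shape is modelled on the article's description (the sample's names and the `onlyOwner` modifier are assumptions, not the real UniCatFarm code).

```python
"""Heuristic scan for owner-gated arbitrary-call functions in Solidity source.

Added example (not Hexlant's tooling, not UniCats' real code). The sample
contract is constructed to mirror the pattern the article describes: an
owner-only function taking (address, bytes) that forwards the bytes as a
low-level call, so the owner can make the contract call any token's
transferFrom on the balances users have approved to it.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the shape of the pattern, not the real UniCatFarm source.
SAMPLE_SOURCE = """
pragma solidity ^0.6.12;

contract FarmLike {
    address public owner;
    modifier onlyOwner() { require(msg.sender == owner, "!owner"); _; }

    function deposit(uint256 pid, uint256 amount) public {
        // pulls tokens the user approved to this contract
    }

    // Reads like governance plumbing, but lets the owner make this contract
    // call any target with any calldata, including token.transferFrom(...)
    function setGovernance(address _governance, bytes memory _setData) public onlyOwner {
        (bool success,) = _governance.call(_setData);
        require(success, "setGovernance: failed");
    }
}
"""

# function <name>(<params>) <modifiers> {   (interface stubs without a body are not handled)
FUNC_RE = re.compile(
    r"function\s+(?P<name>\w+)\s*\((?P<params>[^)]*)\)\s*(?P<mods>[^{]*)\{", re.S
)
# .call(...), .delegatecall(...), optionally with a {value: ...} block
CALL_RE = re.compile(r"\.\s*(call|delegatecall)\s*(\{[^}]*\})?\s*\(")
OWNER_RE = re.compile(r"onlyOwner|onlyGovernance|onlyAdmin")


@dataclass
class Finding:
    name: str
    owner_gated: bool
    reason: str


def _function_body(source: str, start: int) -> str:
    """Return the brace-balanced body whose opening '{' sits at `start`."""
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start:i + 1]
    return source[start:]


def scan_arbitrary_calls(source: str) -> List[Finding]:
    """Flag functions that accept an address and bytes and hand them to a low-level call."""
    findings: List[Finding] = []
    for m in FUNC_RE.finditer(source):
        params = m.group("params")
        body = _function_body(source, m.end() - 1)  # m.end() - 1 is the '{'
        if "address" in params and "bytes" in params and CALL_RE.search(body):
            findings.append(Finding(
                name=m.group("name"),
                owner_gated=bool(OWNER_RE.search(m.group("mods"))),
                reason="takes (address, bytes) and forwards them to a low-level call",
            ))
    return findings


if __name__ == "__main__":
    for f in scan_arbitrary_calls(SAMPLE_SOURCE):
        gate = "owner-gated" if f.owner_gated else "NOT access-controlled"
        print(f"{f.name}: {f.reason} ({gate})")
```

A hit is not a verdict on its own; proxies and governance executors legitimately use this shape. The point is that every hit means the function's caller can act with the contract's own token approvals, so the next question in review is who can call it and whether a timelock or multisig stands between them and the users' allowances.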

How the Attack was carried out

(Not only UNI tokens were stolen; 10 other approved tokens used for building liquidity pools were also stolen in the attack.)

The following shows how the backdoor attack was carried out using the setGovernance and approve functions.

  1. To provide UNI tokens to the liquidity pool, users grant a max approve on the UNI token contract to the UniCatFarm contract. This corresponds to participatory process #1. Through the max approve, the UniCatFarm contract is delegated total control over the user's UNI tokens.
  2. After sizable funds have been deposited, the attacker steals the UNI tokens by calling setGovernance with the following arguments.

setGovernance(Uni Token Contract, transferFrom(A,B,C))

A: User’s address (User address used to approve on UniCats)
B: Attacker’s address
C: Amount of UNI user owns

Actual Attack Transaction (https://ethtx.info/mainnet/0x479f2ad79b096c4f30eae9a82785bf43bd3c908a1557a3e6e87405668980222f)
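What the two steps above mean for a user is that the amount at stake is bounded only by min(balance, allowance), and a max approve removes the allowance bound entirely. The following added example (not part of Hexlant's article or tooling) folds a constructed set of ERC-20 Approval events into current allowances and reports, per user, how many tokens a given spender could move with transferFrom if that spender's contract were backdoored. The addresses, balances and events are constructed for illustration.

```python
"""Allowance exposure check for a single ERC-20 spender.

Added example, not part of Hexlant's article. It models the article's point:
once a user has approved a spender, any call that spender's contract can be
made to issue (such as the owner-controlled arbitrary call in setGovernance)
can move up to min(balance, allowance) of the user's tokens via transferFrom.
"""
from typing import Dict, List, Tuple

MAX_UINT256 = 2**256 - 1  # the "max approve" value wallets commonly grant

# Constructed Approval events in emission order: (owner, spender, value).
# ERC-20 Approval sets the allowance, so a later event for the same
# (owner, spender) pair overwrites the earlier one rather than adding to it.
APPROVAL_EVENTS: List[Tuple[str, str, int]] = [
    ("0xuser1", "0xfarm", MAX_UINT256),    # max approve, as in participatory process #1
    ("0xuser2", "0xfarm", 500),            # exact-amount approve
    ("0xuser3", "0xfarm", MAX_UINT256),
    ("0xuser3", "0xfarm", 0),              # user3 later revoked the approval
    ("0xuser1", "0xrouter", MAX_UINT256),  # approval to an unrelated spender
]

# Constructed current token balances per owner.
BALANCES: Dict[str, int] = {"0xuser1": 1_000, "0xuser2": 2_000, "0xuser3": 3_000}


def current_allowances(events: List[Tuple[str, str, int]]) -> Dict[Tuple[str, str], int]:
    """Fold Approval events into the latest allowance per (owner, spender)."""
    allowances: Dict[Tuple[str, str], int] = {}
    for owner, spender, value in events:
        allowances[(owner, spender)] = value
    return allowances


def exposure_to_spender(events, balances: Dict[str, int], spender: str) -> Dict[str, Tuple[int, bool]]:
    """Tokens each owner could lose if `spender` were backdoored: min(balance, allowance).

    Returns {owner: (at_risk, unlimited)} for owners with non-zero exposure;
    `unlimited` marks a max approve, where only the balance bounds the loss.
    """
    result: Dict[str, Tuple[int, bool]] = {}
    for (owner, sp), allowance in current_allowances(events).items():
        if sp != spender or allowance == 0:
            continue  # other spender, or approval revoked
        at_risk = min(balances.get(owner, 0), allowance)
        if at_risk:
            result[owner] = (at_risk, allowance == MAX_UINT256)
    return result


def total_at_risk(events, balances: Dict[str, int], spender: str) -> int:
    """Sum of tokens the spender could move across all approving owners."""
    return sum(amount for amount, _ in exposure_to_spender(events, balances, spender).values())


if __name__ == "__main__":
    for owner, (amount, unlimited) in exposure_to_spender(APPROVAL_EVENTS, BALANCES, "0xfarm").items():
        tag = "UNLIMITED approval" if unlimited else "bounded approval"
        print(f"{owner}: {amount} tokens at risk ({tag})")
    print("total:", total_at_risk(APPROVAL_EVENTS, BALANCES, "0xfarm"))
```

Run against real chain data, the same fold over a token's Approval logs gives a wallet or a monitoring service the list of live approvals to a suspect contract; the mitigations follow directly from the arithmetic, since approving only the amount being deposited bounds the loss and an Approval of 0 (as user3 does above) removes the exposure entirely.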

Conclusion

DeFi users must first approve the main contract in order to provide liquidity or to swap. If a backdoor such as UniCats' exists in a DeFi service the user has approved, it is no different from handing the tokens to the attacker for free.

On top of this, it is estimated that UniCats was launched specifically to embezzle customers' assets. The setGovernance function can only be called by the contract owner, and the contract ownership has been transferred 15 times since release.

History of UniCats owner address

d264fa72cc12690e1cbca5052c803d28574bbf43
e795dc38ab305ed1af5f235745241de9d46c5335
d264fa72cc12690e1cbca5052c803d28574bbf43
e795dc38ab305ed1af5f235745241de9d46c5335
d264fa72cc12690e1cbca5052c803d28574bbf43
3b01feb685932f6197e5150b4a713008d28af8b0
d264fa72cc12690e1cbca5052c803d28574bbf43
31d1fda8101837cee95e34ccd663cb8331459c45
d264fa72cc12690e1cbca5052c803d28574bbf43
3797f5544e7f4d645624673a6218f6232e351fea
0deb2f1d0c758e6cda8a7001ec40473407d4d9d5
0cca2976f1803cd6565b20c650672e846c162d61
f7c3739e4df18f1424d66309f360834cb9944ce0
80a73f61533e92e9482c9b6885469c47bdc1a805
c23977870ad3dfdc22872241cdff8178255fd9c9
e3f647ee3a688218b4f2b55b997210e3d6b170ad
0000000000000000000000000000000000000001

It is nearly impossible for general users to recognize the malicious purpose behind DeFi projects specifically designed to embezzle assets. Therefore, it is recommended to use DeFi projects that have been verified by professionals in the industry.

Hexlant is a blockchain tech provider that focuses on the development of Octet, a cloud-based blockchain developer platform. Hexlant Research issues in-depth reports periodically to offer insights on the blockchain market. Hexlant Research also offers a blockchain security audit called Hexlant Audit to detect and address any contract vulnerability in the early stages of project development.

Hexlant: https://www.hexlant.com/
Hexlant Research: https://hexlant.com/report/
Hexlant Octet: https://octet.hexlant.com/
