A sophisticated phishing campaign targeting liquidity providers (LPs) of the Uniswap v3 protocol has seen attackers make off with at least $4.7 million worth of Ether (ETH). However, the community is reporting the losses could be even greater.
MetaMask security researcher Harry Denley was one of the first to raise the alarm about the attack, telling his 13,000 Twitter followers on Monday that 73,399 addresses had been sent malicious ERC-20 tokens designed to steal their assets.
⚠️ As of block 151,223,32, there have been 73,399 addresses that have been sent a malicious token to target their assets, under the false impression of a $UNI airdrop based on their LPs— harry.eth (whg.eth) (@sniko_) July 11, 2022
Activity started ~2H ago
cc: @Uniswap @etherscan pic.twitter.com/5W51AikFuV
At least $4.7 million in ETH has been lost in the attack, according to a Twitter post from Binance CEO Changpeng “CZ” Zhao. However, there are also reports among the crypto community that there may be more significant losses from the incursion.
Prominent Crypto Twitter user 0xSisyphus noted on Monday that a “large LP” with around 16,140 ETH, worth $17.5 million, may have also been phished.
did a large LP get phished? https://t.co/3n6oruM8Hj— Sisyphus (@0xSisyphus) July 11, 2022
the v3 NFTs in 0x09b5 all originated from this wallet which has 16k ETH ($18m) sitting in it
How it works
According to Denley, the phishing attack works by sending unsuspecting users a “malicious token” called “UniswapLP” — made to appear to come from the legitimate “Uniswap V3: Positions NFT” contract by manipulating the “From” field shown in the blockchain transaction explorer.
Users curious about their new tokens would be directed to a website purporting to allow them to swap their new tokens for Uniswap (UNI), worth $5.34 each at the time of writing.
The website would instead send the users’ address and browser client info to the attackers’ command center, which would also attempt to drain cryptocurrency from their wallets.
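The “From” manipulation described above, as an added example that is not Uniswap’s, Etherscan’s or the author’s code: an explorer fills the “From” column from the Transfer event’s `from` topic, which the emitting contract chooses freely, while the log’s `address` (the emitting contract) cannot be forged. This hypothetical triage helper runs over constructed ERC-20 Transfer logs and flags tokens whose event claims a trusted sender but was emitted by an unknown contract; all contract addresses are constructed placeholders.

```python
from dataclasses import dataclass

# keccak256("Transfer(address,address,uint256)"), the ERC-20 Transfer event signature.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Constructed placeholder for the legitimate contract whose name the scam token borrows.
# Replace with the real address from an authoritative source before real use.
TRUSTED_SOURCES = {"0x1111111111111111111111111111111111111111": "Uniswap V3: Positions NFT (placeholder)"}

@dataclass
class Log:
    address: str   # contract that emitted the log; the emitter cannot forge this field
    topics: list   # [event signature, from, to] for an ERC-20 Transfer
    tx_from: str   # externally owned account that signed the transaction carrying the log

def topic_to_addr(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def classify(log: Log, wallet: str) -> str:
    """Verdict for one Transfer log from the point of view of the owner of `wallet`."""
    if len(log.topics) < 3 or log.topics[0] != TRANSFER_TOPIC:
        return "not-transfer"
    sender, recipient = topic_to_addr(log.topics[1]), topic_to_addr(log.topics[2])
    emitter = log.address.lower()
    if recipient != wallet.lower():
        return "unrelated"
    if emitter in TRUSTED_SOURCES:
        return "ok"                    # emitted by a contract we actually trust
    if sender in TRUSTED_SOURCES:
        return "spoofed-from"          # "From" names a trusted contract, but the token is unknown
    if log.tx_from.lower() != wallet.lower():
        return "unsolicited-airdrop"   # unknown token pushed to us by someone else's transaction
    return "unknown-token"

def triage(logs, wallet):
    return [classify(log, wallet) for log in logs]

def pad(addr: str) -> str:
    """Encode an address as a 32-byte indexed topic (constructed test helper)."""
    return "0x" + addr[2:].lower().rjust(64, "0")

WALLET = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"   # constructed victim wallet
SAMPLE_LOGS = [  # constructed sample logs, not real chain data
    # scam token (0x2222...) emitting a Transfer whose `from` claims the trusted contract
    Log("0x2222222222222222222222222222222222222222",
        [TRANSFER_TOPIC, pad("0x1111111111111111111111111111111111111111"), pad(WALLET)],
        "0x3333333333333333333333333333333333333333"),
    # genuine transfer emitted by the trusted contract itself
    Log("0x1111111111111111111111111111111111111111",
        [TRANSFER_TOPIC, pad("0x4444444444444444444444444444444444444444"), pad(WALLET)],
        "0x4444444444444444444444444444444444444444"),
    # unknown token minted (from the zero address) to the wallet by a third party
    Log("0x5555555555555555555555555555555555555555",
        [TRANSFER_TOPIC, pad("0x" + "0" * 40), pad(WALLET)],
        "0x6666666666666666666666666666666666666666"),
]
```

Run `triage(SAMPLE_LOGS, WALLET)` to see the three verdicts; only the log emitted by the trusted contract itself is accepted.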
On Wednesday, Uniswap Labs added its own detailed explanation on Twitter about how the scam worked, emphasizing that the incident was part of a phishing scam, not an exploit.
1/ Yesterday, some Uniswap LPs unfortunately fell for a phishing scam, a problem far too common in crypto today. To be clear: there was no exploit. The Protocol always was — and remains — secure. Here’s what happened.— Uniswap Labs (@Uniswap) July 12, 2022
Not an exploit
Binance’s CEO Zhao created some waves in the crypto markets when he first sounded alarms about the attack, calling it a “potential exploit” of the Uniswap protocol on the Ethereum blockchain.
Zhao clarified soon after with another post, sharing a conversation with the Uniswap team, who confirmed that the incident was a phishing attack rather than any issue with the protocol.
Connected with the @uniswap team. The protocol is safe.— CZ Binance (@cz_binance) July 11, 2022
The attack looks like it came from a phishing attack. Both teams responded quickly. All good. Sorry for the alarm.
Learn to protect yourself from phishing. Don't click on links. pic.twitter.com/FIXebz3iBC
CZ’s initial alarming comments coincided with a sharp drop in the Uniswap price, which fell to a 24-hour low of $5.34. Following the clarification, UNI has recovered to $5.48 at the time of writing but is still down 11% over 24 hours and 87.8% below its all-time high.
Update: Added the Twitter thread from Uniswap Labs explaining how the phishing scam works.