Uniswap V3 Was Hit By A Phishing Attack, Users Lost $4,7 Million

The crypto turmoil from the past month gave ideal conditions for hackers to deploy a malicious scam on Uniswap V3, which ultimately led to liquidity providers losing a total of $4,7 million.

The hacker stole 4,295 ETH by deploying a phishing attack on Uniswap V3’s liquidity providers as a false impression of a UNI airdrop. Interestingly, the CEO of the biggest crypto exchange to date – Binance’s Chanpeng “CZ” Zhao” told his Twitter followers that his threat detection intelligence team detected the malicious behavior, with the hacker laundering the stolen funds through Tornado Cash.

Zhao further explained that Uniswap’s DeFi grandfather position made it easier for the exchange to list the token, despite the policy of personally contacting the team behind each project Binance lists on its platform. However, Zhao’s Twitter update sparked a wave of controversy, especially from those, who lost their funds in some of the Binance hacks from 2019 and 2021.

Shortly after the initial Tweet, CZ posted his conversation with the Uniswap team, with Uniswap disclosing that the attack was not due to a flaw in the code of the DeFi platform, but rather a sophisticated phishing scam.

It turns out that the hacker somehow was able to change the event data on the blockchain mimicking  Uniswap token airdropping to liquidity providers on the platform. The contract directed investors to a Uniswap copycat website, and once users connected their wallets, their cryptos were drained from their wallets.

How it all worked out?

Security researcher at MetaMask Harry Denley, reverse engineered the attack and showed that the phishing campaign targeted native coins Ethereum, Binance Coin, and Uniswap LP positions. The hacker managed to get to around 74,800 wallet addresses, spending a total of 8.5 ETH (around $9,000) to reach his victims.

“First, the malicious contract pollutes the event data so that block explorers index the "From" as the legitimate "Uniswap V3: Positions NFT" contract. Now that an address sees that "Uniswap V3: Positions NFT" sent them a token (without knowledge of the event pollution attack), they would get curious and check the token. The website hosted by the bad actors then calls ethall() on document click. The contents of this function are obfuscated, however, we can assimilate that it does two things - send your address and browser client info to /66312712367123.com, and attempts to steal assets.” Denley added.

UNI price plummets

Immediately after the phishing attack news, Uniswap’s native UNI token took a hit, dropping over 10% in just a couple of hours. The market forces, however, reacted accordingly and currently, UNI has a price tag of $5.77 after recovering from a low of $5.31 per token.