Two Uniswap users handed over $8 million in bitcoin and ether after airdrop scammers tempted them with just $2,000 worth of the exchange’s native UNI token.
On Monday, a phishing scam targeted Uniswap’s V3 liquidity providers (LPs) — crypto holders who provide the exchange with the capital it needs to facilitate trades.
The hacker(s) sent nearly 75,000 users scam tokens embedded with a smart contract that was programmed to drain crypto wallets.
Blockchain analytics firm PeckShield told CNET that one wallet lost 2,444 ETH ($2.5 million) and 201 BTC ($3.8 million). A second unlucky trader handed over 834 ETH ($850,000) and 39 BTC ($740,000).
The stolen funds, totalling $8 million, were all converted to ETH before being sent to crypto mixer Tornado Cash.
According to MetaMask security engineer Harry Denley, the hackers spent 8.53 ETH ($8,700) in gas fees to bombard 74,800 LPs with fake tokens that pointed to a malicious URL.
If they followed the URL, users were met with a message claiming they’d receive a UNI airdrop based on their stake in the Uniswap liquidity pool — LPs receive a token in the form of an NFT acknowledging their stake.
The website stated that more than 70,000 users had been invited to the airdrop but that there were only 10,000 UNI available. Etherscan data purports to show outgoing transfers worth 400 UNI ($2,000) each to tens of thousands of addresses that have all since been red-listed by the blockchain explorer.
Upon clicking the link to claim the tokens, the unwitting LP was prompted to sign a ‘setApprovalForAll()’ contract call that allowed the scammer to access and drain their liquidity position.
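A defender-side check for the approval prompt described above, as an added example that is not from the original article: it decodes raw transaction calldata before signing and flags a setApprovalForAll(operator, true) grant to an operator outside an allowlist. The function names, the allowlist and the sample operator address are assumptions constructed for illustration.

```python
# Added example: pre-signing check for setApprovalForAll calldata.
# 0xa22cb465 is the 4-byte selector of setApprovalForAll(address,bool),
# the ERC-721/ERC-1155 call that hands an operator control of every token
# the signer holds in that contract (here, the LP position NFTs).
SET_APPROVAL_FOR_ALL = "a22cb465"

def build_set_approval(operator, approved):
    """Build sample calldata (constructed test input, not captured traffic)."""
    flag = "1" if approved else "0"
    return "0x" + SET_APPROVAL_FOR_ALL + operator[2:].rjust(64, "0") + flag.rjust(64, "0")

def inspect_calldata(calldata_hex, trusted_operators=frozenset()):
    """Classify calldata: none, malformed, revocation, trusted-operator or high."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    result = {"function": None, "operator": None, "risk": "none"}
    if data[:8] != SET_APPROVAL_FOR_ALL:
        return result  # not the call this check is about
    result["function"] = "setApprovalForAll(address,bool)"
    args = data[8:]
    try:
        if len(args) < 128:  # two 32-byte ABI words are required
            raise ValueError("truncated arguments")
        operator_word = int(args[:64], 16)
        approved = int(args[64:128], 16)
    except ValueError:
        result["risk"] = "malformed"
        return result
    # The address is the low 20 bytes of the first ABI word.
    operator = "0x" + format(operator_word & ((1 << 160) - 1), "040x")
    result["operator"] = operator
    trusted = {a.lower() for a in trusted_operators}
    if approved == 0:
        result["risk"] = "revocation"        # removes an existing grant
    elif operator in trusted:
        result["risk"] = "trusted-operator"  # grant to an allowlisted contract
    else:
        result["risk"] = "high"              # blanket grant to an unknown operator
    return result

# Constructed placeholder operator address, for illustration only.
OPERATOR = "0x" + "ab" * 20
GRANT = build_set_approval(OPERATOR, True)
REVOKE = build_set_approval(OPERATOR, False)

if __name__ == "__main__":
    for label, tx in (("grant", GRANT), ("revoke", REVOKE)):
        print(label, inspect_calldata(tx))
```

A result of high means the prompt would give an unrecognized address transfer rights over all of the signer's tokens in that contract, which is the condition to stop on before signing.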
Uniswap’s real airdrop bastardized by scammers
Binance chief exec Changpeng Zhao was quick to tweet about the problem, alluding to an exploit of Uniswap’s protocol. However, he later admitted to being a little trigger-happy and apologized for creating panic.
In a tweet on Tuesday, blockchain security firm PeckShield stated that the fake tokens were sent to some big names in the crypto world including Vitalik Buterin and Justin Sun.
It’s been suggested that this latest grift may have been inspired by previous legit Uniswap airdrops. In September 2020, the exchange offered up 49 million UNI tokens to V1 and V2 liquidity providers.
And Uniswap isn’t alone in being a target for these types of attacks. The beleaguered Bored Ape Yacht Club (BAYC) has been hit by a number of phishing scams, including a recent fake airdrop of its ApeCoin token.
Hackers stole millions of dollars’ worth of NFTs after commandeering official social media accounts to post a phishing link offering access to an ApeCoin airdrop.