Uniswap liquidity provider hacked for $8 million in phishing attack

Quick Take

  • A liquidity provider on Uniswap lost $8 million in a phishing attack.
  • The victim had mistakenly given access to the hacker through a fake airdrop.

On Monday, an unknown hacker reportedly stole from a wallet believed to be a liquidity provider on the Uniswap decentralized exchange (DEX). 

Smart contract security firm PeckShield told The Block that the liquidity provider had fallen victim to a phishing tactic, which allowed the hacker to steal more than 7,500 ether ($8 million). 

Prior to the incident, the hacker targeted the victim using a fake Uniswap airdrop token as phishing bait. When the victim claimed the token, they interacted with a malicious smart contract and inadvertently gave the hacker full control over their wallet.

At the time of the attack, the wallet was providing $8 million to a WBTC/USDC liquidity pool on Uniswap version 3 (making it a liquidity provider, or LP).

After gaining illegitimate access to the wallet, the hacker exited the user’s liquidity position, swapped the assets and transferred them out. While doing this, the hacker routed the funds through Tornado Cash, a transaction mixer on the Ethereum network.

Binance CEO Changpeng Zhao was the first to flag the incident. In a Twitter post, he initially claimed that there was a potential exploit in the protocol itself, before later posting an update noting that this wasn't the case and that it was just a phishing attack.

Uniswap founder Hayden Adams concurred, saying that the phishing attack was “totally separate from the protocol.”

© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.