Uniswap liquidity provider hacked for $8 million in phishing attack

Quick Take

  • A liquidity provider on Uniswap lost $8 million in a phishing attack.
  • The victim had mistakenly given access to the hacker through a fake airdrop.

On Monday, an unknown hacker reportedly stole from a wallet believed to be a liquidity provider on the Uniswap decentralized exchange (DEX). 

Smart contract security firm PeckShield told The Block that the liquidity provider had fallen victim to a phishing tactic, which allowed the hacker to steal more than 7,500 ether ($8 million). 

Prior to the incident, the hacker targeted the victim using a fake Uniswap airdrop token as phishing bait. When the victim claimed the token, they interacted with a malicious smart contract and inadvertently gave the hacker full control over their wallet.

At the time of the attack, the wallet was providing $8 million to a WBTC/USDC liquidity pool on Uniswap version 3 (making it a liquidity provider, or LP).


After gaining illegitimate access to the wallet, the hacker exited the user’s liquidity position, swapped the assets and transferred them out. While doing this, the hacker routed the funds through Tornado Cash, a transaction mixer on the Ethereum network.

Binance CEO Changpeng Zhao was the first to flag the incident. In a Twitter post, he initially claimed that there was a potential exploit in the protocol itself, before later posting an update noting that this wasn't the case and that it was just a phishing attack.

Uniswap founder Hayden Adams concurred, saying that the phishing attack was “totally separate from the protocol.”


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Vishal Chawla is The Block’s crypto ecosystems editor and has spent over six years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal likes to delve deep into blockchain intricacies to ensure readers are well-informed about the continuously evolving crypto landscape. He is also a staunch advocate for rigorous security practices in the space. Before joining The Block, Vishal held positions at IDG ComputerWorld, CIO, and Crypto Briefing. He can be reached on Twitter at @vishal4c and via email at [email protected]