More than 4,000 ETH stolen on Uniswap V3

Yesterday, Binance founder and CEO Changpeng CZ Zhao revealed that there was a potential exploit on Uniswap V3 due to which 4,295 ETH were stolen.

4,295 ETH (Ethereum) corresponds to about $4.5 million, and would be laundered through Tornado Cash

However, this would not be the result of an actual hack, or a bug, but a phishing campaign

What is phishing?

Phishing is a technique adopted by some scammers who manage to convince users to give them their login credentials voluntarily, often posing as legitimate operators. 

The most commonly used phishing technique is that of a fake site that faithfully replicates another in order to induce the unlucky parties to enter their login credentials believing it to be the legitimate website. 

In this specific case, It would appear that Uniswap v3 protocol liquidity providers (LPs) were targeted. According to some community members, the losses may be greater than those highlighted by CZ. 

One explanation was provided by MetaMask security researcher Harry Denley, who was already reporting on Monday that 73,399 addresses were sent a malicious token passed off as a UNI airdrop (Uniswap’s governance token). 

Fake Uniswap V3 

The malicious smart contract was pretending that the source of these tokens was “Uniswap V3: Positions NFT”, while the name of the token led back to the domain uniswaplp.com, which has nothing to do with Uniswap but pretended to be the DEX

This website then required users to send their real tokens to the hackers’ address. On Monday, Denley pointed out that with this technique the hackers had already taken possession of ETH, ERC20 tokens and NFTs totaling $30,000

It was later discovered that the address that created the fake NFTs contained more than 16,000 ETH, or more than $18 million. 

CZ himself later had to rectify his first tweet and said that it was not an exploit, confirming the phishing attack hypothesis, admitting that the Uniswap V3 protocol is secure, and offering an apology. 


Source: https://en.cryptonomist.ch/2022/07/13/4000-eth-stolen-uniswap-v3/