One of the mind-boggling aspects of crypto is airdrops because they literally create money from thin air. While they can come through and significantly boost your portfolio, some can wipe it clean. The latter is what happened to one Uniswap LP whale who accidentally got phished.
On July 11, 2022, scammers made away with $4.7 million worth of ETH. The LP whale fell victim to a phishing attack that promised an airdrop of UNI tokens to all UNIv3 LPs. The hackers then proceeded to steal 4295 ETH (about $4.7 million) from his wallet.
The Hack Demystified
The malicious code makes block explorers index the ‘From’ field as the legitimate “Uniswap V3: Positions NFT” contract, so a victim sees that “Uniswap V3: Positions NFT” sent them tokens. Curious, they proceed to check the tokens, and the token name leads them to the domain “/uniswaplp.com”, which imitates the real Uniswap brand.
In this phishing attack, the victim sees an announcement on the fake Uniswap website (“/uniswaplp.com”) and proceeds to interact with it. When the victim clicks on the “click here to claim” button, the website, which is hosted by the hackers, calls the ethall() function. This function’s contents are not yet clear, but the bottom line is that it does two things:
- It sends the address of the victim and the browser client information to “/66312712367123.com”.
- It attempts to steal assets.
The first action is estimated to serve the attackers in expanding their campaigns or in continued monitoring; the second action is the one that wipes the victim’s account clean. The ethall() function tries to steal assets either by calling the setApprovalForAll() function or by asking the victim to send the native token to the attackers’ address, which is 0x727a4BfE7FB2F70C218A2408709651706ec60A81.
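Both theft paths described above are visible in the transaction request before it is signed. The following is an added example, not code from the phishing site or from Uniswap: a screening check that decodes the request and flags a setApprovalForAll() grant to an unknown operator or a plain native-token transfer to an unknown address. The function name screenTransaction, the allowlist and the placeholder addresses are assumptions made for illustration.

```javascript
// Selector of setApprovalForAll(address,bool), shared by ERC-721 and ERC-1155.
const SET_APPROVAL_FOR_ALL = "a22cb465";
// Hypothetical allowlist of operators the user already trusts (constructed value).
const TRUSTED = new Set(["0x1111111111111111111111111111111111111111"]);

// Returns a list of findings for one eth_sendTransaction-style request.
function screenTransaction(tx, trusted = TRUSTED) {
  const data = (tx.data || "0x").toLowerCase().replace(/^0x/, "");
  const value = BigInt(tx.value || "0x0");
  const findings = [];
  if (data.startsWith(SET_APPROVAL_FOR_ALL)) {
    const args = data.slice(8); // two 32-byte ABI words: operator, approved
    if (args.length < 128) {
      findings.push({ risk: "high", reason: "malformed setApprovalForAll calldata" });
    } else {
      const operator = "0x" + args.slice(24, 64);
      const approved = BigInt("0x" + args.slice(64, 128)) !== 0n;
      if (approved && !trusted.has(operator)) {
        findings.push({ risk: "high", operator,
          reason: "lets operator move every token the wallet holds in this collection" });
      }
    }
  }
  // Plain transfer: no calldata, non-zero value, recipient not on the allowlist.
  if (data.length === 0 && value > 0n && !trusted.has((tx.to || "").toLowerCase())) {
    findings.push({ risk: "medium", to: tx.to, reason: "native-token transfer to unknown address" });
  }
  return findings;
}

// Constructed sample requests (placeholder addresses except the one quoted in the article).
const pad = (hex) => hex.replace(/^0x/, "").toLowerCase().padStart(64, "0");
const encodeApproval = (operator, approved) =>
  "0x" + SET_APPROVAL_FOR_ALL + pad(operator) + pad(approved ? "1" : "0");
const UNKNOWN_OPERATOR = "0x2222222222222222222222222222222222222222";
const SAMPLE_APPROVAL = {
  to: "0x3333333333333333333333333333333333333333", // placeholder NFT contract
  data: encodeApproval(UNKNOWN_OPERATOR, true),
};
const SAMPLE_TRANSFER = {
  to: "0x727a4BfE7FB2F70C218A2408709651706ec60A81", // address named in the article
  value: "0xde0b6b3a7640000", // 1 ETH in wei, constructed amount
  data: "0x",
};

console.log(screenTransaction(SAMPLE_APPROVAL), screenTransaction(SAMPLE_TRANSFER));
```

A revocation (approved set to false) and a grant to an allowlisted operator both pass without findings, so the check only fires on new blanket approvals and unexplained transfers.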
The phishing attack code might also be designed to attack victims on Solana and probably Binance Smart Chain.