Scams are on the rise. With the popularity of Uniswap's governance token (UNI), scams were bound to flourish. UniCats is one such case: it exploits the trust of its users to drain their accounts.
UniCats: the scam in all its glory
On Monday, October 5, Alex Manuskin, a researcher at ZenGo, brought to light the UniCats scam, responsible for the theft of at least $140,000 in UNI tokens.
It presented itself as yet another yield farming protocol, one that lets users generate MEOW tokens by depositing UNI tokens.
Manuskin tells the story of an anonymous user nicknamed "Jhon Doe". After discovering UniCats, Jhon decides to deposit his UNI tokens there, hoping to take part in the latest fashionable yield farming protocol.
When Jhon interacts with the smart contract, it asks him to "allow this dApp to spend [his] UNI". This is a very common prompt in decentralized finance, and he accepts it without asking any questions.
After generating a few MEOW tokens, he decides it is time to withdraw his UNI tokens, which he does. The story should end there, but that was without counting on the dishonesty of UniCat, the creator of UniCats.
Indeed, UniCat had coded a backdoor into the smart contract of his yield farming protocol, in the form of a method called "setGovernance". This method lets him make a call with any data to any address.
"UniCat therefore calls the setGovernance method, with a call to the UNI token and the instruction to transfer the tokens from Jhon to the farm. Passed tokens are then exchanged for ETH on Uniswap." - Alex Manuskin
Thus, while he sleeps, Jhon loses 26,000 UNI, then 10,000 UNI, in 2 separate transactions. The UniCat scammer thereby retained control not only over all the funds delegated to the protocol, but also over all those held in poor Jhon's original address.
Once the funds have been recovered by UniCat and converted to ETH on Uniswap, they are sent to an address belonging to him via Tornado.cash, an application that mixes ETH in order to anonymize transactions on Ethereum.
Be careful with the permissions!
This scam highlights a common problem in the DeFi ecosystem: many smart contracts request permission to spend an unlimited amount of tokens when you want to deposit funds.
This practice is often criticized, but it persists nonetheless. To protect yourself from such scams, it is advisable to set a maximum amount in the authorization (the allowance) you grant to the smart contract.
In addition, it is always wise to test a new protocol with a small sum first, to make sure beforehand that it actually provides the service it advertises.
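As an added illustration of the advice above (example code written for this page, not code from the article, ZenGo or UniCats), the following Node.js snippet decodes the calldata of an ERC-20 approve() request that a dApp asks a wallet to sign, flags an infinite allowance, and rebuilds the approval capped at the amount the user actually intends to deposit. The spender address and amounts are constructed sample values; the approve selector 0x095ea7b3 is the standard ERC-20 one.

```javascript
// Added example (not from the article, ZenGo or UniCats): inspect the calldata
// of an ERC-20 approve() before signing it, and build a bounded replacement.
// All addresses and amounts below are constructed sample values.

// Function selector of approve(address,uint256): first 4 bytes of keccak256 of the signature.
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;

// Build calldata for approve(spender, amount); amount is a BigInt in token base units.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("bad spender address");
  if (amount < 0n || amount > MAX_UINT256) throw new Error("amount out of range");
  return "0x" + APPROVE_SELECTOR + addr.padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// Parse approve() calldata back into { spender, amount }; null if it is not a well-formed approve.
function decodeApprove(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || !/^[0-9a-f]+$/.test(hex)) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  // The address occupies the low 20 bytes of its 32-byte word; the high 12 bytes must be zero.
  if (hex.slice(8, 32) !== "0".repeat(24)) return null;
  return { spender: "0x" + hex.slice(32, 72), amount: BigInt("0x" + hex.slice(72)) };
}

// Classify an approval relative to what the user actually intends to deposit:
// "unlimited" = the classic infinite allowance, "exceeds-deposit" = more than the planned
// deposit (still lets the spender drain the surplus later), "bounded" = covers only the deposit.
function reviewApproval(calldata, plannedDeposit) {
  const call = decodeApprove(calldata);
  if (call === null) return { risk: "not-an-approve" };
  let risk = "bounded";
  if (call.amount === MAX_UINT256) risk = "unlimited";
  else if (call.amount > plannedDeposit) risk = "exceeds-deposit";
  return { risk, spender: call.spender, amount: call.amount };
}

// Replace the requested approval with one capped at the planned deposit, same spender.
function boundedApproval(calldata, plannedDeposit) {
  const call = decodeApprove(calldata);
  if (call === null) throw new Error("not an approve() call");
  return encodeApprove(call.spender, plannedDeposit);
}

// Walk-through: the farm asks for an infinite allowance, the user only wants to stake 100 UNI.
const FARM = "0x1111111111111111111111111111111111111111"; // constructed spender address
const ONE_UNI = 10n ** 18n; // UNI has 18 decimals
const requested = encodeApprove(FARM, MAX_UINT256);
console.log(reviewApproval(requested, 100n * ONE_UNI).risk); // "unlimited"
console.log(reviewApproval(boundedApproval(requested, 100n * ONE_UNI), 100n * ONE_UNI).risk); // "bounded"
```

A bounded allowance limits what a backdoor like setGovernance can pull through transferFrom to the amount you chose, instead of your whole balance.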