Menu
Browse

Cyber Incident Victim: Uniswap

Date:

Jul 2022

Location:

United States of America

Summary

A phishing attack targeting Uniswap deceived users by distributing fraudulent ERC20 tokens impersonating an airdrop, directing recipients to a malicious domain mimicking the legitimate platform. Victims were tricked into approving a transaction granting attackers full access to their wallets via the "setApprovalForAll" function, enabling the theft of 7,574 ETH (approximately $8 million). The stolen funds were rapidly laundered through Tornado Cash. The decentralized exchange confirmed its protocol remained secure, attributing losses solely to user manipulation through the phishing scheme, which exploited spoofed sender data and a counterfeit website to falsely display Uniswap as the transaction originator.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actors Type Location
0 actors Available to members Available to members

Description

On July 11, 2022, attackers executed a large-scale phishing campaign targeting Uniswap liquidity providers (LPs), resulting in the theft of approximately $8 million worth of Ethereum. The threat actors created a fraudulent ERC20 token and distributed it via airdrop to 73,399 addresses holding UNI tokens, spending 8.5 ETH in transaction fees to facilitate the mass distribution. Recipients were directed to a phishing domain, "uniswaplp[.]com," designed to mimic Uniswap's legitimate "uniswap.org" domain. The scam website displayed a deceptive interface impersonating "Uniswap V3: Positions NFT," prompting users to click a "Click here to claim" button that appeared to offer free UNI tokens. This action triggered a malicious transaction containing a masked "setApprovalForAll" function, which granted the attackers full control over victims' wallets upon approval. Researchers later identified that the attackers abused the emit function of their contract to falsify transaction data, causing block explorers to display "Uniswap" as the sender address and enhance the scam's credibility.

Cyber Incident Image

The attackers successfully drained 7,574 ETH from compromised wallets, transferring 7,500 ETH to the Tornado Cash mixing service shortly after the theft. Uniswap Labs confirmed via Twitter that the protocol itself remained secure and had not suffered any exploit, characterizing the incident as a phishing scam common within the cryptocurrency ecosystem. MetaMask responded by adding the malicious domain to its warning list to prevent further victimization. The attack exclusively targeted Uniswap v3 LP tokens, which the attackers redeemed for ETH from victim wallets after gaining approval access. No vulnerabilities in Uniswap's smart contracts or infrastructure were leveraged, as the theft relied entirely on social engineering tactics deceiving users into authorizing malicious transactions. The incident highlighted the risks associated with unauthorized airdrops and domain impersonation in decentralized finance ecosystems.

Sources
Sources available to members
1 source