Users of Uniswap (UNI), the largest decentralized exchange (DEX) operating on the Ethereum (ETH) blockchain, have fallen victim to a sophisticated phishing attack, reportedly losing over USD 8.1m worth of assets. Meanwhile, Binance CEO Changpeng Zhao (CZ) raised a false alarm about the incident, claiming that the protocol itself had been exploited.
The phishing attack attempted to rob users of their assets under the false impression of a UNI airdrop, according to MetaMask security analyst Harry Denley. He claimed that at least 73,399 addresses have been sent a malicious token to target their assets.
The hacker is said to have executed the phishing campaign on a major Uniswap V3 liquidity pool (LP). They seemingly sent a malicious token to addresses under the false pretense of a UNI airdrop, in an attempt to get users to sign the transaction.
"First, the malicious contract pollutes the event data so that block explorers index the 'From' as the legitimate 'Uniswap V3: Positions NFT' contract," Denley detailed, noting that when a user sees that "Uniswap V3: Positions NFT" sent them a token, they would get curious and check the token.
The token name directs users to a domain that imitates the real Uniswap branding. The website then executes a function that tries to steal the users' assets.
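A detection heuristic for the two signals described above, written as an added example (it is not code from the article or from Denley): it flags a Transfer log whose "From" names a labeled contract that took no part in the transaction, and a token name that contains a domain. The addresses are constructed placeholders, and the label list and the trace-derived `call_path` are assumptions about what the caller has available.

```python
import re

# keccak256("Transfer(address,address,uint256)"), shared by ERC-20 and ERC-721.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
DOMAIN_RE = re.compile(r"https?://|\b[a-z0-9-]+\.[a-z]{2,}\b", re.I)

# Constructed placeholder addresses, not real on-chain values.
TRUSTED, BAIT_TOKEN, SENDER, VICTIM = ("0x" + b * 20 for b in ("aa", "bb", "cc", "dd"))
LABELS = {TRUSTED: "Uniswap V3: Positions NFT"}  # assumed explorer-style label list


def pad(addr):
    """Encode an address as a 32-byte indexed topic."""
    return "0x" + "0" * 24 + addr[2:]


def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()


def review_transfer(log, call_path, token_name):
    """Return the reasons a Transfer log looks like spoofed airdrop bait.

    call_path: addresses that made or received a call in the transaction,
    taken from a trace (assumed to be available to the caller).
    """
    reasons = []
    if len(log["topics"]) < 2 or log["topics"][0] != TRANSFER_TOPIC:
        return reasons
    claimed_from = topic_to_address(log["topics"][1])
    participants = {a.lower() for a in call_path}
    label = LABELS.get(claimed_from)
    # The "from" field is whatever the emitting contract chose to log.
    if label and claimed_from not in participants:
        reasons.append(f"'from' claims {label}, which took no part in the transaction")
    if DOMAIN_RE.search(token_name):
        reasons.append("token name contains a domain")
    return reasons


# Constructed sample: the bait token logs a transfer "from" the labeled contract.
SAMPLE_LOG = {"address": BAIT_TOKEN, "topics": [TRANSFER_TOPIC, pad(TRUSTED), pad(VICTIM)]}

if __name__ == "__main__":
    for reason in review_transfer(SAMPLE_LOG, [SENDER, BAIT_TOKEN], "Claim at airdrop-example.com"):
        print("FLAG:", reason)
```

Both checks are heuristics: a labeled contract can legitimately appear as "from" without being called (for example through an allowance), so a flag is a reason to inspect the token, not proof of spoofing.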
According to on-chain data of the address identified as the attacker, a total of ETH 7,500 (USD 8.1m) has been laundered through crypto mixing service Tornado Cash. The address currently holds just ETH 70.
Binance CEO CZ initially raised a false alarm about the incident, saying that the protocol itself was exploited. "Our threat intel detected a potential exploit on Uniswap V3 on the ETH blockchain," he said in a tweet.
However, CZ later confirmed