An analysis by Alex Manuskin of ZenGo, published today on Twitter, alleges that the "yield farming" project UniCats stole approximately $200,000 worth of Uniswap (UNI) tokens from numerous Ethereum users.
Manuskin concluded that UniCats built a "backdoor" into its yield farming smart contract that gave the platform full control over users' tokens even after those users had withdrawn them from the farming pool, because the token approval they had granted to the contract remained in force.
Manuskin walked through how one anonymous user, referred to as "Jhon Doe" for privacy reasons, apparently lost $140,000 worth of UNI to the scam. The researcher suggested that Doe fell for the fraud on the assumption that farming with UniCats might turn out to be "the next YFI".
Yield farming dapps commonly ask users for permission to spend an unlimited number of their tokens (an "infinite approval"), and the user in question granted such a request, seen in the image below:
The researcher then used an Etherscan transaction record to show that the user farmed "some $MEOW" before deciding to withdraw all of his UNI tokens from the pool. Manuskin explained the process in a tweet:
To cover their tracks, the UniCats developers deployed new smart contracts "for each new victim" and moved the stolen funds in 100 ETH batches into Tornado Cash, an experimental privacy mixer for Ethereum that makes tracing the destination of funds extremely difficult.
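The approve-farm-withdraw-drain sequence described above can be reproduced in a small model of the ERC-20 allowance mechanism. The following Python is an added illustration written for this article, not UniCats' contract or ZenGo's analysis; the token, pool, account names ("victim", "scammer", "pool") and the `drain` backdoor are all constructed here to show why a leftover unlimited allowance is enough for a pool owner to empty a wallet that has already left the pool, and why an exact approval or a later `approve(0)` stops it.

```python
"""Model of the ERC-20 allowance weakness behind the UniCats story.

Added example: the contracts, names and amounts below are constructed
for illustration and are not UniCats' actual code.
"""

UINT256_MAX = 2**256 - 1  # the "infinite" approval value dapps commonly request


class ERC20:
    """Minimal in-memory ERC-20: balances plus (owner, spender) allowances."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def approve(self, owner, spender, amount):
        # approve() overwrites the previous value; approve(spender, 0) revokes
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount

    def transfer_from(self, spender, owner, to, amount):
        """spender (msg.sender) moves owner's tokens within its allowance."""
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("allowance exceeded")
        # many token implementations do not decrement an unlimited allowance
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.transfer(owner, to, amount)


class FarmingPool:
    """Staking pool whose owner can call transfer_from on anyone who ever approved it."""

    POOL = "pool"  # the pool contract's own address (assumed name)

    def __init__(self, token, owner):
        self.token = token
        self.owner = owner
        self.staked = {}

    def deposit(self, user, amount):
        self.token.transfer_from(self.POOL, user, self.POOL, amount)
        self.staked[user] = self.staked.get(user, 0) + amount

    def withdraw(self, user):
        amount = self.staked.pop(user, 0)
        self.token.transfer(self.POOL, user, amount)
        return amount

    def drain(self, caller, victim):
        """Owner-only backdoor: spends whatever allowance the victim left behind."""
        if caller != self.owner:
            raise PermissionError("not owner")
        loot = self.token.balance_of(victim)
        self.token.transfer_from(self.POOL, victim, self.owner, loot)
        return loot


def unlimited_approvals(token, owner):
    """The check a user can run before and after farming: who holds an infinite allowance?"""
    return [s for (o, s), amt in token.allowances.items() if o == owner and amt == UINT256_MAX]


def scenario(approval, revoke_after=False):
    """Approve, stake 100, withdraw everything, then let the owner try the backdoor.

    Returns (victim balance, scammer balance) after the attempt.
    """
    token = ERC20({"victim": 1000})
    pool = FarmingPool(token, owner="scammer")
    token.approve("victim", pool.POOL, approval)
    pool.deposit("victim", 100)
    pool.withdraw("victim")          # the user now holds all 1000 UNI again
    if revoke_after:
        token.approve("victim", pool.POOL, 0)  # mitigation: revoke the allowance
    try:
        pool.drain("scammer", "victim")
    except PermissionError:
        pass                          # no usable allowance: the backdoor fails
    return token.balance_of("victim"), token.balance_of("scammer")


if __name__ == "__main__":
    print("infinite approval:", scenario(UINT256_MAX))
    print("exact approval:   ", scenario(100))
    print("revoked after:    ", scenario(UINT256_MAX, revoke_after=True))
```

With an infinite approval the owner walks away with the full 1000 tokens even though the victim had withdrawn from the pool; with an approval of exactly the staked amount the allowance is consumed by the deposit and the drain fails; and revoking the allowance after withdrawing has the same effect. On a real chain the equivalent check is reading `allowance(owner, spender)` on the token contract for every spender you have ever approved, and the equivalent fix is calling `approve(spender, 0)`.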
Manuskin noted in his analysis that this would be the first scam to exploit a farming pool in this way. Recently, Bancor, a decentralized liquidity protocol, was attacked by hackers who found a similar vulnerability in its smart contracts, leading to a loss of user funds.