Some UniCats users have seen their entire token balance melt due to a malicious contract.
Yield farming users lose money after trusting DeFiNottide developer
Some yield farming users who were looking for quick profits have recently been misled by a DeFi protocol called UniCats – a scheme reminiscent of other more famous protocols like SushiSwap or Yam Finance.
According to ZenGo researcher Alex Manuskin, at least one of his users lost more than $140,000 in Uniswap UNI tokens, even after removing their funds from the protocol. Other users lost another $50,000, Manuskin told the Cointelegraph.
Users were victims of a malicious practice commonly seen in the DeFi sector, where most protocols ask for permission to remove unlimited amounts of a specific token from a client’s portfolio.
As the Cointelegraph previously published, decentralised applications such as Compound, Uniswap, Kyber and others usually have infinite permissions. This allows smart contracts to transact as much of a particular token as they want on behalf of each wallet owner.
Some portfolios will allow users to manually set an approved value, although this is usually set as the maximum possible value by default.
This was the case with UniCats, Manuskin explained: „What happened was not only a carpet tug and a farce, but also went after all the tokens approved by users.
‚No current blockchain can load all DeFi,‘ says MyEtherWallet founder
The UniCats contract contained a hidden function called „setGovernance“, which allows Bitcoin Loophole Scam its owner to operate any function on behalf of the contract. As users granted infinite approvals to this contract, the developer was able to drain all UNI balances from its users.
The tokens were immediately sold by Ether (ETH), who were then sent to Tornado Cash to be mixed, leading many to question whether the actions were premeditated.
DeFi Tokens are in overdraft, but revenue and TVL show that traders expect recovery
The incident highlights the importance of delegating funds only to approved and reliable projects. In the wake of yield farming mania, many lesser-known farms have been created to capitalise on the trend. Unfortunately, they were often pure money theft and had different types of backdoors. Many producers were harmed and their funds drained in similar incidents.
The difference for UniCats is that „builders“ are usually limited to tokens committed to the protocol. The infinite permission mechanism allows the contract to remove each token from the user’s wallet forever. The wallet is completely compromised until approval is withdrawn, which means that any new token sent to the address can be stolen in the same way.
The approval mechanism is required due to a limitation of the ERC-20 standard used by Ethereum tokens. DApps and smart contracts cannot detect whether a user has transferred funds to the contract. Therefore, the contract transfers the money on behalf of the user, which requires an approval. Newer standards, such as ERC-777, fix this flaw, although this type of token still has vulnerabilities and can become a victim of theft.
APY Finance’s yield farming platform secures $67 million in the first hour
The justification for setting infinite approvals is that users save on gas charges and time by not having to approve each transaction separately. However, as Bancor’s vulnerability showed in June, any compromise of a contract in the future exposes its users to theft, even if they have not interacted with the protocol for some time.
Translated with www.DeepL.com/Translator (free version)