If you are not yet convinced that you should NOT be approving infinite tokens to some random smart contract/Dapp, here’s a story of how Jhon Doe lost $140K worth of UNI in their sleep.
1/

Jhon sees a fancy new farming scheme called UniCats, and decides to put some money in. Who knows, it might be the next YFI.
https://etherscan.io/address/0xb246bcd5baac8e342941d0f803d528b6668e42cd
Jhon decides to deposit some $UNI, and gets the good old “Allow this Dapp to spend your UNI” message from Metamask, and thinks: “Oh, this again. Yeah, all the farming Dapps do that, why not?”

And approves the transaction.
Jhon farms some $MEOW, and thinks: yeah, I’m done with this game. I’ll pull out all my UNI and retire now.
https://etherscan.io/tx/0x751ae0fba597496f057426672fb736efdc837aa0860f1d626b4e7dd6e9052c80 https://etherscan.io/tx/0xaf90d9ff2e9dc63ef6c6082a18214f991cc52493b0cc5c47d84590faac798f42
What Jhon doesn’t know is that once you have approved the contract to spend ∞ tokens, the contract can take those tokens at any time, even after they were withdrawn from the farming scheme.
Introducing UniCat, the owner of the UniCats farm. UniCat is a greedy bastard. Not only was the whole thing a rug pull and a scam, it also wants to go after all the approved tokens of the users.

UniCat adds a backdoor to the farming contract: the owner can call the "setGovernance" method, which lets them send arbitrary calldata to any address.
So UniCat calls the setGovernance method, with a call to the UNI token, and the instruction to transfer Jhon’s tokens to the farm.
The passed tokens are then swapped to ETH on Uniswap.
https://ethtx.info/mainnet/0x479f2ad79b096c4f30eae9a82785bf43bd3c908a1557a3e6e87405668980222f
Jhon loses 26K UNI, and then another 10K UNI while they sleep.
https://etherscan.io/tx/0x638f3c364c730a66eacdb33317f4bc7c4e562c36678ad2cebd4a0caab3baffd6/advanced
https://etherscan.io/tx/0x479f2ad79b096c4f30eae9a82785bf43bd3c908a1557a3e6e87405668980222f
UniCat is a cunning bastard. To cover their tracks, for each new victim, it creates a new smart contract and passes the ownership of the farm to the new contract. https://etherscan.io/tx/0xfc15dfea888baf71e87eed0ee6f065003bb21e80e3f79e95de38696c9af9ffaf/advanced#eventlog
Each new contract fishes out some funds, swaps them on Uniswap, and passes them to an address owned by UniCat. The stolen ETH is then moved into @TornadoCash in batches of 100 ETH before moving on to the next victim https://etherscan.io/tx/0x3d5b4f7c64956ff71c6f5883f95a7d8add233d7f792619056bc4805cb1f7467e
Jhon Doe wakes up to figure out that half of their UNI holdings are gone, swears off farming, and moves all their funds out of the account.
UniCat continues to fish for more victims https://etherscan.io/tx/0x6eb5b27d9985371e115f7c75d067e83efe69edc20d3c35415a3973e850e83a72/advanced
Epilogue:
If you have ever used the UniCats contract, make sure to revoke every token you have approved, using a tool such as https://tac.dappstar.io/#/
Never approve more than you need, especially for unaudited contracts.
Read our blog on how #baDAPProve works https://medium.com/zengo/badapprove-defis-open-secret-security-issue-and-how-zengo-solves-it-4eb8693a7978
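As an added example that is not part of the thread, here is a small Python model of ERC-20 allowance bookkeeping. It replays the story above (deposit, withdraw, then the farm's owner pulls from the user again) and shows why the unlimited approval keeps working after the withdrawal while an exact-amount approval does not. The names, amounts and the `farm_round`/`is_unlimited` helpers are constructed for this example.

```python
MAX_UINT256 = 2**256 - 1


class Token:
    """Minimal ERC-20 balance/allowance bookkeeping (constructed model)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def transfer_from(self, spender, owner, to, amount):
        # Same checks a real token makes: enough allowance and enough balance.
        if self.allowance(owner, spender) < amount:
            return False
        if not self.transfer(owner, to, amount):
            return False
        # Most tokens never decrement an unlimited allowance, so it persists.
        if self.allowances[(owner, spender)] != MAX_UINT256:
            self.allowances[(owner, spender)] -= amount
        return True


def farm_round(approval, deposit, holdings=36_000, drains=(26_000, 10_000)):
    """Deposit into the farm, withdraw everything, then let the farm's owner
    pull from the user again. Returns how much those later pulls obtain."""
    token = Token({"user": holdings})
    token.approve("user", "farm", approval)
    assert token.transfer_from("farm", "user", "farm", deposit)  # deposit
    assert token.transfer("farm", "user", deposit)               # withdraw
    # The farm owner now routes transferFrom calls through the farm contract.
    return sum(a for a in drains if token.transfer_from("farm", "user", "farm", a))


def is_unlimited(allowance, threshold=2**255):
    """Flag allowances worth revoking: anything near the uint256 maximum."""
    return allowance >= threshold
```

With the unlimited approval the two later pulls empty the wallet; with an approval equal to the deposit, the allowance is already spent and both pulls fail.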