If you are not yet convinced that you should NOT be approving infinite tokens to some random smart contract/Dapp, here’s a story of how Jhon Doe lost $140K worth of UNI in their sleep.
1/
👇
Jhon sees a fancy new farming scheme called UniCats, and decides to put some money in. Who knows, it might be the next YFI
https://etherscan.io/address/0xb246bcd5baac8e342941d0f803d528b6668e42cd
Jhon decides to deposit some $UNI, and gets the good old “Allow this Dapp to spend your UNI” message from Metamask, and thinks. “Oh, this again. Yeah, all the farming Dapps do that, why not 🤷‍♂️

And approves the transaction
Jhon farms some $MEOW, and thinks, yea, I’m done with this game. I’ll pull out all my UNI and retire now

https://etherscan.io/tx/0x751ae0fba597496f057426672fb736efdc837aa0860f1d626b4e7dd6e9052c80 https://etherscan.io/tx/0xaf90d9ff2e9dc63ef6c6082a18214f991cc52493b0cc5c47d84590faac798f42
Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0xaf90d9ff2e9dc63ef6c6082a18214f991cc52493b0cc5c47d84590faac798f42. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

https://etherscan.io/tx/0x751ae0fba597496f057426672fb736efdc837aa0860f1d626b4e7dd6e9052c80
What Jhon doesn’t know, is that once you approved the contract to use ∞ tokens, the contract can take their tokens at any time. Even after they were withdrawn from the farming scheme.
Introducing UniCat 👿, the owner of the UniCats farm. UniCat is a greedy bastard. Not only was the whole thing a rug pull and a scam, it also wants to go after all the approved tokens of the users.
UniCat adds a backdoor to the farming contract. Anyone who is the owner can call the "setGovernance" method, with the privilege to call any passed data, to any address.
So UniCat calls the setGovernance method, with a call to the UNI token, and the instruction to transfer Jhon’s tokens to the farm.
The passed tokens are then swapped to ETH on Uniswap.

https://ethtx.info/mainnet/0x479f2ad79b096c4f30eae9a82785bf43bd3c908a1557a3e6e87405668980222f
Jhon loses 26K UNI, and then another 10K UNI while they sleep

https://etherscan.io/tx/0x638f3c364c730a66eacdb33317f4bc7c4e562c36678ad2cebd4a0caab3baffd6/advanced

https://etherscan.io/tx/0x479f2ad79b096c4f30eae9a82785bf43bd3c908a1557a3e6e87405668980222f
UniCat is a cunning bastard. To cover their tracks, for each new victim, it creates a new smart contract and passes the ownership of the farm to the new contract. https://etherscan.io/tx/0xfc15dfea888baf71e87eed0ee6f065003bb21e80e3f79e95de38696c9af9ffaf/advanced#eventlog
Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0xfc15dfea888baf71e87eed0ee6f065003bb21e80e3f79e95de38696c9af9ffaf. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

https://etherscan.io/tx/0xfc15dfea888baf71e87eed0ee6f065003bb21e80e3f79e95de38696c9af9ffaf/advanced#eventlog
Each new contract fishes out some funds, swaps them on Uniswap, and passes them to and address owned by UniCat. Stolen ETH are then moved into @TornadoCash , in bulks of 100ETH before moving on to the next victim https://etherscan.io/tx/0x3d5b4f7c64956ff71c6f5883f95a7d8add233d7f792619056bc4805cb1f7467e
Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0x3d5b4f7c64956ff71c6f5883f95a7d8add233d7f792619056bc4805cb1f7467e. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

https://etherscan.io/tx/0x3d5b4f7c64956ff71c6f5883f95a7d8add233d7f792619056bc4805cb1f7467e
Jhon Doe wakes up to figure out that half of their UNI holdings are gone, swears off farming, and moves all their funds out of the account.

UniCat continues to fish for more victims https://etherscan.io/tx/0x6eb5b27d9985371e115f7c75d067e83efe69edc20d3c35415a3973e850e83a72/advanced
Ethereum Transaction Hash (Txhash) Details | Etherscan

Ethereum (ETH) detailed transaction info for txhash 0x6eb5b27d9985371e115f7c75d067e83efe69edc20d3c35415a3973e850e83a72. The transaction status, block confirmation, gas fee, Ether (ETH), and token...

https://etherscan.io/tx/0x6eb5b27d9985371e115f7c75d067e83efe69edc20d3c35415a3973e850e83a72/advanced
Epiloge:
If you have ever used the UniCats contract, make sure to revoke every! token you have approved using tools e.g. https://tac.dappstar.io/#/ 

Never approve more than you need especially for unaudited contracts

Read our blog on how #baDAPProve works https://medium.com/zengo/badapprove-defis-open-secret-security-issue-and-how-zengo-solves-it-4eb8693a7978
baDAPProve: DeFi’s Open Secret Security Issue and How ZenGo Solves it

Introduction

https://tac.dappstar.io/#/
You can follow @amanusk_.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more