If you are not yet convinced that you should NOT be approving infinite tokens to some random smart contract/Dapp, here’s a story of how Jhon Doe lost $140K worth of UNI in their sleep. 👇
1/
Jhon sees a fancy new farming scheme called UniCats, and decides to put some money in. Who knows, it might be the next YFI.
https://etherscan.io/address/0xb246bcd5baac8e342941d0f803d528b6668e42cd
Jhon decides to deposit some $UNI, and gets the good old “Allow this Dapp to spend your UNI” message from Metamask, and thinks: “Oh, this again. Yeah, all the farming Dapps do that, why not 🤷‍♂️” And approves the transaction.
Jhon farms some $MEOW, and thinks, yea, I’m done with this game. I’ll pull out all my UNI and retire now.
https://etherscan.io/tx/0x751ae0fba597496f057426672fb736efdc837aa0860f1d626b4e7dd6e9052c80
https://etherscan.io/tx/0xaf90d9ff2e9dc63ef6c6082a18214f991cc52493b0cc5c47d84590faac798f42
What Jhon doesn’t know is that once you have approved a contract to spend ∞ tokens, that contract can take your tokens at any time. The allowance lives on the UNI token contract and is not tied to the deposit, so it still works even after the tokens were withdrawn from the farming scheme.
Introducing UniCat 👿, the owner of the UniCats farm. UniCat is a greedy bastard. Not only was the whole thing a rug pull and a scam, it also wants to go after all the approved tokens of the users.
UniCat adds a backdoor to the farming contract: the owner can call the "setGovernance" method, which makes the farm contract execute whatever calldata the owner passes, against any address the owner chooses.
So UniCat calls the setGovernance method, with a call to the UNI token, and the instruction to transfer Jhon’s tokens to the farm.
The passed tokens are then swapped to ETH on Uniswap.
https://ethtx.info/mainnet/0x479f2ad79b096c4f30eae9a82785bf43bd3c908a1557a3e6e87405668980222f
Jhon loses 26K UNI, and then another 10K UNI while they sleep.
https://etherscan.io/tx/0x638f3c364c730a66eacdb33317f4bc7c4e562c36678ad2cebd4a0caab3baffd6/advanced
https://etherscan.io/tx/0x479f2ad79b096c4f30eae9a82785bf43bd3c908a1557a3e6e87405668980222f
UniCat is a cunning bastard. To cover its tracks, for each new victim it creates a new smart contract and passes ownership of the farm to the new contract.
https://etherscan.io/tx/0xfc15dfea888baf71e87eed0ee6f065003bb21e80e3f79e95de38696c9af9ffaf/advanced#eventlog
Each new contract fishes out some funds, swaps them on Uniswap, and passes them to an address owned by UniCat. The stolen ETH is then moved into @TornadoCash, in batches of 100 ETH, before moving on to the next victim.
https://etherscan.io/tx/0x3d5b4f7c64956ff71c6f5883f95a7d8add233d7f792619056bc4805cb1f7467e
Jhon Doe wakes up to figure out that half of their UNI holdings are gone, swears off farming, and moves all their funds out of the account.
UniCat continues to fish for more victims.
https://etherscan.io/tx/0x6eb5b27d9985371e115f7c75d067e83efe69edc20d3c35415a3973e850e83a72/advanced
Epilogue:
If you have ever used the UniCats contract, make sure to revoke every (!) token you have approved, using tools such as https://tac.dappstar.io/#/
Never approve more than you need, especially for unaudited contracts.
Read our blog on how #baDAPProve works: https://medium.com/zengo/badapprove-defis-open-secret-security-issue-and-how-zengo-solves-it-4eb8693a7978
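To make the epilogue's advice concrete, here is an added example (not from the original thread) that replays a wallet's Approval logs to find which spenders still hold an allowance, rates an allowance() return word against the wallet's balance, and builds the approve(spender, 0) calldata that revokes it. The ERC-20 selectors and Approval topic are the standard ones; the wallet, farm and router addresses and the log entries are constructed sample data.

```python
# Added example (not from the original thread): audit ERC-20 allowances
# offline and build the calldata that revokes one. Selectors and topic are
# the standard ERC-20 values; the sample addresses/logs are constructed.
MAX_UINT256 = 2**256 - 1
APPROVE_SEL = bytes.fromhex("095ea7b3")    # approve(address,uint256)
ALLOWANCE_SEL = bytes.fromhex("dd62ed3e")  # allowance(address,address)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def addr_word(addr):
    """Left-pad a 20-byte hex address into a 32-byte ABI word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")

def allowance_calldata(owner, spender):
    """Calldata for an eth_call to token.allowance(owner, spender)."""
    return "0x" + (ALLOWANCE_SEL + addr_word(owner) + addr_word(spender)).hex()

def revoke_calldata(spender):
    """Calldata for token.approve(spender, 0), i.e. the revoke."""
    return "0x" + (APPROVE_SEL + addr_word(spender) + bytes(32)).hex()

def classify_allowance(ret_hex, balance):
    """Rate allowance()'s return word: none / bounded / exceeds_balance / infinite."""
    value = int(ret_hex, 16)
    if value == 0:
        return "none"
    if value == MAX_UINT256:
        return "infinite"
    return "exceeds_balance" if value > balance else "bounded"

def open_approvals(logs, owner):
    """Replay Approval logs in order; the last value per spender is live, 0 = revoked."""
    latest = {}
    for entry in logs:
        if entry["topics"][0] != APPROVAL_TOPIC:
            continue
        if entry["topics"][1][-40:].lower() != owner[2:].lower():
            continue
        latest["0x" + entry["topics"][2][-40:]] = int(entry["data"], 16)
    return {s: v for s, v in latest.items() if v}

# Constructed sample: FARM got an infinite approval, ROUTER a bounded one later revoked.
WALLET, FARM, ROUTER = ("0x" + b * 20 for b in ("11", "22", "33"))
def approval_log(spender, value):
    return {"topics": [APPROVAL_TOPIC, "0x" + addr_word(WALLET).hex(),
                       "0x" + addr_word(spender).hex()], "data": hex(value)}
SAMPLE_LOGS = [approval_log(FARM, MAX_UINT256), approval_log(ROUTER, 10**18),
               approval_log(ROUTER, 0)]
```

Running `open_approvals(SAMPLE_LOGS, WALLET)` leaves only the farm with its infinite allowance, which is exactly the entry that still needs `revoke_calldata(FARM)` sent to the token contract.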