If you are not yet convinced that you should NOT be approving infinite tokens to some random smart contract/Dapp, here’s a story of how Jhon Doe lost $140K worth of UNI in their sleep.
1/
Jhon sees a fancy new farming scheme called UniCats, and decides to put some money in. Who knows, it might be the next YFI.
https://etherscan.io/address/0xb246bcd5baac8e342941d0f803d528b6668e42cd
Jhon decides to deposit some $UNI, and gets the good old “Allow this Dapp to spend your UNI” message from Metamask, and thinks: “Oh, this again. Yeah, all the farming Dapps do that, why not 🤷‍♂️”

And approves the transaction.
What Jhon doesn’t know is that once you have approved the contract to spend ∞ tokens, the contract can take your tokens at any time, even after they were withdrawn from the farming scheme.
Introducing UniCat 👿, the owner of the UniCats farm. UniCat is a greedy bastard. Not only was the whole thing a rug pull and a scam, it also wants to go after all the approved tokens of the users.
UniCat adds a backdoor to the farming contract: whoever is the owner can call the "setGovernance" method, which executes any passed calldata against any address.
So UniCat calls the setGovernance method, with a call to the UNI token, and the instruction to transfer Jhon’s tokens to the farm.
The passed tokens are then swapped to ETH on Uniswap.

https://ethtx.info/mainnet/0x479f2ad79b096c4f30eae9a82785bf43bd3c908a1557a3e6e87405668980222f
UniCat is a cunning bastard. To cover their tracks, for each new victim it creates a new smart contract and passes the ownership of the farm to the new contract. https://etherscan.io/tx/0xfc15dfea888baf71e87eed0ee6f065003bb21e80e3f79e95de38696c9af9ffaf/advanced#eventlog
Epilogue:
If you have ever used the UniCats contract, make sure to revoke every (!) token approval you have given, using a tool such as https://tac.dappstar.io/#/

Never approve more than you need, especially for unaudited contracts.
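To make the two points of this thread concrete (an unused ∞ allowance survives withdrawal from the farm, and approve(0) revokes it), here is an added toy model of ERC-20 allowance semantics in Python. It is not the UniCats contract or any real token's code; the Token class, farm_round_trip and the "user"/"farm" names are invented for the illustration.

```python
# Toy model of ERC-20 allowance semantics (added illustration, not the UniCats
# contract or any real token's code; all names here are invented).
MAX_UINT256 = 2**256 - 1   # the "infinite" allowance farming dapps ask for

class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount   # approve(spender, 0) revokes

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves owner's tokens; allowed only within the approval."""
        allowed = self.allowance.get((owner, spender), 0)
        if allowed < amount or not self.transfer(owner, to, amount):
            return False
        # Common ERC-20 behaviour: an infinite allowance is never decremented.
        if allowed != MAX_UINT256:
            self.allowance[(owner, spender)] = allowed - amount
        return True

def farm_round_trip(approval, revoke_after_withdraw=False, deposit=100, wallet=1000):
    """User approves the farm for `approval`, deposits, withdraws, optionally
    revokes; then the farm owner's backdoor tries to pull the whole wallet.
    Returns (did the drain succeed, user's final balance)."""
    uni = Token({"user": wallet})
    uni.approve("user", "farm", approval)
    assert uni.transfer_from("farm", "user", "farm", deposit)   # stake
    assert uni.transfer("farm", "user", deposit)                # unstake
    if revoke_after_withdraw:
        uni.approve("user", "farm", 0)
    drained = uni.transfer_from("farm", "user", "farm", uni.balances["user"])
    return drained, uni.balances["user"]

if __name__ == "__main__":
    print(farm_round_trip(MAX_UINT256))        # (True, 0): leftover ∞ allowance drains the wallet
    print(farm_round_trip(100))                # (False, 1000): exact approval is used up by the deposit
    print(farm_round_trip(MAX_UINT256, True))  # (False, 1000): approve(0) after withdrawing closes the door
```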

Read our blog on how #baDAPProve works: https://medium.com/zengo/badapprove-defis-open-secret-security-issue-and-how-zengo-solves-it-4eb8693a7978
You can follow @amanusk_.