An Ethereum investor in UNI Token has lost $140k in the new yield farming project UniCats. According to a report from Alex Manuskin, a researcher at crypto wallet ZenGo, the investor stumbled upon a new yield farming project known as UniCats and decided to move some UNI tokens, the governance token of the Uniswap exchange, into its liquidity pool.
The user, John Doe, must have thought that this would be the next YFI, an experimental DeFi project that pumped from zero to over $40k within the space of two months. As Doe was interacting with the platform, he was asked to give it permission to spend an unlimited number of tokens. Since that is not noted to be a common practice in the DeFi world, Doe gave the permission.
“What John doesn’t know, is that once you approved the contract to use [infinite] tokens, the contract can take their tokens at any time. Even after they were withdrawn from the farming scheme,” said Manuskin.
So with this backdoor code, the UniCats owner was able to use the “set governance” command to move the tokens even after Doe had stopped providing liquidity. The funds were moved twice, first 26,000 UNI and then 10,000 UNI, which amounts to $140k. They were later swapped for more than 416 WETH on Uniswap.
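An unlimited approval is visible in the transaction data before it is signed, and withdrawing from a pool does not change it; only a new approval of zero revokes it. The sketch below is an added example, not code from ZenGo or from the original report: it decodes standard ERC-20 `approve(address,uint256)` calldata and classifies the allowance against the amount the user means to deposit. The function names, the spender address and the amounts are constructed for illustration.

```python
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1        # the allowance value wallets show as "unlimited"
UNIT = 10**18                   # UNI uses 18 decimals

def _strip0x(hex_str):
    hex_str = hex_str.lower()
    return hex_str[2:] if hex_str.startswith("0x") else hex_str

def decode_approve(calldata_hex):
    """Return (spender, amount) for approve() calldata, or None for anything else."""
    data = _strip0x(calldata_hex)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:   # an address is left-padded with zeros to 32 bytes
        return None
    try:
        int(spender_word, 16)
        return "0x" + spender_word[24:], int(amount_word, 16)
    except ValueError:                  # non-hex characters in the payload
        return None

def review_approval(calldata_hex, intended_deposit):
    """Classify an approval relative to the amount the user intends to deposit."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return "not-an-approve"
    amount = decoded[1]
    if amount == 0:
        return "revoke"
    if amount == MAX_UINT256:
        return "unlimited"
    return "exceeds-deposit" if amount > intended_deposit else "bounded"

def build_approve(spender, amount):
    """Encode approve(spender, amount); amount=0 revokes an existing allowance."""
    addr = _strip0x(spender)
    if len(addr) != 40 or not 0 <= amount <= MAX_UINT256:
        raise ValueError("bad spender address or amount")
    int(addr, 16)                       # raises ValueError if the address is not hex
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")

# Constructed sample: a placeholder spender address, not a real contract.
SPENDER = "0x" + "ab" * 20

if __name__ == "__main__":
    deposit = 26_000 * UNIT
    for amount in (MAX_UINT256, deposit, 0):
        tx = build_approve(SPENDER, amount)
        print(review_approval(tx, deposit), decode_approve(tx)[0])
```

The "revoke" case is the calldata a user would send to the token contract to cancel an allowance that is no longer needed.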
It is disheartening to know that Doe was not the only victim of the scam. The wallet the funds were moved to was seen to also contain $50k from other victims.
“The $140,000 are just from one victim. The culprit made at least $50,000 more from other victims. Might be even more, it is a bit difficult to quantify as it is in separate transactions,” said Manuskin.